MicrostockGroup

Microstock Photography Forum - General => General Stock Discussion => Topic started by: Whiz on February 27, 2009, 15:28

Title: Why No HTTPS?
Post by: Whiz on February 27, 2009, 15:28
Is it really that difficult to implement an HTTPS website? To be fair, of the big six, Dreamstime and Stockxpert both use HTTPS. But the others don't. I'm under the understanding that HTTPS will encrypt everything, thus making it more secure. Perhaps the other sites use something else? Not a rant, just curious.
Title: Re: Why No HTTPS?
Post by: disorderly on February 27, 2009, 15:37
The short answer is that HTTPS is expensive.  All that encryption and decryption adds significantly to server load.  It's worth doing when confidential information is being passed, but the rest of the time it's just overhead with no benefit.
Title: Re: Why No HTTPS?
Post by: zymmetricaldotcom on February 27, 2009, 16:08
We pay $800 or so a year for securing the 9 websites of Zymmetrical. It is well worth it, in both consumer confidence as well as real security. Considering many photographers are on the go and traveling around, you never know who is sniffing your packets.  I don't know anyone that would trade off a fraction of a second in increased pageload time on a few key pages like registration, login or shopping cart, vs. the potential of having their account or worse credit card info compromised.
Title: Re: Why No HTTPS?
Post by: disorderly on February 27, 2009, 16:26
In case I wasn't clear, I wasn't arguing against the value of HTTPS for confidential data.  Logins should always be secure, as well as pages that pass credit card information.  But for everything else, the question is whether the overhead is justified by the risk of abuse if the information gets out.  Personally, I don't care if someone can discover that someone at my IP address ordered those videos, as long as they can't get to information that will permit them to impersonate me.
Title: Re: Why No HTTPS?
Post by: zymmetricaldotcom on February 27, 2009, 18:07
Yup I kind of thought about that after answering - of course everything can't be encrypted right now - it's basically just too slow to be practical.  Maybe in a few more years when everyone has fiber to the door, people can be entitled to encryption on everything they do, but for now it's just not a reasonable tradeoff. Security has to start at the source: the business practices of the companies that deal with the data. As we've seen lately, even Facebook makes (political) blunders with such data.
Title: Re: Why No HTTPS?
Post by: araminta on February 28, 2009, 05:07
To reply to the initial question, you don't have to implement anything: this is just a web server configuration. From a technical point of view, it is just plain easy.