On 30 April 2013 18:27, Petr Bena <benapetr(a)gmail.com> wrote:
> SSL is requiring more CPU, both on server and client, and disables all
> kinds of cache (such as squid or varnish), and some browsers may have
> problems with it OR in some countries encryption may be even illegal.
> Whatever you are going to do, you should let people turn it off.
> Wikimedia project itself has horrible security (in this thread I
> started some time ago -
> http://www.gossamer-threads.com/lists/wiki/wikitech/277357?do=post_view_thr…
> I was even told that Wikimedia doesn't need good security at all,
> because user accounts aren't so critical there), forcing SSL will not
> improve it much

I think you need to check those facts. How many years do you have to go
back before the extra CPU needed for a client to decrypt an SSL connection
becomes noticeable on a client? Or how many browser versions before
support becomes imperfect? SSL support was introduced in Internet Explorer
version *Two*, in 1995.

SSL is about much more than just preventing account hijacking. It hides
details of what you're doing and what pages you're reading from people who
have no right or need to know. In some jurisdictions, the correlation
between the publicly-available content of a comment or edit, and the
snoopable identity of the person who made it, can be damning. The more
routine and commonplace SSL connections are, the safer the people who are
protected by it will be.
--HM