On 30 April 2013 18:27, Petr Bena benapetr@gmail.com wrote:
> SSL requires more CPU, both on server and client, and disables all kinds of cache (such as squid or varnish), and some browsers may have problems with it OR in some countries encryption may even be illegal.
> Whatever you are going to do, you should let people turn it off. The Wikimedia project itself has horrible security (in this thread I started some time ago -
> http://www.gossamer-threads.com/lists/wiki/wikitech/277357?do=post_view_thre... I was even told that Wikimedia doesn't need good security at all, because user accounts aren't so critical there), forcing SSL will not improve it much.
I think you need to check those facts. How many years do you have to go back before the extra CPU needed for a client to decrypt an SSL connection becomes noticeable on a client? Or how many browser versions before support becomes imperfect? SSL support was introduced in Internet Explorer version *Two*, in 1995.
SSL is about much more than just preventing account hijacking. It hides details of what you're doing and what pages you're reading from people who have no right or need to know. In some jurisdictions, the correlation between the publicly-available content of a comment or edit, and the snoopable identity of the person who made it, can be damning. The more routine and commonplace SSL connections are, the safer the people who are protected by it will be.
--HM