Hacker News new | ask | show | jobs
by brians 3808 days ago
Nope. The symmetric crypto is basically free. The asymmetric crypto is cheap.

IPv4 addresses cost. Most big sites can't quite go SNI-only yet. Soon!

Customer support costs. Why would TLS involve more customer support? Because it's a technology designed only to break connections. Ideally that's only the adversarial connections---but much like the TSA, a mis-designed authentication scheme can cause great stress and drama.

I do think the world will be all-TLS before too long; the parts that aren't will probably not be HTTP over TCP (e.g., content addressable networking).
1 comments
hobarrera 3808 days ago
> IPv4 addresses cost. Most big sites can't quite go SNI-only yet. Soon!

Why can't they go SNI? It's not like IE6 or netscape are relevant any more, is there some other issue?

link
dangrossman 3808 days ago
No SNI on Windows XP (IE6, IE7, IE8, Safari), nor Android 2.3 Browser, nor BlackBerry. Windows XP still has 4-5% usage share on the web, which is 1 in 20 people. Lots and lots of low-end and older Android handsets were on 2.3 because 4.0 had new hardware requirements. Combined, it's a relevant number of people for large sites.
link
detaro 3808 days ago
And highly dependent on the region and demographics of the visitors, so the numbers can be way higher (or way lower if you are lucky).
link
vacri 3808 days ago
> Windows XP still has 4-5% usage share on the web, which is 1 in 20 people.

Chrome and FF together have a market share of about 70%, so roughly speaking, only 30% of those XP users can be expected to still be using IE or safari. The percentage might be a touch higher as users left on XP might be less likely to use a different browser, but it's certainly not like all of today's XP users are on IE + Safari.

link
kardos 3808 days ago
> nor BlackBerry

Maybe not for the old blackberries, but SNI works on BB10.

link
Ded7xSEoPKYNsDd 3808 days ago
You know how Mozilla recently had to delay the SHA1 deprecation in Firefox because it broke people behind shitty MITM "security" solutions? That crap often doesn't support any "modern" TLS features like SNI either.

See for example here: https://palant.de/2014/05/27/proxies-breaking-up-ssl-connect...

link
brians 3808 days ago
Windows XP. Python through about 2.6. Java until quite recently. Old Perl code that I shudder to think about.

<shudder>

Oh, and some old Android. The Android version that started supporting SNI is apparently also the version that tightened up licensing, so a number of third-world forks still use the old version. And as long as most of the web works without SNI, they don't have a huge incentive to change that.

The work that some browser vendors (Mozilla, Google) are doing to privilege imperfect-TLS over no-TLS is crucial here. Also, yes: new Web work should all be done over HTTPS.

link
dgoldstein0 3808 days ago
some pretty modern languages / libraries don't have SNI built in. E.g. requests under python 2.7 doesn't do it by default. As for browsers, I think the answer is that most do - it ends up being something like IE on XP and really old Android that gives you trouble.
link
dale-cooper 3808 days ago
Chromecast for example does not support SNI, which is crazy.
link