[whatwg] fixing the authentication problem

Aaron Swartz me at aaronsw.com
Tue Oct 21 07:48:17 PDT 2008


>> Some major web services redirect the user to an SSL server for
>> the login transaction, but SSL is too expensive for the vast majority
>> of services.
> The issue is not SSL being expensive: the only expensive part is

There are three costs to SSL:

1. Purchasing a signed cert.
2. Configuring the web server.
3. The CPU time necessary to do the encryption.

1 could be fixed by less paranoid UAs, 2 could be fixed with better
software and SNI, and 3 could be fixed by better hardware. But,
realistically, I don't see any of these things happening.

> What's the actual difference between this and https? Both mechanisms
> are using public-key encryption to protect the communications; the

The difference is that this would work practically. Server authors
typically can't configure, but they typically can install an
encryption library. Support will get built into web applications and
web application frameworks (disclosure: I'm the author of a web
application framework) and the Web will be more secure.


