Hacker News

I think 80% of web sites will be labelled as red-unsafe.

SSL layer security is good but sometimes a certificate is expensive and not free. Suppose that you have 10 domains and not all of them are for SNS, banks, etc.

At what minimum cost will you purchase an HTTPS certificate?





Most shared hosting accounts charge extra for a dedicated IP address, both for setup and on a monthly basis. Don't underestimate how many blogs, churches, small businesses, etc. still use services like that.

To be fair, many of those sites probably ARE insecure, but it seems to be a little bit overkill to "shame" them for not implementing encryption.


You only need a dedicated IP address for clients that don't support SNI. If your hosting model supports it, you can also still support these clients with a single IP address with a SAN cert that includes all of the possible hostnames.


SSL hasn't required a separate IP since Windows XP. And XP no longer has any security support, so anyone running it has bigger problems.


Guess you're right, fair enough. I still don't agree with putting a scarlet letter on these types of sites though.


Nothing short of that will get HTTPS adoption to approach 100%. Many people have commented that it seems odd to complain about broken HTTPS but not about HTTP; I agree with that. As long as browsers show unencrypted HTTP as "neutral" rather than "bad", far too many sites simply won't care. This has been a long and gradual step, but it needs to happen for HTTP to finally go away.


HTTPS is rather more secure than HTTP, because it creates a relatively secure tunnel between the client and host. But HTTPS does not mean 100% secure; it's easy to be hacked by MITM or to have traffic spied on.

I think that getting rid of HTTP should not be shamed in that way. But Google is planning on doing this thing.

Just as someone said, MITM attackers can switch Google ads to others, and I think this is the reason why Google wants to shame those sites that use Google Ads and do not use HTTPS. Google can increase its revenue by this act.

And yet HTTP2 is out; will Google shame those sites that only support HTTP1.0/HTTP1.1? I don't think so, because this has almost nothing to do with revenue for Google.


> But HTTPS does not mean 100% secure; it's easy to be hacked by MITM or to have traffic spied on.

I don't know what properties you think HTTPS lacks here, but no, HTTPS doesn't allow "easy" MITM or eavesdropping. If you want to break HTTPS, you either need to compromise an endpoint, or pressure an accepted certificate authority to risk destroying their entire business by issuing a fraudulent certificate.


I have shared hosting at Dreamhost. Installing Let's Encrypt certs was a two click procedure. I guess more hosting companies will follow.


This looks cool. It seems Dreamhost did a good job.


nginx + TLS, and TLS is many-certs-same-IP friendly from the start.

SSL is insecure already anyway.


Let's Encrypt is in beta testing for now. And they did not claim whether they were going to make this service free forever.

I tried Let's Encrypt, and it works like a charm. But the sad thing is that it needs you to update every 3 months, at least for now. And they may have an auto-updating script for this, but it is not supported well. Currently the scripts only work for Apache HTTP servers, rather than Nginx ones (will work in the future). I update certificates every 2 months by hand...



