One of the traditional obstacles to using SSL to protect Web sites is the extra processing demand and its associated costs, says John Pironti, president of IP Architects, a security consulting firm, and the security track chairman for Interop. "The infrastructure costs to enable SSL can be challenging," he says, depending on the size and complexity of the deployment.
As processors get more powerful and less expensive per cycle, cost isn't as much of an issue, he says, if the SSL is designed into the infrastructure at the start. "It's less costly than adding it on later," he says.
There are barriers to implementing SSL on sites other than the hardware costs and performance, says PayPal CISO Michael Barrett. All of PayPal's site content is SSL-protected, and getting there involved more than just processing. "It can cause quite a bit of pain from an application perspective," he says.
For instance, if an application assumes it always operates under unsecured HTTP, it will try to redirect browsers to HTTP. In order to fix the problem, businesses may have to recode the offending applications, he says. That can lead to inefficiencies if HTTP requests are made, and the site reroutes them rerouted to make them HTTPS (SSL/TLS), requiring more round trip communications that introduce delay.
The PayPal site uses the proposed Internet standard HTTP Strict Transport Security (STS), which declares to browsers that Web servers are to be interacted with via HTTPS. The browser remembers so the next time a request is sent to the same URL -- even if it's typed in as HTTP -- it will be sent as HTTPS. So far versions of Firefox and Google Chrome browsers support HTTP STS, and it can be deployed without a negative impact on end users whose browsers don't support it.
Another barrier to SSL is the need to enlist a certificate authority to handle encryption key authentication and to manage the certificates, Barrett says.
Sign up for Computerworld eNewsletters.