[Full-disclosure] The Cookie Tools v0.3 -- first public release

[Andrew Farmer]

On 10 Dec 07, at 05:45, michele dallachiesa wrote:
> why HTTPS is not the default in this type of services? this is a big
> silent hole. maybe, today is less silent :)

The short version is "because hosting things with SSL is still hard".

There's a few things which are significantly holding back the move to  
SSL web servers. They include:

* Every domain hosted with SSL must have a dedicated IP address. This  
basically rules out any form of shared hosting.

* SSL certificates don't come cheap. $50 seems like the low end right  
now, and the really big names (like Verisign or Thawte) charge several  
times that.

* Many common load-balancing products only work with unencrypted HTTP.  
Furthermore, SSL places a much higher load on the server.

Some of these things are set to change - for example, SNI is set to  
fix the first one. However, it's only just becoming available; it'll  
be a while before it can be relied on in production systems.