Blog

HTTPS, SSL, TLS & The Cost of Compromise

December 23rd, 2013 by admin

tl;dr

Ignorance isn't bliss, if you don't know how to use the Internet you should be schooled.

Recently, perhaps in the wake of illegal NSA spying revelations, many of our customers have began to expect SSL encryption on their websites. Unless they are transmitting sensitive information (such as credit card or login information) there is generally no need for this. We have discovered a rising trend of people manually entering the HTTPS protocol specifier onto sites without warrant; I intend to disabuse this practice.

There are two primary concerns here: the first being that intentionally specifying a protocol with an expectation indicates a fundamental lack of understanding of how such mechanisms operate, or even why they are necessary. This is not trivial; many aspects of our daily lives, from privacy to large amounts of commerce, are only possible in their current form because of this technology. Issues concerning cyber security and privacy are set before our electorate with increasing frequency.

In a democracy (or democratically elected representative republic), we the people hold the power to rule. Like all rulers, we must exercise wisdom and justice.

If we willfully choose ignorance, intentionally being uninformed, we give up the fruit of the tree of democracy: our freedom.

As technology becomes more prevalent in our lives, it becomes increasingly imperative that we understand how to operate and navigate the technology we entrust our social and financial futures to. Among many others, it is the responsibility of the purveyors of change, the salespeople and marketers that bring about the new society, to educate their clients, in order to be worthy of the trust their clients place in them.

To that objective I encourage the many of my clients, who are themselves dealers in data and networking technology, to not only become masters of their fields through education, but also to take it upon themselves to in turn educate their customers, fulfilling their duty as salespersons and thought leaders.

The second concern is lesser in scope, yet still critical: market competitiveness. Not only is encrypting non-sensitive data unnecessary, but it also has a non-zero cost: extra computing resources and human labor overhead, on both our part and our clients. In order to provide a clean and simple interface, and to keep costs down, we (Atomic8Ball) have only provided SSL where it is actually needed (when sensitive information is present). However, to optimize our customer's experience with us and to meet their expectations, we're now reconsidering that position.

In doing so, we are in a way admitting defeat to ignorance, obviating the need for education and the opportunity to do so. In the quest to "just make it work" we're ceding territory that we may later, as a society, regret.

Posted in: business philosophy, random thoughts,