Why are plain text protocols still in use?
Page 1 of 3 123 LastLast
Results 1 to 10 of 21

Thread: Why are plain text protocols still in use?

  1. #1

    Why are plain text protocols still in use?

    Why are we still using http:// instead of SSL enabled servers?

    I keep thinking about this. We have all kinds of secure, robust, encrypted protocols and tools, and plain text protocols are still the standard. We have sftp, scp, SSH, SSL, etc. While FTP, HTTP, Plain text emails, etc are still standard protocols. It doesn't make any sense!

    And why is Unix, Linux still shipping rtools and such?

    I long for the day when there is ONLY secure, encrypted protocols in use! I use only these tools myself (although, I dont have a choice when it comes to having to utilize other servers that use http and ftp), but the fact that plain text protocols are even still in use baffles me!!! It's not like we DONT have secure, encrypted tools available!

    Everyday, we hear about new vulnerabilities, new attack tools, password sniffers, etc, etc. And granted, 100% encrypted protocols isn't the entire answer, but it would go a hell of a long way toward a more secure internet.

  2. #2
    What if your administrator doesn't want your traffic encrypted? You'd have trouble with IDS in some cases...

    But yes, encryption is good.

  3. #3
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    Encryption requires far more overhead than plaintext. It may seem simple given the context of a server that services only a few thousand requests a day, but when operating a network that services several million, the situation is not so simple. The use of encryption the requires several more servers, key servers, certificates, certificate revocation contingency plans, certificate authourities, more time configuring services, and the risk of increased downtime. Not to mention the fact that it requires universal acceptance of encryption algorithms, which is again, not as simple as it seems. All said, it is simply too resource intensive where not required. You could, for example, learn ancient Latin, and commuinicate with your friends exclusively with it, which would require you to first learn the language. Do you send all your email encrypted? Probably not, for two reasons: 1) It is too time consuming to encrypt all those "Hello, just saying hello" emails, and 2) The person with whom you are communicating does not have the capability to decrypt it.

    There are simply a lot more things that can go wrong when using ecrypted protocols. My root filesystem is not encrypted simply because of the danger of losing the decryption key, which would mean the loss of everything on the hard drive. Instead, I encrypt only the more sensitive iformation, like banking records, and swap and temporary space. This way I do not lose everything if I suffer the loss of the decryption key.

    But as far as an IDS not being able to read the encrypted content, surely there must be a way to share the decryption key with the IDS?
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  4. #4
    Junior Member
    Join Date
    Jun 2005
    Posts
    20
    Cost is an issue, also. The certificates needed to create an HTTPS session can cost almost a grand.

  5. #5
    There are times when encryption is necessary, and there are times when it is not. Why go through the extra effort, cost, and overhead to encrypt and secure bullshit. Why would TheRegister for example, encrypt their site? It's like wiping before you poop, it don't make sense.

    Encryption has it's place, but it's not every place. (Although... I do support changing over router administration from telnet to ssh or something similar.)

  6. #6
    Junior Member
    Join Date
    May 2005
    Posts
    5
    Originally posted here by reedarvin
    Cost is an issue, also. The certificates needed to create an HTTPS session can cost almost a grand.
    Anyone can create a certificate for free. The cost arises from getting someone to say, "Yeah, this certificate can be trusted."

  7. #7
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,024
    Most browsers automatically block all untrusted certificates by default though, so that kind of screws that mindset a bit.
    [H]ard|OCP <--Best hardware/gaming news out there--|
    pwned.nl <--Gamers will love this one --|
    Light a man a fire and you\'ll keep him warm for a day, Light a man ON fire and you\'ll keep him warm the rest of his life.

  8. #8
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    There are advantages to using unencrypted protocols:

    - Performance - no need to encrypt / decrypt. Compression works better. And a significant advantage is the fact that SSL handshakes add quite a bit of latency.
    - Intrusion detection - objectionable requests can be identified by specialised software / hardware at the network layer
    - Content filtering - Most large companies now have content filtering on their email, and a signficiant proportion do on HTTP traffic too. This is of course mostly to stop spam and malware, but it could also be done to protect confidentiality. Encrypted messages break this
    - Caching - encrypted content must be sent directly from its source to its destination, simply being forwarded, whereas unencrypted content can be cached en-route, thus reducing bandwidth consumption (most large ISPs do this)

    Slarty

  9. #9
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Anyone can create a certificate for free. The cost arises from getting someone to say, "Yeah, this certificate can be trusted."
    You can create a certificate and "sign" it. Its just a matter to add to the "client" (e.g. a browser) the necessary info to allow the client to trust on your C.A. We use to use "internal certificates" on MF encription (telnet) to avoid $$$. Or on "intranets". Why use a "public" CA if only internal computers will access that resource?
    Backing on topic, Encription is cost x benefit: you dont protect what worth nothing. So why encript all? Its a nonsense.
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  10. #10
    Junior Member
    Join Date
    May 2005
    Posts
    5
    Thanks for correcting me Cacosapo.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •