Why are plain text protocols still in use?

[Dr. Psy]

Why are we still using http:// instead of SSL enabled servers?

I keep thinking about this. We have all kinds of secure, robust, encrypted protocols and tools, and plain text protocols are still the standard. We have sftp, scp, SSH, SSL, etc. While FTP, HTTP, Plain text emails, etc are still standard protocols. It doesn't make any sense!

And why is Unix, Linux still shipping rtools and such?

I long for the day when there is ONLY secure, encrypted protocols in use! I use only these tools myself (although, I dont have a choice when it comes to having to utilize other servers that use http and ftp), but the fact that plain text protocols are even still in use baffles me!!! It's not like we DONT have secure, encrypted tools available!

Everyday, we hear about new vulnerabilities, new attack tools, password sniffers, etc, etc. And granted, 100% encrypted protocols isn't the entire answer, but it would go a hell of a long way toward a more secure internet.

[Soda_Popinsky]

What if your administrator doesn't want your traffic encrypted? You'd have trouble with IDS in some cases...

But yes, encryption is good.

[Striek]

Encryption requires far more overhead than plaintext. It may seem simple given the context of a server that services only a few thousand requests a day, but when operating a network that services several million, the situation is not so simple. The use of encryption the requires several more servers, key servers, certificates, certificate revocation contingency plans, certificate authourities, more time configuring services, and the risk of increased downtime. Not to mention the fact that it requires universal acceptance of encryption algorithms, which is again, not as simple as it seems. All said, it is simply too resource intensive where not required. You could, for example, learn ancient Latin, and commuinicate with your friends exclusively with it, which would require you to first learn the language. Do you send all your email encrypted? Probably not, for two reasons: 1) It is too time consuming to encrypt all those "Hello, just saying hello" emails, and 2) The person with whom you are communicating does not have the capability to decrypt it.

There are simply a lot more things that can go wrong when using ecrypted protocols. My root filesystem is not encrypted simply because of the danger of losing the decryption key, which would mean the loss of everything on the hard drive. Instead, I encrypt only the more sensitive iformation, like banking records, and swap and temporary space. This way I do not lose everything if I suffer the loss of the decryption key.

But as far as an IDS not being able to read the encrypted content, surely there must be a way to share the decryption key with the IDS?

[reedarvin]

Cost is an issue, also. The certificates needed to create an HTTPS session can cost almost a grand.

[d0ppy]

There are times when encryption is necessary, and there are times when it is not. Why go through the extra effort, cost, and overhead to encrypt and secure bullshit. Why would TheRegister for example, encrypt their site? It's like wiping before you poop, it don't make sense.

Encryption has it's place, but it's not every place. (Although... I do support changing over router administration from telnet to ssh or something similar.)

[PeasleeR]

Originally posted here by reedarvin
Cost is an issue, also. The certificates needed to create an HTTPS session can cost almost a grand.

Anyone can create a certificate for free. The cost arises from getting someone to say, "Yeah, this certificate can be trusted."

[The Grunt]

Most browsers automatically block all untrusted certificates by default though, so that kind of screws that mindset a bit.

[slarty]

There are advantages to using unencrypted protocols:

- Performance - no need to encrypt / decrypt. Compression works better. And a significant advantage is the fact that SSL handshakes add quite a bit of latency.
- Intrusion detection - objectionable requests can be identified by specialised software / hardware at the network layer
- Content filtering - Most large companies now have content filtering on their email, and a signficiant proportion do on HTTP traffic too. This is of course mostly to stop spam and malware, but it could also be done to protect confidentiality. Encrypted messages break this
- Caching - encrypted content must be sent directly from its source to its destination, simply being forwarded, whereas unencrypted content can be cached en-route, thus reducing bandwidth consumption (most large ISPs do this)

Slarty

[cacosapo]

Anyone can create a certificate for free. The cost arises from getting someone to say, "Yeah, this certificate can be trusted."

You can create a certificate and "sign" it. Its just a matter to add to the "client" (e.g. a browser) the necessary info to allow the client to trust on your C.A. We use to use "internal certificates" on MF encription (telnet) to avoid $$$. Or on "intranets". Why use a "public" CA if only internal computers will access that resource?
Backing on topic, Encription is cost x benefit: you dont protect what worth nothing. So why encript all? Its a nonsense.

[PeasleeR]

Thanks for correcting me Cacosapo.