Do we need to make SSL free to boost Internet security?

SSL is getting a lot of attention this year. First we experienced (and still are) Heartbleed. Then Google got serious, announcing a forced deprecation of SHA-1 signed certificates on an aggressive schedule. That was on the heels of an announcement offering a potential/future preference in ranking for SSL protected sites.

During a recent Down the Rabbithole Security Newscast, we explored the potential impact of requiring SSL on smaller sites. James Jardine (@JardineSoftware) pointed out that smaller, less technical shops face the hurdles of additional expense and experience to implement even a basic SSL certificate.

Then James made a bold suggestion:

"Smart hosting companies should just include the SSL certificate as part of the service. It shouldn't increase the host costs by much, if any, since it sets them apart from those who don't offer 'free SSL.' For us, maybe it's a chance to shut down reliance on port 80."

Security as a differentiator?

Evidenced during our discussion about Google's decision to force the deprecation of SHA-1 signed certificates, sometimes the private sector moves to improve security without the need for complicated regulations and government intervention.

It boils down to considering the economics of different approaches to find the solutions that make a positive difference.

Again, Google serves as an example. A few years ago a number of security folks called on Google to make SSL the default. While a great idea, the early concern was the potential performance impact and resulting cost. Except Google tested it and reported the impact was negligible.

Now SSL is default for Google services.

Does giving SSL certificates away to Internet-hosted websites mean more security? And does it make security a true differentiator (at least in the short run)?

Seems James was right!

Not long after the discussion, Cloudflare announced plans to turn on SSL by default for anyone using their service.

Cloudflare is the first step. Here's why this works for Certificate Authorities and hosting providers alike:

• Basic certifications are low cost ($15/year or less retail — with appropriate markup and revenue splits); including the certs should drive the real costs to pennies per month
• The installation process can be automated, further reducing complexity and cost
• The impact to the servers and services is negligible (as demonstrated by Google)

We've always wanted security to serve as a differentiator. Maybe this is a way to do it. The cost of basic SSL certs is easily automated and low cost. That means it's either easy to absorb in the cost of operations — especially if the scale increases. Or it means a slight overall increase that benefits everyone, for a lower price than any individual would be asked to pay.

The only potential snag — for some hosting providers — is whether they rely on unique IP addresses for their SSL certs. If they do, they may need to evaluate the time and effort of redesigning their solution to support Server Name Indication (SNI).

Don't worry – this works for providers and vendors

More than the economics of scale, the real key is the inclusion and ease of use. At the base level, this makes it easy for Mom and Pop shops — and nearly everyone — to use SSL without needing to understand how it works under the hood.

James also points out the potential opportunity this creates to engage and educate people:

"In conjunction with incorporating SSL for little to no additional cost, we have an opportunity — maybe an obligation — to work with organizations and website owners to explain the benefit of SSL in a way they can understand. This matters even if they aren’t collecting financial or other information.

For example, by finding an effective way to explain MITM, we can demonstrate how using SSL makes it harder for the attackers. Harder to intercept unencrypted traffic. Harder to insert malicious code in responses — in an attempt to infect the visitors of the site.

The coupling of education with free SSL has the potential to make a dent in the work of attackers."

This approach has upsides for vendors and providers, too. Deeper in the Cloudflare announcement is the option for their pro service. Coupling basic SSL with education is an opportunity to demonstrate the benefits of extended value (EV) certificates and other services.

Does SSL as the default make a difference?

If others build on the effort of CloudFlare (and James), SSL is the baseline. An improvement driven by the providers of the private sector and businesses that rely on them to explore different ways to get what they want.

Is this a step in the right direction?