October 26, 2009 at 10:41 am
Comments posted to this topic are about the item Low Hanging Fruit
October 26, 2009 at 4:10 pm
I think that making security features (such as the encrypted client connection) default to ON would be smart for engines like SQL Server. Security practices often seem to come as an afterthought instead of being built-in to the policies or features.
But the tradeoff is always usability. I'm still learning, but I can't think of any reason why local client connections or even authenticated remote connections shouldn't default to an encrypted connection. It would save some time and act as a deterrent to security breaches if features like this were implemented as the standard instead of an option.
Good thoughts, Steve.:-)
October 26, 2009 at 10:19 pm
Yes, it should be the default.
In hosted Google Apps, there is an option for domain administrators to force HTTPS (http://www.google.com/support/a/bin/answer.py?hl=en&answer=100181)
In regular gmail, users have to set it to require secure connections.
October 27, 2009 at 4:57 am
Google doesn't use HTTPS by default because, like most SAAS providers, they pay for their pipes, the equipment that their traffic runs on, and connections to the Internet (at least the parts they don't own). The security layer would add a great deal of new traffic to their communications in the form of encryption-related data; however, much of that traffic doesn't warrant such a high-level of security. How much e-mail do you get that actually needs encryption?
This is a price-performance-value question, and to extend your argument, it should be applied to all administrative and coding activity. In Google's case, they wisely chose not to encrypt the traffic in Google Apps by default because over 80% of it is "bacon" and spam where securing the traffic would add little value but cost a great deal. HTTPS is not specific enough. Your point is sound: that security should be a consideration every computing professional takes into account; however, there are situations where a scalpel is a better tool than a meat cleaver.
October 28, 2009 at 9:09 pm
I've wondered why this isn't standard behavior for all web apps. Like you said, there is overhead, but it should be considered a cost of doing business. For Google apps, it's surprising that they haven't taken this step already, since their target appears to be the business community rather than just consumer-level services.
Tim Mitchell, Microsoft Data Platform MVP
Data Warehouse and ETL Consultant
TimMitchell.net | @Tim_Mitchell | Tyleris.com
ETL Best Practices
Viewing 5 posts - 1 through 4 (of 4 total)
You must be logged in to reply to this topic. Login to reply