Why aren't top commerce sites using AOSSL?
December 13, 2012 3:33 PM

Question for the hard-core commerce and security geeks: Always-on SSL, or AOSSL. Last spring The Online Trust Alliance, or OTA, started a PR campaign to convince folks who manage web sites to use SSL to secure the entirety of their web sites — not just forms and checkout pages. OTA points out that some large social sites (Twitter, Facebook, Google) — folks for whom the customer is the product — have implemented AOSSL, or are in the process of doing so. Who I *don't* see coming on-board are large and highly trafficked e-commerce sites. By my survey, none of the top 100 eCommerce vendors (using Internet Retailer's list) have implemented AOSSL, and I'm wondering if there's a reason why... (more inside).

The benefits of using SSL to secure customer privacy and customer payment information at checkout are well-established; SSL is not merely a confidence-builder for the shopper (although it's that, too) but the foundation of a secure transport that safeguards customer data from those who would steal it. Extending SSL is, in concept, simple enough: secure the *entire* web browsing experience by wrapping it in a safe, encrypted session. I might imagine some modest tax to page transport performance and a similar tax on server capacity… if that's the entirety of the cost, however, why wouldn't every larger retailer be adopting AOSSL? Am I missing something… ?
posted by deCadmus to Computers & Internet (8 answers total) 1 user marked this as a favorite
Short answer - it places more of a load on the server. It's not really necessary when browsing catalog pages, say, where no personal information is being transmitted. FB is in a different position because every page transmits personal info.
posted by randomkeystrike at 3:35 PM on December 13, 2012 [2 favorites]

There is certainly a hardware cost - no small one, I expect, for really high-volume sites.

That said, based on my own experience, I suspect that plenty of people are well aware they should do it, have it in the long-term plans, and are just dealing with the fact that it's a pain in the ass. That's pretty much where we're at where I work. We'll get there in a month or three, but getting it right means combing over a lot of little details, particularly if you have, say, a lot of content laying around which includes hardcoded non-SSL paths to various resources. There's nothing especially hard about it; it's just time consuming and if no one is yelling at you about it right now, the incentives can appear to be lacking.

"It's not really necessary when browsing catalog pages, say, where no personal information is being transmitted."

There is a pretty strong consensus at this point that SSL-all-the-time is the best practice, and quite a bit has been written on why. (The EFF might be a good starting point.)
posted by brennen at 3:52 PM on December 13, 2012 [1 favorite]
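
An added example, not part of the thread: the clean-up of "hardcoded non-SSL paths" that brennen describes, written as a small audit script that finds absolute `http://` references in a page and says which ones can simply be rewritten. The host names and the sample page are constructed, and the active/passive labels are this example's own shorthand for how browsers treat mixed content.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# tag -> (URL attribute, kind). "active" content can rewrite the page and is
# blocked by browsers on HTTPS pages; "passive" content only triggers warnings.
URL_ATTRS = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "link": ("href", "active"), "object": ("data", "active"),
    "img": ("src", "passive"), "audio": ("src", "passive"),
    "video": ("src", "passive"), "source": ("src", "passive"),
    "form": ("action", "form"), "a": ("href", "link"),
}

class MixedContentAuditor(HTMLParser):
    def __init__(self, site_hosts):
        super().__init__()
        self.site_hosts = set(site_hosts)
        self.findings = []  # (line, kind, tag, url, suggested fix)

    def handle_starttag(self, tag, attrs):
        if tag not in URL_ATTRS:
            return
        attrs = dict(attrs)
        attr, kind = URL_ATTRS[tag]
        url = (attrs.get(attr) or "").strip()
        parts = urlsplit(url)  # scheme and hostname come back lowercased
        if parts.scheme != "http":
            return  # relative, protocol-relative and https URLs are fine
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # e.g. rel=canonical is metadata, not a fetched resource
        # Our own hosts can be rewritten; third parties need checking first.
        fix = ("rewrite to https" if parts.hostname in self.site_hosts
               else "verify third party serves https")
        self.findings.append((self.getpos()[0], kind, tag, url, fix))

def audit(html, site_hosts):
    parser = MixedContentAuditor(site_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (hypothetical shop.example hosts).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://static.shop.example/site.css">
<link rel="canonical" href="http://www.shop.example/item/42">
<script src="//cdn.shop.example/app.js"></script>
<script src="http://widgets.thirdparty.example/reviews.js"></script>
</head><body>
<img src="HTTP://static.shop.example/img/42.jpg" alt="item">
<img src="/img/logo.png">
<a href="http://www.shop.example/cart">Cart</a>
<form action="http://www.shop.example/search"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_PAGE, {"www.shop.example", "static.shop.example"}):
        print(*finding, sep="\t")
```

URLs assembled in JavaScript or CSS are outside what this parser sees, so they need a separate pass.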

The reason e-commerce sites haven't moved to AOSSL is because they don't really have any incentive to do so. There would be costs involved in making the change (just for development and testing) and there is little evidence that these costs will result in sufficient additional profit to justify them. Most people are only dimly aware that there is such a thing as a secure site.

The approach Google is taking with SPDY is how it will happen. SPDY brings actual quantifiable benefits to the site owner (better responsiveness at the client end) and is always SSL. So, when enough browsers and servers support it, and sites can get better performance just by installing a cert, then they'll do that.
posted by kindall at 4:14 PM on December 13, 2012 [2 favorites]

Performance is part of the reason, as I understand it. Big eCommerce sites will tell you that there's a very strong relationship between pageload times and revenue. Here are some metrics on this from a quick Google search. Retailers have no interest in doing something that increases their costs (due to increased server loads) and decreases revenue (due to increased pageload times) when customers have no real demand for it.

Facebook, Twitter, and friends have invested a lot of effort into building responsive sites through asynchronous requests and other techniques, so they are better able to take the performance hit.
posted by zachlipton at 5:11 PM on December 13, 2012 [2 favorites]

It's a bit of a mix really:

1) There is limited public pressure to do this, from a real customer base perspective - aka people writing the business and asking them why.
2) This much SSL means your load balancers need to do dramatically more transactions per second on your load balancing tier. This costs you money in licensing.
3) It complicates troubleshooting, it also means that you have to track more certs and ensure their deployment is solid...this is a real concern.
4) Even if it's not a transactions-per-second equation on your load balancer, if you're a top site you are offloading with Gomez or Akamai. This costs again more.
5) Your code may not support it, see all of the above, it's actually dramatically harder to do this on a large site.

"There's nothing especially hard about it; it's just time consuming and if no one is yelling at you about it right now, the incentives can appear to be lacking."

This is wrong, there are plenty of reasons this isn't being done right now by everyone, I've outlined a few of them above.

I think it's a great idea to do, but there is a whole host of reasons why it's not being done now. At the end of the day the main reason it's not being done outside of the operational and technical concerns is that PCI-DSS hasn't compelled people to do it...yet. They will soon enough.
posted by iamabot at 5:15 PM on December 13, 2012 [2 favorites]

iamabot pretty much has it. I'd also add that implementing AOSSL is a risk, and risk costs money. Security is like insurance in that it's a cost you pay to avoid loss. Unlike insurance, you don't have actuarial tables to show you an anticipated ROI. So most companies don't proactively spend more than they have to on security.

Additionally, most of these retailers have some form of compensating control so you just can't steal a session cookie from the unencrypted session and start committing payment card fraud.
posted by bfranklin at 8:09 PM on December 13, 2012

Yeah, increased processing load. Which is a big deal - it affects how much hardware you have to field; and that means increases in not only your equipment budget, but a long, hard look at your datacenter facilities and how much extra heat it generates, and how many extra servers they need on hand. Places may need to build and staff entire new buildings as a result of moving to AOSSL.

That said, it's still a good idea and those who aren't seriously thinking about it need to start, or they'll be behind their competitors and open to liability as courts and regulatory agencies are taking a harder and harder line against outfits who play fast and loose with their users' security and privacy.
posted by Slap*Happy at 5:07 AM on December 14, 2012

brennen, I don't think we disagree; I was just giving the Reader's Digest version.
posted by randomkeystrike at 6:59 AM on December 14, 2012
