Progressive Web Application Development by Example

No longer cost-prohibitive

Since the beginning of SSL, certificates have come with a cost, typically an annual one. Around 15 years ago, a certificate cost between $100 and $500 a year. You can think of it as an annual business license: to complete a certificate request, you often needed proof that the business or organization existed. Issuance was also slow, commonly taking 3 to 14 days, because the issuing authority employed staff to evaluate every request and its accompanying paperwork. It was a very archaic process for a digital platform.

While enterprises do not blink at a $100-a-year fee for their website, the average small business does. There are thousands of small businesses for every enterprise, and beyond them there are millions of blogs, forums, and other sites that make little or no revenue and can barely justify their hosting overhead. HTTPS was simply not viable at those rates.

Another cost you might not think about is IP addresses. In the beginning, each HTTPS site needed its own dedicated IP address: the server had to present its certificate before the client had said which hostname it wanted, so one address could serve only one certificate. Despite millions of possible IPv4 addresses, there were nowhere near enough, and that scarcity raised the price of HTTPS, easily adding another $100 or more a year to the cost of hosting a site. Today, this has changed. The Server Name Indication (SNI) extension to TLS lets the client name the host it wants in its first message, so a certificate now maps to a domain rather than to an address and many sites can share a single IP. This eliminates that tax.

Today, HTTPS requirements and costs have all relaxed. There are many low-cost certificate providers, and you can obtain a certificate for free from Let's Encrypt (https://letsencrypt.org) or, for sites fronted by AWS services such as CloudFront and Elastic Load Balancing, from AWS Certificate Manager (the free AWS certificates can only be deployed on those integrated services, not exported to your own server). The latest statistics Let's Encrypt shares show over 50 million certificates issued.

Up to this point, I have referred to SSL, but that name is no longer accurate. Transport Layer Security (TLS) is the proper term used today, and the protocol continues to evolve: TLS 1.2 (RFC 5246, 2008) and TLS 1.3 (RFC 8446, 2018) are the current versions. SSL was originally created by Netscape, which was later acquired by AOL.

TLS 1.0 was published in 1999 as RFC 2246 (see https://tools.ietf.org/html/rfc2246). The primary intent behind the name change was to separate the protocol from Netscape, avoid potential legal issues over the name, and make it an open IETF standard that anyone could implement freely.

SSL and TLS are used interchangeably in general conversation, and most people will understand what you mean.

Which protocol versions you can offer is limited by your server platform. Because TLS 1.2 is very well established at this point, it is difficult to find a server platform or browser that does not support it. Qualys, which runs the SSL Labs server test, offered this advice:

"There are five protocols in the SSL/TLS family, but not all of them are secure. The best practice is to use TLS v1.0 as your main protocol (making sure the BEAST attack is mitigated in configuration) and TLS v1.1 and v1.2 if they are supported by your server platform. That way, the clients that support newer protocols will select them, and those that don't will fall back to TLS v1.0. You must not use SSL v2.0, because it is insecure."

That advice dates from when TLS 1.0 was still the lowest common denominator. SSL 3.0 has since been deprecated (RFC 7568, 2015) and so have TLS 1.0 and 1.1 (RFC 8996, 2021), so current best practice is to offer TLS 1.2 and 1.3 only, and never any SSL version. Note that the certificate plays no part in this: an X.509 certificate is independent of the protocol version, so which versions and cipher suites your server accepts is a server configuration setting that you must set, and periodically re-test, yourself. Later in this chapter, I will go through the steps to create a certificate in AWS and Let's Encrypt, both free services.
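As an added example (not code from the book), here is a small Python probe that does on a single host what the SSL Labs test does at scale: it attempts one handshake per protocol version to see which ones the server actually accepts, turns the result into findings, and builds a client context pinned to TLS 1.2 or newer. The default host name, the acceptable-minimum threshold and the wording of the findings are my own assumptions; `probe_versions` needs network access to the server it tests, while `assess` and `hardened_context` run offline.

```python
"""Probe which TLS protocol versions a server accepts, and build a context
that refuses anything older than TLS 1.2. Added example, not the book's code."""
import socket
import ssl

# Oldest first. SSL 2.0 and 3.0 are not probed because the ssl module no
# longer offers them; a server still accepting them fails the same bar.
PROBE_VERSIONS = (
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
)
# Assumed policy threshold: anything below this is a finding.
MINIMUM_ACCEPTABLE = ssl.TLSVersion.TLSv1_2


def hardened_context(purpose=ssl.Purpose.SERVER_AUTH):
    """A context that will not negotiate below TLS 1.2 regardless of what the
    peer offers. Certificate verification and hostname checking stay on."""
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = MINIMUM_ACCEPTABLE
    return ctx


def probe_versions(host, port=443, timeout=5.0):
    """Try one handshake per version, pinning min == max so the server cannot
    negotiate something else. Returns {version: True | False | None}; None
    means the local OpenSSL build refused to even offer that version."""
    results = {}
    for version in PROBE_VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # We are testing protocol support, not the peer's identity.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except ValueError:
            results[version] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    results[version] = True  # handshake completed at this version
        except (ssl.SSLError, OSError):
            results[version] = False
    return results


def assess(results):
    """Turn probe results into report findings: every version below the
    threshold that the server accepted, plus a warning if nothing modern
    was accepted at all (clients will fail or be pushed to downgrade)."""
    findings = []
    for version, accepted in results.items():
        if accepted and version < MINIMUM_ACCEPTABLE:
            findings.append(f"{version.name.replace('_', '.')} accepted: disable it")
    if not results.get(ssl.TLSVersion.TLSv1_2) and not results.get(ssl.TLSVersion.TLSv1_3):
        findings.append("no modern version accepted: clients will fail or downgrade")
    return findings


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed default
    probe = probe_versions(target)
    for version, accepted in probe.items():
        print(f"{version.name.replace('_', '.'):8} {accepted}")
    for finding in assess(probe) or ["no protocol findings"]:
        print(finding)
```

One caveat when reading the output: a `False` for TLS 1.0 or 1.1 can mean the server refused the version, or that your own OpenSSL build's security level refused to complete a handshake at it. If you need to prove a legacy server is still answering at TLS 1.0, run the probe from a build that permits it, or confirm with the SSL Labs test.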