Elinor Mills' CNET's post titled Google making SSL changes, other sites quiet
is interesting not just because it's about session cookies at some sites being vulnerable to MITM attacks, but also because it brings up a topic I've been talking about for years: Using SSL for all connections, not just for login. (See here
, and here
, among others)
She quotes Mike Perry
"Just about everyone but Google simply does not want to spend the money to invest in the security of their users, and will continue to ignore this issue, just as they have for the past year," Perry wrote in an e-mail.
Mike is being generous. Companies have been ignoring this class of issue for the past decade. In 2008 web sites that deal in money or personal information (like email) need to secure 100% of all connections, 100% of the time. It is not enough to secure just the login pages.
And as for cost? It's not really about buying new machines anymore. (See my posts, linked above) SSL has been more than fast enough for years. It's really just a matter of inertia.