Comment by Udayaditya Singh on "If HTTPS is more secure than HTTP, why don't all websites use HTTPS?"

1.The real problem, is that with HTTPS you lose the ability to cache.

2.small performance hit when using HTTPS, since "the SSL initial key exchange adds to the latency."

3.For sites that don't have any reason to encrypt anything—in other words, you never log in, so there's nothing to protect—the overhead and loss of caching that comes with HTTPS just doesn't make sense. However, for big sites like Facebook, Google Apps, or Twitter, many users might be willing to take the slight performance hit in exchange for a more secure connection. And the fact that more and more websites are adding support of HTTPS shows that users do value security over speed, so long as the speed difference is minimal.Although servers are faster and implementations of SSL more optimized, it still costs more than doing plain http

4.Perhaps the main reason most of us are not using HTTPS to serve our websites is simply that it doesn't work with virtual hosts. Virtual hosts, which are what the most common cheap Web hosting providers offer, allow the Web host to serve multiple websites from the same physical server—hundreds of websites all with the same IP address. That works just fine with regular HTTP connections, but it doesn't work at all with HTTPS.

There is a way to make virtual hosting and HTTPS work together—the TLS Extensions protocol—but it's only partially implemented. Of course that's not an issue for big sites, which often have entire server farms behind them. But until that spec—or something similar—is widely used, HTTPS isn't going to work for small, virtually hosted websites.

5.There is no real reason the whole Web couldn't use HTTPS. There are practical reasons why it isn't happening today, but eventually the practical hurdles will fall away. Broadband speeds will improve, making caching less of a concern, and improved servers will be further optimized for secure connections.

What do you mean, lose ability to cache? You cache payload, don't matter whether encrypted or not. FUD. HTTPS is as cacheable as HTTP. CDNs cache all the way. All types of gateways and services.
httpvshttps.com . This should be enough, again FUD, since you can optimize TLS roundtrips up to 3 (with TLS 1.3, you can even send the request payload on the first packet).
Internet Identity is more than logging in. Your IP is tracked. Your cookies are tracked. Your content is modified. Your content is associated with the IP. Profiles are established.
You can offload SSL termination to your provider's gateway, so you don't have to handle it yourself. What options does the cheap web hosting provide, how much setup does that involve, how much (if any) the certificate costs, those are all different questions.
Yes there is. PRISM. Protocol Upgrades (the only reason why browsers only support HTTP/2 over TLS). If the first might sound paranoid to you, the second should present a business case, which can mean saves in server provisioning.

I mean, in 2017, with all the different options regarding proxy/web server configurations and access to free certificates and wildly better performance and resource utilization when using TLS, specially on top of HTTP/2, I'm not sure what can still be held against it.

Search Hashnode