Firesheep, SPDY, and you

For the past year, the SPDY team has been advocating that SPDY only work over SSL. Many pundits have asked why, arguing that this is not in the best interest of performance. Of course, that is true – security is not free. But what if we can make it almost free?

SPDY aims to give you the full security and privacy of SSL without the latency of SSL. When you combine the improvements inherent in SPDY with an improved SSL, we believe we have a new protocol which is both significantly faster than HTTP and fully encrypted, private, and secure. Sure, we could make SPDY without SSL. But that would be insecure. And is there any good argument for a protocol of the future that doesn’t embed security natively?

So, if you weren’t convinced before, you should be convinced today.  This weekend, Firesheep was unleashed.  It’s an extension for Firefox which leverages HTTP’s lack of security to allow any user to take over most of your social networking accounts – Facebook, Twitter, etc.  Of course, Firesheep isn’t doing anything that couldn’t be done yesterday – it’s just making it available to anyone.

As we move forward, all data communication needs to be secured and private.  It’s the only way.

