Why aren't we all using SFTP, HTTPS, SSH et al?

Were you to decide, what would you choose?

  • FTP or SFTP?
  • Plain e-mail or signed encrypted mail?
  • e-mail over an unsecured connection or using TLS encryption?
  • BitTorrent unencrypted or encrypted connections?
  • use your default e-mule port number or change it?
  • http or https?
  • telnet or SSH?
  • automatic log-in or having to enter your user name and password for accessing your own computer?

When faced with choosing one or another technology, and unless there are bigger restrictions, we instinctively try to opt for the easiest one, in all terms (time/money/learning curve). Secure/private options tend to require more time for setting up and configuring, testing and learning. Sometimes the difference between unencrypted and encrypted can even be noticed, as in computer resources required for encrypting, which makes us label the encrypted version as "slower".

For example, an FTP connection is usually faster than an SFTP one. I understand that's due to the way SFTP works (opening an SSH connection each time a file is due to be transferred and then sending the contents, instead of reusing the same connection like FTP does). Therefore, a normal user which is forced by their hosting provider to use SFTP simply deduces that SFTP is slower and misses old good FTP-based hosting.

Another example, getting your e-mail via an encrypted connection (TLS) shouldn't be noticeably slower than via an unencrypted plain one. Unfortunately, some ISPs decided it was a good idea to systematically throttle the speed of anything which is not HTTP traffic and other most common protocols, and hence using TLS is painfully slow, even timing out and forcing people to use unencrypted connections, for the sake of simplicity and being able to get the job done.

Now, were the secure methods easier to use, I'm pretty sure they would be the default option, not an extra could-be-nice-to-have-but-it's-fine-if-missing feature. If SFTP was the default set up in shared hosting, you wouldn't stop for a minute and wonder: "hold on -- is my data valuable enough so that I do not want someone else to have a peek at it while I'm uploading to my web server? Should I spend X hours trying to enable SFTP instead of uploading my stuff right now?". And the same principle applies to the rest of technologies.

Taking into account the current state of affairs in what regards to subjects such as the war on terror (or how to think of a reason for criminalising every citizen before they are even born) or Phorm (or how several British ISP's, including BT, are trying to suck still more money from their subscribers by data mining their traffic and serving contextual ads for their profit, using technology developed by a company with spyware background) and all that, it sounds to me like a very good idea to begin switching to the safer alternatives. In fact, it seems that it is the most sensible thing to do.