this might be interesting reading for anyone wondering about https (ssl/tls) overhead / speed: http://www.cs.ucr.edu/~bhuyan/papers/ssl.pdf
>> In brief:
>>
>> - Does the cookie contain sensitive/private information? → set/get the
>> cookie using ssl that depends on the web site.
>>
>> - Does the cookie contain standard/publicly available information → no
>> need to be encrypted
>>

generally not - the point of a cookie is to retain information about you between the client and the server. here, this should give you some general information. but unless you've worked with this stuff, you're not going to really grasp the full implication of 'name' and 'value' and what not: http://www.cookiecentral.com/faq/#3.3

there's also the wikipedia rundown (look at the 'see also' section - it's got some pretty good stuff): http://en.wikipedia.org/wiki/HTTP_cookie

if you want to know what can be in a cookie, look at things like httpfox (there's a more popular ff extension that has some of the same features as well that i can't think of too).

>> What I fear, more than "unencrypted" browsing, is e-mail/ftp logins using
>> clear text passwords.
>>

email is not secure. it never was. don't send unencrypted sensitive information over email. then again, if you use a big enough email service (gmail, yahoo, etc) and have nothing to hide from your government (i'm in the us, so here that would include fbi, cia, dhs, dos) i don't think too many people are going to filter through l3 and verizon's data for your message.

per ftp, use scp (ftp+ssh, sftp).

fact of the matter is, unless you have information that others might profit by, or unless you're popular enough that someone might care enough to defame you, or you don't put yourself out there to be a target, you probably don't have much to worry about. point is, i can walk around my building and capture enough encrypted wifi packets to then go back home, and run aircrack on them all and have fun with everyone (as i'm sure they all surf the web with http and could be exploited in many other ways as well). i don't because, well, why? what would i gain?
on the other hand, if i'm hanging around at a library or starbucks with a laptop, i'll pop out wireshark and firesheep just for the hell of it (i'm not often 'hanging around' with nothing better to do). so, fwiw