It's security theater to encrypt everything. If you have to let some content delivery network decrypt your HTTPS sessions, you've created a central wiretapping point at the CDN. If you only encrypt login pages and such, and have a server with higher security handling them, you're at least protecting passwords and user identification. If decryption has to be moved out into the CDN to support encryption of cat pictures, security has been reduced.
> If decryption has to be moved out into the CDN to support encryption of cat pictures, security has been reduced.
That doesn't logically follow. The CDN doesn't have to start handling logins just because the "cat pictures" are now being served over HTTPS.
> If you only encrypt login pages and such, and have a server with higher security handling them, you're at least protecting passwords and user identification
It's impossible to provide meaningful security this way - if the pages linking to the login page aren't HTTPS, it's trivial to sslstrip them. Only a very small fraction of users will notice when this happens.
You can do that. You need a separate login domain, with its own server and SSL cert. The cat videos can go through the main domain and CDN.
HTTPS security seems to be going downhill where it matters. "wellsfargo.com" not only has just a cheezy "domain validated only" SSL cert, but their "sign up for online access" link redirects to "https://adfarm.mediaplex.com". Bank of America used to run the secure pages through "secure.bankofamerica.com" from their own servers. Now everything comes from one domain, and it's front-ended by an Akamai service.
Is it really new? People have always outsourced hosting. Complaining that CloudFlare or Akamai have access to an SSL cert makes as much sense to me as complaining that RackSpace has access to it, when someone was hosting their stuff in their datacenters.
