Saturday 13 April 2013

The problem with SSL is not performance, it's management

In a chat with Michael Hidalgo about SSL, he mentioned the posts Overclocking SSL (from Google), Dispelling the New SSL Myth (from F5) and Still not computationally expensive (Google guy responding to F5).

I have written a couple of posts on SSL, and if you read them you will notice that, from my point of view, the issue with SSL is not really a performance issue but a management/workflow one.

Namely the fact that:
  • SSL requires Development and Infrastructure to work together
  • It adds more complexity to the deployment (note how the Azure team is taking a long time to add support for it)
  • It is still a pain to add SSL support to existing web servers
  • Management of keys is hard
  • It is another source of bugs (for an application)
  • There are a lot of people (and organizations) that really don’t want SSL-everywhere to happen
That said, I agree that the time for SSL-Everywhere has come, and we really need to do a better job at protecting our browsing data.