Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Cost of the "S" In HTTPS

Posted by timothy on from the not-insignificant dept.

An anonymous reader writes Researchers from CMU, Telefonica, and Politecnico di Torino have presented a paper at ACM CoNEXT that quantifies the cost of the "S" in HTTPS. The study shows that today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. This is a nice testament to the feasibility of having a fully encrypted web. The paper pinpoints also the cost of encryption, that manifests itself through increases in the page loading time that go above 50%, and possible increase in battery usage. However, the major loss due to the "S" is the inability to offer any in-network value added services, that are offered by middle-boxes, such as caching, proxying, firewalling, parental control, etc. Are we ready to accept it? (Presentation can be downloaded from here.)

8 of 238 comments (clear)

  1. What about the cost of NOT having it? by RivenAleem · · Score: 5, Insightful

    What is the cost to the user of having their communications intercepted, banking details stolen etc etc.

    That's like saying that putting locks on your doors has an added cost of you requiring more time every day getting in and out because you have to take time to turn a key. It also means that local corporations can't send people by to inject "value added" services into your home without your consent! Are you ready to accept locks on your doors?

  2. ... Is about the least of it by RabidReindeer · · Score: 2, Insightful

    I've no doubt that the overhead of https can be more than paid for if website designers would lay off the Singing Flowers and Dancing Fairies. Toss the gratuitous multi-media. Especially the auto-playing stuff. It's cheap and cheesy and makes me seriously think of avoiding the site altogether, whether it's local content or 3d-party adverts.

    And while you're at it, calculate the slow-filling parts of the page in advance so that the [censored] thing doesn't bounce up and down like a demented ping-pong ball as it loads. The only thing more irritating than having a page continually re-map itself while you're reading it is to have the stupid thing auto-reload and throw you back to the top of it.

  3. Re:Those aren't the services you're looking for by Qzukk · · Score: 3, Insightful

    Legitimate local proxies will have the clients configured to use them and will work fine with https.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  4. Re:Not Slashdot! by Charliemopps · · Score: 2, Insightful

    Yes, clearly we must urgently encrypt all slashdot communication so that no-one can read the posts!

    Given that this sites primary purpose is social commentary of the news, encryption's probably more important here than just about anywhere else.

  5. caching, proxying, firewalling, parental control by nitehawk214 · · Score: 4, Insightful

    Or as the rest of us like to say... stopping man in the middle attacks.

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
  6. Re:Those aren't the services you're looking for by Eunuchswear · · Score: 3, Insightful

    My experience with telephone company provided local caching is that it usualy makes the web unusable, If I can get at a service via HTTP or HTTPS then quite often the HTTPS works where the HTTP will either give you nothing, or just the start of the page,

    (This was on Free Mobile, in France).

    --
    Watch this Heartland Institute video
  7. Re:"S" in quotes, but not services or value added? by Immerman · · Score: 3, Insightful

    There's also a point to be made that while many somebodies would, just on general principles, love to know everything you watch on Netflix, etc, in most cases the actual privacy invasion of such knowledge is almost certainly far lower than would be gotten from library records in days of old. We're talking about what mass-market pablum you choose to waste your time with - it may help somewhat in building a psychological profile, but it's unlikely to reveal many details. So leaving such high-bandwidth mass-distributed data unencrypted could allow us to still use caching for the data which benefits most.

    On the other hand, your YouTube watching habits are potentially far more revealing. But by the same token the viewership for any given video is generally far lower, and with it the benefits of caching, so the cost/benefit ratio probably comes down strongly in favor of encryption there. If the NSA wants to know my viewing habits, let them buy the data from Google. And Google, I'm counting on you making a tidy profit selling that data. Don't cheap out on me. The expense needs to be enough to that they only buy the data on the specific individuals they're already suspicious of.

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.
  8. Re:Not Slashdot! by zidium · · Score: 4, Insightful

    Worry not, Comrade!

    HTTPS will come to Slashdot after UTF-8 arrives and the Usable Slashdot interface is retired.

    In the meantime, why don't you come join us at https://pipedot.org/? It has both UTF-8 and SSL support already.

    --
    Slashdot Valentines Beta Massacre: iT WORKED! The boycotts killed Beta!!