Slashdot Mirror


The Cost of the "S" In HTTPS

An anonymous reader writes: Researchers from CMU, Telefonica, and Politecnico di Torino have presented a paper at ACM CoNEXT that quantifies the cost of the "S" in HTTPS. The study shows that today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. This is a nice testament to the feasibility of having a fully encrypted web. The paper also pinpoints the cost of encryption, which manifests itself through increases in page loading time that go above 50% and a possible increase in battery usage. However, the major loss due to the "S" is the inability to offer any in-network value added services that are offered by middle-boxes, such as caching, proxying, firewalling, parental control, etc. Are we ready to accept it? (Presentation can be downloaded from here.)

7 of 238 comments

  1. Those aren't the services you're looking for by Overzeetop · · Score: 5, Interesting

    "in-network value added services"

    I just read that as "advertising".

    Besides, I thought most of the internet traffic was Netflix now. Is that all done over HTTPS in a way that distributed caches are infeasible? I understood that the caching was pretty robust for their traffic.

    --
    Is it just my observation, or are there way too many stupid people in the world?
  2. Cost of certificates by bunratty · · Score: 4, Interesting

    The other cost of the S is the difficulty in obtaining and using certificates that are recognized by browsers without bothering the user. That's why the Let's Encrypt project is trying to make it free and easy.

    --
    What a fool believes, he sees, no wise man has the power to reason away.
  3. WTF... by EndlessNameless · · Score: 3, Interesting

    Stupid article. Making a mountain out of a mole hill.

    How hard is it to push a certificate to your clients so they trust your proxy? How hard is it to set up a cache there? And monitoring/filtering? Not very hard.

    We do this at work, and it is dead simple for halfway competent admins to implement.

    What this really does is stop telecoms from monkeying with their users' traffic. By default, anyway.

    Most ISPs provide Windows installers/optimizers to their users, which their users dutifully click through without understanding. So they could just install their certificates and continue business as usual---with very little effort, all things considered. They might need beefier proxies to handle encryption, but CPU time is cheaper than ever.

    --

    ---
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  4. Hmmm. Not a hard tradeoff for me. by anegg · · Score: 3, Interesting

    The tradeoff is between a little more time, and a little more resources, against the benefit of keeping my communications private and unaltered by all of the middlemen through which my communications pass. That's a no-brainer for me.

    In the days before the exposure of Verizon's (and others') schemes to actually interfere with the content of communications from their customers passing through their network (I'm talking about the physical modification of the communications content, and not just traffic management/prioritizing), I may have had a different opinion about the tradeoffs. But now that the "common carriers" have shown that they have no morals whatsoever with respect to the content of traffic they are carrying through their networks, SSL encryption is simply a necessary function to prevent interference.

    Today that interference may be limited to tracking user activity using an additional HTTP header that the user never knows exists. Who knows what packet re-writing magic might be used by the carriers in the future to completely "customize" each user's experience interacting with third parties to the benefit of the carrier?

  5. Re:Sounds good to me by TWX · · Score: 3, Interesting

    Yes. COX is an offender for certain.

    An interesting thing of it though, it's possible to man-in-the-middle HTTPS. It requires one to be a router in-stream, and to proxy the traffic, and to report one's own SSL information to the web client, then to decrypt, and re-encrypt when proxy-requesting from the server.

    This is actually normal behavior on corporate networks. Cisco has products that are specifically designed to do this. An interesting way to see if it's going on is to use a new browser with HTTPS Everywhere running with the SSL Observatory turned on in the wild, then use it on a corporate network and see if one gets warnings.

    --
    Do not look into laser with remaining eye.
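
The comparison described in the comment above (what a client sees in the wild versus on a corporate network) can be scripted. This is an added example, not part of the original thread; the host names, issuer names and fingerprints are constructed, and `observe`, `issuer_cn` and `assess` are hypothetical helper names.

```python
import hashlib
import socket
import ssl
from collections import Counter

def issuer_cn(info):
    """Extract the issuer commonName from an ssl.getpeercert() dict."""
    for rdn in info.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def observe(host, port=443, timeout=5.0):
    """Return (SHA-256 of leaf cert DER, issuer CN) as seen from this network.
    Verification stays on: an untrusted proxy CA raises SSLCertVerificationError
    (the browser warning); a proxy CA pushed to the client validates silently."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert()
    return hashlib.sha256(der).hexdigest(), issuer_cn(info)

def assess(baseline, observed):
    """Compare host -> (fingerprint, issuer) maps from two vantage points."""
    changed = {h: observed[h] for h in observed
               if h in baseline and observed[h][0] != baseline[h][0]}
    # A changed leaf alone may be ordinary rotation. One issuer absent from the
    # baseline signing several unrelated sites indicates a re-signing proxy.
    known = {iss for _, iss in baseline.values()}
    fresh = Counter(iss for _, iss in changed.values() if iss and iss not in known)
    return {"changed_hosts": sorted(changed),
            "proxy_issuers": sorted(i for i, n in fresh.items() if n >= 2)}

# Constructed sample data (not real certificates): host -> (leaf SHA-256, issuer CN)
BASELINE = {
    "bank.example": ("a1" * 32, "Public CA One"),
    "mail.example": ("b2" * 32, "Public CA Two"),
    "news.example": ("c3" * 32, "Public CA One"),
}
ON_NETWORK = {
    "bank.example": ("d4" * 32, "Corp Inspection CA"),
    "mail.example": ("e5" * 32, "Corp Inspection CA"),
    "news.example": ("c3" * 32, "Public CA One"),  # e.g. on the proxy's bypass list
}
```

`BASELINE` would be filled by calling `observe()` from an outside network and `ON_NETWORK` by calling it from the network under test.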
  6. Use COPPA as an excuse not to encrypt by tepples · · Score: 3, Interesting

    Then block all HTTPS until age 13. The only sites you need HTTPS for are the ones that require a login, and COPPA and foreign counterparts make it very hard to offer logins to children under 13.

  7. Re:Sounds good to me by RatherBeAnonymous · · Score: 3, Interesting

    This is an easy one.

    User: "Hi, I'm getting an error message when I go to my bank site."

    Tech Support: "Oh, that's normal. Just click here, check that box, and then OK. In the meantime, go to our Internet troubleshooter. It will make sure you never see this error again."

    User: "Thanks! You've been exceptionally helpful and I'm going to send your supervisor a positive review!"