The Cost of the "S" In HTTPS

← Back to Stories (view on slashdot.org)

Posted by timothy on Thursday December 4, 2014 @03:13AM from the not-insignificant dept.

An anonymous reader writes Researchers from CMU, Telefonica, and Politecnico di Torino have presented a paper at ACM CoNEXT that quantifies the cost of the "S" in HTTPS. The study shows that today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. This is a nice testament to the feasibility of having a fully encrypted web. The paper pinpoints also the cost of encryption, that manifests itself through increases in the page loading time that go above 50%, and possible increase in battery usage. However, the major loss due to the "S" is the inability to offer any in-network value added services, that are offered by middle-boxes, such as caching, proxying, firewalling, parental control, etc. Are we ready to accept it? (Presentation can be downloaded from here.)

24 of 238 comments (clear)

Min score:

Reason:

Sort:

Not Slashdot! by Charliemopps · 2014-12-04 03:15 · Score: 5, Funny

Are we ready to accept it?
Slashdot certainly isn't ready!
1. Re:Not Slashdot! by Anonymous Coward · 2014-12-04 03:36 · Score: 5, Funny
  
  Yes, clearly we must urgently encrypt all slashdot communication so that no-one can read the posts!
2. Re:Not Slashdot! by zidium · 2014-12-04 04:41 · Score: 4, Insightful
  
  Worry not, Comrade!
  HTTPS will come to Slashdot after UTF-8 arrives and the Usable Slashdot interface is retired.
  In the meantime, why don't you come join us at https://pipedot.org/? It has both UTF-8 and SSL support already.
  
  --
  Slashdot Valentines Beta Massacre: iT WORKED! The boycotts killed Beta!!
3. Re:Not Slashdot! by Raumkraut · 2014-12-04 05:02 · Score: 3, Funny
  
  In the meantime, why don't you come join us at https://pipedot.org/? It has both UTF-8 and SSL support already.
  And for that matter so does Soylent News, which is even based on the same codebase as Slashdot!
Those aren't the services you're looking for by Overzeetop · 2014-12-04 03:18 · Score: 5, Interesting

"in-network value added services"
I just read that as "advertising".
Besides, I though most of the internet traffic was netflix now. Is that all done https in a way that distributed caches are infeasible? I understood that the caching was pretty robust for their traffic.

--
Is it just my observation, or are there way too many stupid people in the world?
1. Re:Those aren't the services you're looking for by yakatz · 2014-12-04 03:22 · Score: 3, Informative
  
  It includes things like local caching which was once important, but probably isn't anymore.
2. Re:Those aren't the services you're looking for by Qzukk · 2014-12-04 03:56 · Score: 3, Insightful
  
  Legitimate local proxies will have the clients configured to use them and will work fine with https.
  
  --
  If I have been able to see further than others, it is because I bought a pair of binoculars.
3. Re:Those aren't the services you're looking for by Eunuchswear · 2014-12-04 04:14 · Score: 3, Insightful
  
  My experience with telephone company provided local caching is that it usualy makes the web unusable, If I can get at a service via HTTP or HTTPS then quite often the HTTPS works where the HTTP will either give you nothing, or just the start of the page,
  (This was on Free Mobile, in France).
  
  --
  Watch this Heartland Institute video
4. Re:Those aren't the services you're looking for by petermgreen · 2014-12-04 04:31 · Score: 3, Informative
  
  In my experiance most proxies legitimate or otherwise just pass https through without caching it.
  It's certainly possible to set up a proxy that decrypts and hashes https but it has a number of issues.
  1: legal, in some jurisdications it may not be legal to interfere with the encryption of certain types of traffic or may make you liable if the information you decrypted leaks out.
  2: client configuration, you have to explicitly add the certificate for every client. Having unmanaged client machines is not mutally exclusive with a legitimate desire to cache data.
  3: security, your proxy just became a massive target for anyone wanting to attack your users.
  
  --
  note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
Yes by buchner.johannes · 2014-12-04 03:22 · Score: 5, Informative

Caching: You can not cache Facebook for example, because the content is generated differently for every user. Youtube goes through great lengths to prohibit caching (e.g. with Squid) in the first place.
Proxying: You can proxy https just fine.
Firewalling: You can firewall https just fine.
Parental control: You can block websites just fine, either via DNS or IP.
I suspect they mean snooping for "copying that companies don't approve of" and "freedom fighters" here. And child pornography. It's kind of the point of HTTPS that it should be private. So yes, I can accept these costs.

--
NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
1. Re:Yes by Aethedor · 2014-12-04 03:58 · Score: 4, Informative
  
  Caching: You can cache Facebook's images, stylesheets and Javascripts just fine.
  Proxying: Not just fine. You need a man-in-the-middle proxy for that and its root certificate installed on every client. Otherwise, it's just routing, not proxying.
  Firewalling: Firewalling based on hostname / port, yes. Firewalling based on bad content (malware), no.
  Parental control: Same as firewalling. And blocking this kind of content is not only done by IP address, but often also by words in the hostname. This cannot be done when you can't read the hostname in the HTTP request.
  
  --
  It doesn't have to be like this. All we need to do is make sure we keep talking.
2. Re:Yes by Anonymous Coward · 2014-12-04 04:19 · Score: 3, Informative
  
  It is disingenuous to make a blanket statement "you can not cache Facebook". After all, what takes up the most "data" on the page? It is between images and scripts. Neither of those is unique per user. When someone posts an image, all viewers of the image see the same image. It can be cached. Same with the javascript. It is just the unique parts of the page that can't be cached...
Cost of certificates by bunratty · 2014-12-04 03:23 · Score: 4, Interesting

The other cost of the S is the difficulty in obtaining and using certificates that are recognized by browsers without bothering the user. That's why the Let's Encrypt project is trying to make it free and easy.

--
What a fool believes, he sees, no wise man has the power to reason away.
1. Re:Cost of certificates by bunratty · 2014-12-04 04:09 · Score: 3, Informative
  
  You can get SSL certificates for free, but they're WAY more difficult to use than they need to be. I've installed certificates before, and it's a bunch of tedious, boring, repetitive work. What are computers for but to automate tedious, boring, repetitive work!? The computer should handle all work for me, and all I should have to do is click a button, for chrissake! That's what Let's Encrypt does.
  
  --
  What a fool believes, he sees, no wise man has the power to reason away.
What about the cost of NOT having it? by RivenAleem · 2014-12-04 03:30 · Score: 5, Insightful

What is the cost to the user of having their communications intercepted, banking details stolen etc etc.
That's like saying that putting locks on your doors has an added cost of you requiring more time every day getting in and out because you have to take time to turn a key. It also means that local corporations can't send people by to inject "value added" services into your home without your consent! Are you ready to accept locks on your doors?
WTF... by EndlessNameless · 2014-12-04 03:30 · Score: 3, Interesting

Stupid article. Making a mountain out of a mole hill.
How hard is it to push a certificate to your clients so they trust your proxy? How hard is it to setup a cache there? And monitoring/filtering? Not very hard.
We do this at work, and it is dead simple for halfway competent admins to implement.
What this really does is stop telecoms from monkeying with their users' traffic. By default, anyway.
Most ISPs provide Windows installers/optimizers to their users, which their users dutifully click through without understanding. So they could just install their certificates and continue business as usual---with very little effort, all things considered. They might need beefier proxies to handle encryption, but CPU time is cheaper than ever.

--

---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
Hmmm. Not a hard tradeoff for me. by anegg · 2014-12-04 03:37 · Score: 3, Interesting

The tradeoff is between a little more time, and a little more resources, against the benefit of keeping my communications private and unaltered by all of the middlemen through which my communications pass. That's a no-brainer for me.
In the days before the exposure of Verizon's (and others) schemes to actually interfere with the content of communications from their customers passing through their network (I'm talking about the physical modification of the communications content, and not just traffic management/prioritizing), I may have had a different opinion about the tradeoffs. But now that the "common carriers" have shown that they have no morals what so ever with respect to the content of traffic they are carrying through their networks, SSL encryption is simply a necessary function to prevent interference.
Today that interference may be limited to tracking user activity using an additional HTTP header that the user never knows exists. Who knows what packet re-writing magic might be used by the carriers in the future to completely "customize" each user's experience interacting with third parties to the benefit of the carrier?
Re:Sounds good to me by TWX · 2014-12-04 03:38 · Score: 3, Interesting

Yes. COX is an offender for certain.

An interesting thing of it though, it's possible to man-in-the-middle HTTPS. It requires one to be a router in-stream, and to proxy the traffic, and to report one's own SSL information to the web client, then to decrypt, and re-encrypt when proxy-requesting from the server.

This is actually normal behavior on corporate networks. Cisco has products that are specifically designed to do this. An interesting way to see if it's going on is to use a new browser with HTTPS Everywhere running with the SSL Observatory turned on in the wild, then use it on a corporate network and see if one gets warnings.

--
Do not look into laser with remaining eye.
Use COPPA as an excuse not to encrypt by tepples · 2014-12-04 03:42 · Score: 3, Interesting

Then block all HTTPS until age 13. The only sites you need HTTPS for are the ones that require a login, and COPPA and foreign counterparts make it very hard to offer logins to children under 13.
Re:Sounds good to me by Anonymous Coward · 2014-12-04 03:46 · Score: 5, Informative

To do this, the client must have a root certificate installed by the man-in-the-middle meddler that spoofs all domain names. Not an easy task unless you're a corporation providing a computer to your employees.
Re:Drop HTTP completely? by bunratty · 2014-12-04 03:58 · Score: 3, Informative

The problem with HTTP is that a middleman can see and alter content. If a browser doesn't warn when it encounters a self-signed certificate, then HTTPS would be no more secure than HTTP -- all the middleman has to do is use a self-signed certificate to decrypt/encrypt packets as needed. So browsers do prefer HTTPS, when the certificate can be verified. If you're using HTTPS and the certificate can't be verified, it's no more secure than HTTP unless the user is warned, and in fact it's a way of detecting that a middleman may be present. That's the whole reason for the death warning!

--
What a fool believes, he sees, no wise man has the power to reason away.
caching, proxying, firewalling, parental control by nitehawk214 · 2014-12-04 04:06 · Score: 4, Insightful

Or as the rest of us like to say... stopping man in the middle attacks.

--
I'm a good cook. I'm a fantastic eater. - Steven Brust
Re:"S" in quotes, but not services or value added? by Immerman · 2014-12-04 04:27 · Score: 3, Insightful

There's also a point to be made that while many somebodies would, just on general principles, love to know everything you watch on Netflix, etc, in most cases the actual privacy invasion of such knowledge is almost certainly far lower than would be gotten from library records in days of old. We're talking about what mass-market pablum you choose to waste your time with - it may help somewhat in building a psychological profile, but it's unlikely to reveal many details. So leaving such high-bandwidth mass-distributed data unencrypted could allow us to still use caching for the data which benefits most.
On the other hand, your YouTube watching habits are potentially far more revealing. But by the same token the viewership for any given video is generally far lower, and with it the benefits of caching, so the cost/benefit ratio probably comes down strongly in favor of encryption there. If the NSA wants to know my viewing habits, let them buy the data from Google. And Google, I'm counting on you making a tidy profit selling that data. Don't cheap out on me. The expense needs to be enough to that they only buy the data on the specific individuals they're already suspicious of.

--
--- Most topics have many sides worth arguing, allow me to take one opposite you.
Re:Sounds good to me by RatherBeAnonymous · 2014-12-04 05:56 · Score: 3, Interesting

This is an easy one.
User: "Hi, I'm getting an error message when I go to my bank site."
Tech Support: "Oh, that's normal. Just click here, check that box, and then OK. In the mean time, go to our Internet troubleshooter. It will make sure you never see this error again."
User: "Thanks! You've been exceptionally helpful and I'm going to send your supervisor a positive review!"