Slashdot Mirror


The Cost of the "S" In HTTPS

An anonymous reader writes: Researchers from CMU, Telefonica, and Politecnico di Torino have presented a paper at ACM CoNEXT that quantifies the cost of the "S" in HTTPS. The study shows that today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. This is a nice testament to the feasibility of having a fully encrypted web. The paper also pinpoints the cost of encryption, which manifests itself through increases in the page loading time that go above 50%, and a possible increase in battery usage. However, the major loss due to the "S" is the inability to offer any in-network value-added services that are offered by middle-boxes, such as caching, proxying, firewalling, parental control, etc. Are we ready to accept it? (Presentation can be downloaded from here.)


  1. Not Slashdot! by Charliemopps · · Score: 5, Funny

    Are we ready to accept it?

    Slashdot certainly isn't ready!

    1. Re:Not Slashdot! by Anonymous Coward · · Score: 5, Funny

      Yes, clearly we must urgently encrypt all slashdot communication so that no-one can read the posts!

    2. Re:Not Slashdot! by zidium · · Score: 4, Insightful

      Worry not, Comrade!

      HTTPS will come to Slashdot after UTF-8 arrives and the Usable Slashdot interface is retired.

      In the meantime, why don't you come join us at https://pipedot.org/? It has both UTF-8 and SSL support already.

      --
      Slashdot Valentines Beta Massacre: iT WORKED! The boycotts killed Beta!!
  2. Those aren't the services you're looking for by Overzeetop · · Score: 5, Interesting

    "in-network value added services"

    I just read that as "advertising".

    Besides, I thought most of the internet traffic was Netflix now. Is that all done over HTTPS in a way that distributed caches are infeasible? I understood that the caching was pretty robust for their traffic.

    --
    Is it just my observation, or are there way too many stupid people in the world?
  3. Yes by buchner.johannes · · Score: 5, Informative

    Caching: You cannot cache Facebook, for example, because the content is generated differently for every user. YouTube goes to great lengths to prohibit caching (e.g. with Squid) in the first place.
    Proxying: You can proxy https just fine.
    Firewalling: You can firewall https just fine.
    Parental control: You can block websites just fine, either via DNS or IP.
    I suspect they mean snooping for "copying that companies don't approve of" and "freedom fighters" here. And child pornography. It's kind of the point of HTTPS that it should be private. So yes, I can accept these costs.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    1. Re:Yes by Aethedor · · Score: 4, Informative

      Caching: You can cache Facebook's images, stylesheets and JavaScript just fine.
      Proxying: Not just fine. You need a man-in-the-middle proxy for that and its root certificate installed on every client. Otherwise, it's just routing, not proxying.
      Firewalling: Firewalling based on hostname / port, yes. Firewalling based on bad content (malware), no.
      Parental control: Same as firewalling. And blocking this kind of content is not only done by IP address, but often also by words in the hostname. This cannot be done when you can't read the hostname in the HTTP request.

      --
      It doesn't have to be like this. All we need to do is make sure we keep talking.
  4. Cost of certificates by bunratty · · Score: 4, Interesting

    The other cost of the S is the difficulty in obtaining and using certificates that are recognized by browsers without bothering the user. That's why the Let's Encrypt project is trying to make it free and easy.

    --
    What a fool believes, he sees, no wise man has the power to reason away.
  5. What about the cost of NOT having it? by RivenAleem · · Score: 5, Insightful

    What is the cost to the user of having their communications intercepted, banking details stolen, etc.?

    That's like saying that putting locks on your doors has an added cost of you requiring more time every day getting in and out because you have to take time to turn a key. It also means that local corporations can't send people by to inject "value added" services into your home without your consent! Are you ready to accept locks on your doors?

  6. Re:Sounds good to me by Anonymous Coward · · Score: 5, Informative

    To do this, the client must have a root certificate installed by the man-in-the-middle meddler that spoofs all domain names. Not an easy task unless you're a corporation providing a computer to your employees.

  7. caching, proxying, firewalling, parental control by nitehawk214 · · Score: 4, Insightful

    Or as the rest of us like to say... stopping man in the middle attacks.

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust