Slashdot Mirror


The Cost of the "S" In HTTPS

An anonymous reader writes: Researchers from CMU, Telefonica, and Politecnico di Torino have presented a paper at ACM CoNEXT that quantifies the cost of the "S" in HTTPS. The study shows that today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. This is a nice testament to the feasibility of having a fully encrypted web. The paper also pinpoints the cost of encryption, which manifests itself through increases in page loading time that go above 50%, and a possible increase in battery usage. However, the major loss due to the "S" is the inability to offer any in-network value added services that are offered by middle-boxes, such as caching, proxying, firewalling, parental control, etc. Are we ready to accept it? (Presentation can be downloaded from here.)

6 of 238 comments

  1. Not Slashdot! by Charliemopps · · Score: 5, Funny

    Are we ready to accept it?

    Slashdot certainly isn't ready!

    1. Re:Not Slashdot! by Anonymous Coward · · Score: 5, Funny

      Yes, clearly we must urgently encrypt all slashdot communication so that no-one can read the posts!

  2. Those aren't the services you're looking for by Overzeetop · · Score: 5, Interesting

    "in-network value added services"

    I just read that as "advertising".

    Besides, I thought most of the internet traffic was Netflix now. Is that all done https in a way that distributed caches are infeasible? I understood that the caching was pretty robust for their traffic.

    --
    Is it just my observation, or are there way too many stupid people in the world?
  3. Yes by buchner.johannes · · Score: 5, Informative

    Caching: You cannot cache Facebook for example, because the content is generated differently for every user. YouTube goes to great lengths to prohibit caching (e.g. with Squid) in the first place.
    Proxying: You can proxy https just fine.
    Firewalling: You can firewall https just fine.
    Parental control: You can block websites just fine, either via DNS or IP.
    I suspect they mean snooping for "copying that companies don't approve of" and "freedom fighters" here. And child pornography. It's kind of the point of HTTPS that it should be private. So yes, I can accept these costs.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  4. What about the cost of NOT having it? by RivenAleem · · Score: 5, Insightful

    What is the cost to the user of having their communications intercepted, banking details stolen, etc., etc.?

    That's like saying that putting locks on your doors has an added cost of you requiring more time every day getting in and out because you have to take time to turn a key. It also means that local corporations can't send people by to inject "value added" services into your home without your consent! Are you ready to accept locks on your doors?

  5. Re:Sounds good to me by Anonymous Coward · · Score: 5, Informative

    To do this, the client must have a root certificate installed by the man-in-the-middle meddler that spoofs all domain names. Not an easy task unless you're a corporation providing a computer to your employees.