Lewis' Blog Tales from the trenches of information technology


Google’s HTTPS Everywhere initiative: not so fast…

Download PDF

It seems that Google has a new factor to consider for web rankings: HTTPS.

I understand the allure of encryption. Heck, I use StartPage as my search site, and all of my searches go over HTTPS. The problem is that HTTPS is expensive.

Expensive how? Well, as Rosenthal & Rosenthal resells site certs, I'm probably shooting myself in the foot, but frankly, I don't think that every site needs to be encrypted. Pick up a newspaper at the corner stand. Do you need a password or a magic decoder ring to read it? No, because the communication is one-way, and everyone is getting the same information anyway, thus there's nothing to hide. Site certificates cost money, too. Then there's the hassle when a CA is compromised (remember DigiNotar?). Can you imagine the amount of scrambling we'd all have to do every time a trusted CA was breached (and expect more of those if certs are used more prevalently).

HTTPS is expensive in ways the end user (and ordinary site owner) may not realize. Due to the nature of HTTPS, unless using SNI, a single Apache web server on a single public IP may be able to host hundreds of domains, but only a single HTTPS domain - on the standard port. This leads to a whole other layer of expense, as web hosts try to cater to the lowest common denomonator (older clients - and possibly mobile ones, with less-capable browsers - which don't support SNI) thus having to maintain more public IP addresses. SNI should become more useful in time; I'm considering it on my server. However, for those unable to utilize it, it means dedicating another (rare) IPv4 address to incoming port 443 traffic or utilizing a non-standard port (and for those who seem to believe that web traffic lives and dies by Google's mighty hand, this is not a viable option).

Finally, there is additional server overhead and network/router/internet traffic involved in SSL communications. If all of the unsecure traffic we now see suddenly shifted to HTTPS, I wonder what that might do to overall internet performance, particularly on bandwidth-constrained links?

There is a small benefit in encrypting traffic to thwart tracking, but that is truly minimal. There are new techniques which bypass cookies altogether, thus rendering the threat from cookies themselves if not obsolete, on their way in that direction. I have no doubt that other methods will evolve should all of our traffic become secure. Will we soon need to encrypt our DNS queries, too? Surely this would do more to secure tracking than encrypting traffic flowing in one direction.

I don't know. It seems to me that the rush to HTTPS is driven more by hysteria than common sense. I'm not yet convinced of the tremendous benefit of encrypting all traffic on the internet.

Comments (0) Trackbacks (0)

No comments yet.

Leave a comment

No trackbacks yet.