[aklug] Re: TLS over http: Has anyone looked at this with any interest?

From: Royce Williams <royce@tycho.org>
Date: Fri Apr 03 2015 - 22:05:39 AKDT

On Fri, Apr 3, 2015 at 9:22 PM, Christopher Howard <ch.howard@zoho.com> wrote:
> On Fri, 03 Apr 2015 12:24:36 -0800
> Mike <alaskabarsalou@gmail.com> wrote:
>
>>
>> The subject might misrepresent how this really works.
>>
>> What are your thoughts?
>>
>> http://arstechnica.com/security/2015/04/new-firefox-version-says-might-as-well-to-encrypting-all-web-traffic/
>>
>>
>> Mike B.
>>
>> ---------
>> To unsubscribe, send email to <aklug-request@aklug.org>
>> with 'unsubscribe' in the message body.
>>
>
> Since the post was published on April 1, I had to spend about an hour
> to verify everything!

Heh.

> A more accurate subject would be "New Firefox Version Says 'Accept
> Unauthenticated Encryption On the Web Whenever It Is Available and
> Whenever HTTPS Is Not Available'". It makes opportunistic encryption
> available, i.e., if an HTTP (non-encrypted) resource is requested, the
> server and browser can negotiate a non-authenticated TLS session.
>
> I guess it is kind of like meeting a secret agent at a bar, and then
> agreeing to talk with him in a secret code made up on the spot. This
> is an improvement, because at least some random guy walking into the
> bar can't listen in to the conversation. But you don't really know if
> the other guy is who he claims to be. (He might have killed the guy
> you were really supposed to meet.)

This is a fantastic analogy - I'm totally gonna steal it. :-)

> I imagine that, if OE became a standard part of an automatic apache
> install, then a pretty large percentage of the internet would get
> converted to opportunistic encryption after a while, which sounds like
> a good thing to me. But presumably the big media providers won't be
> quick to enable it: If, for example, the abcnews Web site does not
> currently think user privacy and security is important enough to
> provide https, why would they provide unauthenticated encryption?
> Unauthenticated encryption will still dramatically increase their
> server load.

It's not so much about server load (CPU/IO/RAM) as it is about
increasing how many packets have to be sent to establish an HTTPS
connection.

This guy said it well:

http://stackoverflow.com/a/150879/263879

Lots of per-URL resources + high-latency connection = slow SSL.

If you're doing the right things to improve general page speediness
(reducing HTTP and DNS requests, etc. - all the stuff that Google
PageSpeed and Yahoo YSlow teach you to do), then you'll probably be
fine over SSL. YMMV.

Royce
Received on Fri Apr 3 22:06:22 2015
