SSL considered bloated
6th September 2016
There is, at present, a fashion, or even a movement, to put
SSL encryption on every single website. Many popular
websites now cannot even be accessed without encryption.
I think this is motivated by:
- A legitimate interest in security. Any spoofed website
  is potentially a problem, not just e-commerce and bank
  sites.
- A desire to make traffic shaping and censorship more
  difficult. I don't know whether this is ultimately a good
  idea. Seems to me a bit like equipping everyone with
  armour to make shooting them more difficult. Solving the
  problem the wrong way?
- Some people just think it's cool to have SSL on their website.
I, however, do not think it's a good idea to
put SSL on every single website. Now I point out some
disadvantages with SSL:
- It takes a lot of network traffic to negotiate an SSL
  connection, and on a slow internet connection like I often
  have on my phone, this can be the difference between a
  page loading or not loading. Even on a fast connection it
  makes a difference: find a website with an encrypted and
  an unencrypted version and run
      $ time curl -I http://www.example.site
  and
      $ time curl -I https://www.example.site
- It stops proxies from caching responses between different
  clients. There is no way to fix this.
- It raises the entry bar for making a website. I think
  it's really great that kids can learn about HTTP and HTML
  just by spawning Apache and modifying the index.html. I
  also think it's great that you can write a working
  HTTP server in one line of code. It's not that simple
  once you add SSL.
I'm just warning against an elitist internet where the old
ways are forgotten in favour of some big new technology that
seems like a good idea at the time. And if SSL is offered
perhaps it should still be possible to access
non-security-critical pages by plain old HTTP.