SSL considered bloated

6th September 2016

There is, at present, a fashion, or even a movement, to put SSL encryption on every single website. Many popular websites now cannot even be accessed without encryption.

I think this is motivated by:

  1. A legitimate interest in security. Any spoofed website is potentially a problem, not just e-commerce and bank sites.
  2. A desire to make traffic shaping and censorship more difficult. I don't know whether this is ultimately a good idea. Seems to me a bit like equipping everyone with armour to make shooting them more difficult. Solving the problem the wrong way?
  3. Some people just think it's cool to have SSL on their website.

I, however, do not think it's a good idea to put SSL on every single website. I will now point out some disadvantages of SSL:

  1. It takes a lot of network traffic to negotiate an SSL connection, and on a slow internet connection like I often have on my phone, this can be the difference between a page loading or not loading. Even on a fast connection it makes a difference: find a website with an encrypted and an unencrypted version and run
       $ time curl -I http://www.example.site
       $ time curl -I https://www.example.site
  2. It stops proxies from caching responses between different clients. There is no way to fix this.
  3. It raises the entry bar for making a website. I think it's really great that kids can learn about HTTP and HTML just by spawning Apache and modifying the index.html. I also think it's great that you can write a working HTTP server in one line of code. It's not that simple once you add SSL.
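
The comparison in item 1 can be broken down further with curl's own `-w` timers, which separate DNS, TCP connect and TLS handshake time instead of giving one wall-clock figure. This is an added example, not part of the original post; the function names are illustrative and the timing lines used to check it are constructed.

```shell
#!/bin/sh
# Added example: split a request's latency into phases with curl's -w timers.
# Function names are illustrative; www.example.site is the post's placeholder.

# Print "namelookup connect appconnect total" (cumulative seconds) for a URL.
# Needs network access; -I sends a HEAD request as in the post's commands.
probe() {
    curl -sS -o /dev/null -I \
        -w '%{time_namelookup} %{time_connect} %{time_appconnect} %{time_total}\n' \
        "$1"
}

# Convert one probe line into per-phase costs in milliseconds.
# curl reports time_appconnect as 0 for plain HTTP, so tls=0 there.
phases() {
    echo "$1" | awk '{
        tls   = ($3 > 0) ? $3 - $2 : 0
        ready = ($3 > 0) ? $3 : $2      # moment the request can be sent
        printf "dns=%.0f tcp=%.0f tls=%.0f request=%.0f total=%.0f\n",
               $1 * 1000, ($2 - $1) * 1000, tls * 1000,
               ($4 - ready) * 1000, $4 * 1000
    }'
}

# With URLs as arguments, probe each one and print its breakdown.
for url in "$@"; do
    printf '%s  ' "$url"
    phases "$(probe "$url")"
done
```

Pass the HTTP and HTTPS URLs as arguments; the `tls=` figure on the HTTPS line is the handshake cost, and it grows with round-trip time on a slow link.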

I'm just warning against an elitist internet where the old ways are forgotten in favour of some big new technology that seems like a good idea at the time. And if SSL is offered, perhaps it should still be possible to access non-security-critical pages by plain old HTTP.