[prev in list] [next in list] [prev in thread] [next in thread] 

List:       cygwin
Subject:    Re: Proposed patch for web site: update most links to HTTPS
From:       Linda Walsh <cygwin () tlinx ! org>
Date:       2016-04-27 5:35:44
Message-ID: 57204FB0.7030201 () tlinx ! org
[Download RAW message or body]

Adam Dinwoodie wrote:
> Secure connections historically had a high overhead, sure, but that's
> very rarely the case nowadays.  Certainly my experince of loading the
> Cygwin web page is that there's no perceptible difference between the
> http and https versions.  Adam Langley (a senior engineer at Google)
> wrote an article back in 2010 about how TLS is now computationally
> cheap[0]; it's only gotten cheaper since.
----
Google talking about benefits of https everywhere is a bit like 
the government telling us that having 'banks' create the rules
for how we use money is "impartial".

https slows down the entire web -- you think not by much -- and that's
because no one knows what the speed is like if everything that could
be cleartext, was.  Sure crypto speedups have been added to HW, but
speedups in communications HW has speed up as well.  So encryption speed
has gone up 100-200%, in the past decade, but in the past decade
communication speeds have gone up from 100Mb-> 10Gb @ home and 
~1Mb -> 50-100Mb over the external net -- that's a 1000% speedup @ home
to a 5000-10000% speedup externally.  That means more and more
of that speed is being lost to crypto which can't keep up and be secure
because it is expensive to do the computations.

A different example:  When I first started regular backups, I used gzip on 
default settings and thought my 5MB/s was 'normal'.  As my network went
up by 100x, I was still getting <10MB/s in backup speed.  The bottleneck
was the compression -- even fast compressors like lzo limit backups to
less than 20-30MB/s.  Compare that to uncompressed speeds:  200-400MB/s.

> At the very least, the Cygwin website should be using protocol-
> independent links, meaning users accessing the website using https
> aren't switched to http when they click on a link (i.e. link to
> "//cygwin.com/path/to/page" rather than "https://cygwin.com/..." or
> "http://cygwin.com/...").  But I agree with Brian: the Cygwin website
> should use https everywhere unless there's some good, specific reason
> why it's a bad idea.  And "TLS is slow" hasn't been a good reason for
> years.
---
Compared to the latency it induces over the net, and the increases in net
speed, it's getting slower and slower and the penalty is getting worse
by the year.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

[prev in list] [next in list] [prev in thread] [next in thread]