From: Mike Amling
Newsgroups: comp.lang.java.security
Subject: Re: the flip to HTTPS
Date: Mon, 29 Sep 2014 11:55:07 -0500
Lines: 44
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
Xref: csiph.com comp.lang.java.security:303

On 9/10/14 5:13 AM, Roedy Green wrote:
> I have noticed many sites flipping from HTTP: to HTTPS: even when the
> site has no confidential information. I asked why.
>
> The answers I got:
>
> 1. Google is pushing it. They will bump your rankings if you do.
>
> 2. Google wants it universal to make life awkward for the snoops. They
> can go on a goose chase decrypting pudding recipes.
>
> 3. HTTPS: is a more robust protocol.
>
> I have always assumed HTTPS: would necessarily completely defeat
> caching. Surely transport cannot be permitted to know anything at all
> about the structure of the stream it is transmitting, or does it?
>
> Without HTTPS a cacher can serve the same page to several different
> nearby users.

The entity holding the relevant certificate's private key can share
session keys with other systems. It's fairly common for load balancing
to share on a LAN. Some sites share the session keys with a content
delivery network, or caching proxies.

> CloudFront has a funny sort of HTTPS where the cloud encrypts the last
> leg with the caching server's certificate, not the original source's.
> This allows some caching.

Distributing a certificate's private key, or using multiple certificates
for multiple servers, can also be made to work.

> You can't do a thing with HTTPS to troubleshoot with Wireshark.

Sometimes if you're lucky all you need is traffic analysis.

> I would presume compression is becoming standard along with
> encryption.

I don't know about SPDY.

> The irony is this flip to HTTPS: leaves EMAIL still generally
> unprotected. It needs a major overhaul.

--Mike Amling

SSBkb24ndCBzZWUgd2hhdCBhbnkgb2YgdGhpcyBoYXMgdG8gZG8gd2l0aCBKYXZhLg==
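The exchange above turns on what the transport layer does and does not expose: the record layer (content type, protocol version, length) and the ClientHello (including the server name) travel in the clear, while application data is opaque, which is exactly the "traffic analysis" Mike Amling refers to and the view Wireshark still gives a troubleshooter. The following added example, which is not part of either poster's message, is a small TLS record-layer parser run over a constructed ClientHello and a constructed application_data record; the byte strings, the helper names (`build_client_hello`, `parse_records`, `extract_sni`) and the zero-filled random field are all assumptions made for the illustration.

```python
import struct

# TLS record content types (RFC 5246 / RFC 8446, section "Record Layer").
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# Handshake message types visible in an unencrypted TLS 1.2 handshake.
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   16: "client_key_exchange", 20: "finished"}


def build_client_hello(server_name: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello carrying one SNI extension.
    Not captured traffic; built here only so the parser has realistic input."""
    host = server_name.encode("ascii")
    # server_name extension body: list length, name_type 0 (host_name), name length, name
    sni_list = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list      # type 0 = server_name
    extensions = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03"                # client_version: TLS 1.2
            + bytes(32)                # random: zeros (constructed, not a real nonce)
            + b"\x00"                  # session_id length 0
            + b"\x00\x02\xc0\x2f"      # one suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            + b"\x01\x00"              # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    # Record header: type 22 (handshake), legacy version 3.1, length.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def build_app_data(ciphertext_len: int) -> bytes:
    """Constructed sample: an application_data record whose payload stands in for
    ciphertext. The analyst sees the length, nothing else."""
    return b"\x17\x03\x03" + struct.pack("!H", ciphertext_len) + bytes(ciphertext_len)


def extract_sni(body: bytes):
    """Return the server_name from a ClientHello body, or None if it has none."""
    p = 2 + 32                                        # skip client_version + random
    p += 1 + body[p]                                  # session_id
    cs_len = struct.unpack("!H", body[p:p + 2])[0]
    p += 2 + cs_len                                   # cipher_suites
    p += 1 + body[p]                                  # compression_methods
    if p + 2 > len(body):
        return None                                   # no extensions block
    ext_total = struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    end = p + ext_total
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[p:p + 4])
        p += 4
        if ext_type == 0:                             # server_name
            # skip list length (2) and name_type (1); read name length (2)
            name_len = struct.unpack("!H", body[p + 3:p + 5])[0]
            return body[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += ext_len
    return None


def parse_records(data: bytes) -> list:
    """Walk a byte stream of TLS records and report only what is visible without keys."""
    out, pos = [], 0
    while pos + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[pos:pos + 5])
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record at offset %d" % pos)
        info = {"type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
                "record_version": "%d.%d" % (major, minor), "length": length}
        if ctype == 22 and len(payload) >= 4:
            hs_type = payload[0]
            hs_len = int.from_bytes(payload[1:4], "big")
            info["handshake"] = HANDSHAKE_TYPES.get(hs_type, "unknown(%d)" % hs_type)
            if hs_type == 1:
                info["sni"] = extract_sni(payload[4:4 + hs_len])
        out.append(info)
        pos += 5 + length
    return out


if __name__ == "__main__":
    stream = build_client_hello("www.example.com") + build_app_data(40)
    for rec in parse_records(stream):
        print(rec)
```

Run stand-alone, the script prints one handshake record with its SNI and one application_data record for which only the length is recoverable; that contrast is the whole point of the thread's "traffic analysis" remark, and it is also why a CDN or load balancer that is handed the session keys can cache while a passive observer cannot.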