- From: Walter H. <Walter.H@mathemainzel.info>
- Date: Mon, 30 Mar 2015 21:32:06 +0200
- To: Mike Bishop <Michael.Bishop@microsoft.com>
- CC: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
- Message-ID: <5519A4B6.506@mathemainzel.info>
On 30.03.2015 02:50, Mike Bishop wrote:

> You're skipping the discussion about why price of the cert is not the cost of running TLS. There's admin overhead in renewing the cert for each domain, there's network infrastructure overhead in providing each domain a unique IP address (because you can't guarantee every client supports SNI, much as we'd like to), and that additional network infrastructure cost means hosting becomes more expensive.

That a server needs more CPU, memory and other resources when sending content using TLS in comparison to just sending it plain, this is true; also it is true that you need someone who renews the certs; also that you need a unique IP address; but it is not impossible doing so, the available resources would be enough, even IP addresses; let me explain a little example at the end, why you are right and more wrong at the same time.

> But fundamentally, the argument was that if HTTP/2 needed to cover the same scenarios as HTTP/1.1,

Not really; or do you really think there is the need of something new that is the same as the old?

Here the example: think of someone or a company that uses the Internet for e-commerce; e.g. presenting his products is public for anybody; this doesn't need to be presented in TLS, but when someone enters data to order the products, this must be done using TLS; comparable to a bank; the presentation of all products of the bank - e.g. interest rates, common terms and conditions, ... - can be presented for the public without the need of TLS, but the service of electronic banking must only be with TLS.

Now think of the "next step": the website shows advertising for which the company gets money, which reduces the hosting costs; this can be done in 2 ways: using a 3rd party, this is less efficient, compare it to a folder together with a newspaper; or without, the most efficient way, compare it to a newspaper that has printed the advertisements anywhere between the news and other information.

Now think of the people that do not want to see the advertisements; with the newspaper it is easy to make them look at the advertisements, just print them anywhere between the news; an enclosed folder with advertisements can be thrown away without being really noticed.

A little analogy: a user can easily block 3rd party advertisements by blocking just these domains; for this it would not make any difference if it is sent plain or encrypted using TLS, because these blockings are domain/host specific; if the advertisements are done without a 3rd party, then a user might block specific URLs - this and the above steps can be done centrally at a proxy server; but when the whole is only sent encrypted using TLS, anybody can only stop the advertisements from being loaded by himself/herself without breaking the end-to-end encryption; a proxy server doesn't help to prevent this, except if it does man-in-the-middle.

So now the question for you: do you really think TLS costs you so much more that any way of reducing the whole hosting costs isn't worth doing TLS?

By the way: can you please read this: https://datatracker.ietf.org/doc/draft-hoehlhubmer-https-addon/ I want this to be an RFC.

Thanks, Walter
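As an added illustration of the point made above about host-based versus URL-based blocking at a proxy (example code written for this archive page; it is not part of the original post or of the HTTP working group's work), the snippet below models what a forward proxy learns from the first request line. For plain HTTP the proxy sees the full URL, so both host rules and path rules can be evaluated; for HTTPS it sees only the `CONNECT host:port` line, so only host rules apply and path rules cannot be evaluated without breaking the end-to-end encryption. All hostnames, blocklist entries and request lines are constructed for the example.

```python
"""Added example: which blocklist rules a forward proxy can apply,
depending on whether the client speaks plain HTTP or tunnels TLS.

All hostnames, rules and request lines below are constructed for
this example and do not refer to any real site or ad network.
"""
from urllib.parse import urlsplit

# Constructed blocklist: one host rule (a third-party ad domain) and
# one URL rule (first-party ads served from the site's own domain).
HOST_RULES = {"ads.example-adnetwork.test"}
PATH_RULES = {("shop.example.test", "/banner/")}


def parse_proxy_request(line: str) -> dict:
    """Return what a forward proxy learns from the first request line.

    Plain HTTP:  "GET http://host/path HTTP/1.1"  -> host and full path
    HTTPS:       "CONNECT host:443 HTTP/1.1"      -> host only; the URL
                 travels inside the TLS tunnel and is invisible here.
    """
    method, target, _version = line.split(" ", 2)
    if method == "CONNECT":
        host, _, _port = target.partition(":")
        return {"method": method, "host": host, "path": None, "tls": True}
    parts = urlsplit(target)
    return {"method": method, "host": parts.hostname,
            "path": parts.path, "tls": False}


def decide(line: str) -> str:
    """Apply host rules first, then path rules where the path is visible."""
    req = parse_proxy_request(line)
    if req["host"] in HOST_RULES:
        # Host-based blocking works for both plain and TLS traffic.
        return "block:host"
    if req["path"] is None:
        # TLS: only the hostname is visible to the proxy; a path rule
        # cannot be evaluated without man-in-the-middle on the tunnel.
        return "allow:path-invisible"
    for host, prefix in PATH_RULES:
        if req["host"] == host and req["path"].startswith(prefix):
            return "block:path"
    return "allow"


if __name__ == "__main__":
    for sample in (
        "GET http://ads.example-adnetwork.test/x.js HTTP/1.1",
        "CONNECT ads.example-adnetwork.test:443 HTTP/1.1",
        "GET http://shop.example.test/banner/top.png HTTP/1.1",
        "CONNECT shop.example.test:443 HTTP/1.1",
        "GET http://shop.example.test/products HTTP/1.1",
    ):
        print(f"{sample:55} -> {decide(sample)}")
```

The fourth sample is the case the post describes: the same first-party banner path that is blocked over plain HTTP passes through untouched once the client tunnels it over TLS, because the proxy only ever sees the hostname.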
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Monday, 30 March 2015 19:32:31 UTC