- From: <P.Lister@cranfield.ac.uk>
- Date: Tue, 10 Jun 97 13:00:04 +0100
- To: Jon Knight <jon@net.lut.ac.uk>
- Cc: P.Lister@cranfield.ac.uk, Shel Kaphan <sjk@amazon.com>, http-wg@cuckoo.hpl.hp.com, ircache@nlanr.net
> Except that the non-https version may be used several times in
> unauthenticated documents and will be cachable whilst the https one won't
> be cachable (if I understand things correctly) and will have to be
> retrieved each and every time. And that's what we should all be working to
> avoid IMHO. The web is too slow much of the time as it is, and this is
> common experience here even though we have a fast SMDS pipe to the rest of
> the world. Pity the poor sods with 28.8K modems behind a congested
> commercial ISP.

Whether an https doc is pulled multiple times depends on the caching policy of the client; there's nothing in SSL which says that client caches can't respect Expires headers or compare checksums to avoid duplication.

Yes, SSL authenticated forms with inlined icons with https are inefficient as SSL implementations currently stand, but regardless of how many times I tell html authors here not to use huge inefficient inline images they still insist on doing so. I have no reason to believe that the designers of bank web forms are any more intelligent.

A doc on best practise should get things right: my point stands that a client which is happy to cache https images for a reasonable length of time *will* do better by reusing the one https image once it has got it - *if* the https GET is inevitable *anyway*. I accept your point that pathological clients are better served by having images served by http, even if that duplicates an icon already obtained by SSL; they are perfectly compatible.

I've just tried an experiment with my test https server and I can confirm that Netscape Navigator WITHOUT persistent SSL caching DOES NOT reload inlined images when the html page is pulled again (though it DOES reload all images when I press Reload for the html). If I move to a different https URI which inlines the same image, the image is NOT reloaded. The mileage of other browsers may vary, but this seems reasonable - and it means that an unauthenticated http referring page *should* refer to the https icon if it's sure that the browser will have that icon loaded already.

Peter Lister                             Email: p.lister@cranfield.ac.uk
Computer Centre, Cranfield University    Voice: +44 1234 754200 ext 2828
Cranfield, Bedfordshire MK43 0AL UK      Fax: +44 1234 751814

The more we look at structures of trust, the more we realise that democracy and subversion are closely related. (Ross Anderson)
Received on Tuesday, 10 June 1997 05:03:41 UTC