W3C home > Mailing lists > Public > www-tag@w3.org > December 2014

Re: Draft finding - "Transitioning the Web to HTTPS"

From: Eric J. Bowman <eric@bisonsystems.net>
Date: Wed, 10 Dec 2014 04:04:18 -0700
To: Tim Bray <tbray@textuality.com>
Cc: Marc Fawzi <marc.fawzi@gmail.com>, Chris Palmer <palmer@google.com>, Bjoern Hoehrmann <derhoermi@gmx.net>, Mark Nottingham <mnot@mnot.net>, Noah Mendelsohn <nrm@arcanedomain.com>, "www-tag@w3.org List" <www-tag@w3.org>
Message-Id: <20141210040418.870f34bba05057346886f0dc@bisonsystems.net>
Tim Bray wrote:
> 
> But I really can’t take seriously the objection that cost is a serious
> obstacle to widespread TLS deployment.
> 

I take it seriously. While your draft makes a good point or two on this
issue, I'd like to offer a couple of counterpoints.

Broken-ness

I've certainly noticed an increase in invalid-cert warnings when using
the Web. I'm not talking about the one-time costs associated with
implementing SNI in a load-balanced, virtual-hosting environment, I'm
talking about the knock-on costs to the small-business content-creator
when third- and even fourth- party PKI implementations are bungled.

Even an expired cert on the part of, say, an ad provider or even an
advertiser using that provider, causes a pop-up warning for users. At
best, the site hosting those ads loses potential click-through revenue.
At worst, naive users assume the problem lies with the site they're
using, and stop using it. Resulting in direct loss of revenue, or
indirect losses stemming from decreased activity on the site.

Browsing through a descriptive link using software that doesn't display
the URL can make it non-obvious to experienced users, that the cert in
question isn't the same domain as the site being accessed. And we all
know that people will just move on, rather than taking a moment to
figure that out.

Hosting costs

It's possible to achieve both low latency and five-nines reliability on
a budget using HTTP, due to the lower implementation cost of redundant
systems based on "obsolete" CPUs. Moving to HTTPS on such hardware comes
with latency increases which may negatively impact profitability due to
user impatience. Avoiding this latency penalty requires encryption co-
processing, i.e. the latest-and-greatest CPUs, increasing hosting costs
at the expense of profitability.

Plus the aforementioned (by me) loss of access to shared intermediary
caching. Going to the next "tier" of bandwidth usage isn't a negligible
cost. Alternatives either come with unacceptable tradeoffs in terms of
control of content, or the most odious TOS I've yet seen for any Web
service (looking at you, CloudFlare), or moving to lesser hosting and
increasing latency/downtime. Fast, reliable, *and* inexpensive hosting
has long been my key to profitable websites, but it's a tightrope walk.

While the overall costs of HTTPS Everywhere to the world-at-large may
be negligible, I'm very much struggling with the cost justification for
small businesses which care about high reliability and low latency.

-Eric
Received on Wednesday, 10 December 2014 11:04:30 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:57:08 UTC