Shop OBEX P1 Docs P2 Docs Learn Events
Researchers quantify the 'S' in HTTPS — Parallax Forums

Researchers quantify the 'S' in HTTPS

Ron CzapalaRon Czapala Posts: 2,418
edited 2014-12-10 06:18 in General Discussion
http://www.zdnet.com/article/reseachers-quantify-the-s-in-https/

Summary:​What value can be placed on the letter 'S'? If it's the 'S' in HTTPS, it could equate to a loss of productivity due to increased latency, greater battery drain for certain connected devices, and the loss of in-network value-added services, according to new research.

Researchers from Pittsburgh's Carnegie Mellon University, Polytechnic University di Torino in Italy, and the research and development arm of Spain's Telef

Comments

  • Heater.Heater. Posts: 21,230
    edited 2014-12-08 07:14
    Well, talk about stating the obvious.

    Those secret handshakes insert extra round trip latency. All that cyphering and decyphering adds to compute load hence power consumption.

    My guess is that for most web sites the increase in page load times due to HTTPS is almost insignificant when compared to all the to'ing and fro'ing that is going on as the page calls up support from advertisers, and analytic services, fetches piles of useless corporate images, FLASH animations and God knows what other junk.

    Similarly the processing overhead is lost in the noise of all the said image display, CSS transistions, other animations, and piles of useless JavaScript spying on you.

    I'd like to see some comparisons done along those lines.
  • LoopyBytelooseLoopyByteloose Posts: 12,537
    edited 2014-12-08 07:44
    Oh, I guess they are trying to say there is 'bloat' in the code. That's why I try to work with the older, simpler stuff --- C rather than C++, and so forth. For the new learner or the hobbyist, often the most up-to-date software is a vast maze of documentation and libraries.

    There are some advantages to using older solutions, even when considered obsolete == more fun, less time trying to seek leading edge mentoring. Or just a better entry point into a topic that has evolved to be rather complex.

    So try HTTP first before learning HTTPS.
  • Martin_HMartin_H Posts: 4,051
    edited 2014-12-09 19:12
    Where I work we use hardware SSL accelerators and don't care about the MIPS. Problem solved.
  • Heater.Heater. Posts: 21,230
    edited 2014-12-09 19:54
    Martin,

    How do those hardware SSL accelerators compare to just using your regular CPU? I thought modern x86 chips had support for accelerating encryption built in now a days.

    The article hints at latency and power consumption issues that are bit more subtle than I thought.

    The obvious extra latency is in the extra handshaking required to get a secure connection up. But it gets worse. Because all the data on the line is encrypted none of it can be cached by proxies on the way. That means everything has to come all the way from the server increasing round trips and load times.

    That in turn means the mobiles radio has to be powered up all the time which sucks battery life.

    That's on top of the extra power drain required to do the encryption.

    My view is that if your website is making use of a lot of intermediate caching to get page load times down then that implies a lot of it is not useful information. Like for example those big corporate banners and pictures of pretty smiling girls wearing head sets that corporate sites use to represent their wonderful help desk service.

    Just get rid of all that dross.
  • Martin_HMartin_H Posts: 4,051
    edited 2014-12-10 02:46
    Heater, I imagine a CPU with encryption support would be helpful, but I don't know how much of the SSL protocol it understands versus just making parts of it faster. The accelerators are built to perform session key negotiation, and afterwards use the session key itself. They're to SSL as a GPU is to graphics.

    For financial data we don't have an option, it all has to be encrypted because it is considered both economically valuable, customer confidential, and uncacheable. Browsers also won't display the locked icon if any part of a page secured by SSL is in the clear, so everything on the page with it is also served via SSL. Including corporate banners and smiling mom with baby.

    Plus it is an absolute requirement that all financial sites must have plenty of smiling pictures of a mom and baby to remind parents to open a 529 college savings account, and buy life insurance. All over SSL.
  • Heater.Heater. Posts: 21,230
    edited 2014-12-10 04:26
    I would imagine they don't have to understand much of the SSL protocol. If generating and using those keys is the big time waster then accelerating those parts gets you a big boost even if higher levels of the protocol are done on your general purpose CPU. Much like the way that a GPU accelerates the graphic rendering of your game but not the higher levels of the game logic.

    Speaking of GPU's it seems that people are working on GPU shaders that accelerate SSL !

    The need for encryption in financial institutions and elsewhere is clear. I could do without the smiling babies though.

    Now, given that SSL is so critical to banks and other big money institutions task of delivering smiling baby pictures how come they never thought to review the code that this massive infrastructure stands on? See Heartbleed etc.
  • Martin_HMartin_H Posts: 4,051
    edited 2014-12-10 06:18
    My employer was not effected by Heart bleed.

    Open source software is a bit controversial at financial firms. They like saving money on software, but they don't want to contribute or review it for liability reasons. They often pay third parties to productize it and assume liability for them to avoid this.
Sign In or Register to comment.