This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Proposed patch for web site: update most links to HTTPS


Adam Dinwoodie wrote:
Secure connections historically had a high overhead, sure, but that's
very rarely the case nowadays.  Certainly my experince of loading the
Cygwin web page is that there's no perceptible difference between the
http and https versions.  Adam Langley (a senior engineer at Google)
wrote an article back in 2010 about how TLS is now computationally
cheap[0]; it's only gotten cheaper since.
----
Google talking about benefits of https everywhere is a bit like the government telling us that having 'banks' create the rules
for how we use money is "impartial".

https slows down the entire web -- you think not by much -- and that's
because no one knows what the speed is like if everything that could
be cleartext, was.  Sure crypto speedups have been added to HW, but
speedups in communications HW has speed up as well.  So encryption speed
has gone up 100-200%, in the past decade, but in the past decade
communication speeds have gone up from 100Mb-> 10Gb @ home and ~1Mb -> 50-100Mb over the external net -- that's a 1000% speedup @ home
to a 5000-10000% speedup externally.  That means more and more
of that speed is being lost to crypto which can't keep up and be secure
because it is expensive to do the computations.

A different example: When I first started regular backups, I used gzip on default settings and thought my 5MB/s was 'normal'. As my network went
up by 100x, I was still getting <10MB/s in backup speed.  The bottleneck
was the compression -- even fast compressors like lzo limit backups to
less than 20-30MB/s.  Compare that to uncompressed speeds:  200-400MB/s.

At the very least, the Cygwin website should be using protocol-
independent links, meaning users accessing the website using https
aren't switched to http when they click on a link (i.e. link to
"//cygwin.com/path/to/page" rather than "https://cygwin.com/..."; or
"http://cygwin.com/...";).  But I agree with Brian: the Cygwin website
should use https everywhere unless there's some good, specific reason
why it's a bad idea.  And "TLS is slow" hasn't been a good reason for
years.
---
Compared to the latency it induces over the net, and the increases in net
speed, it's getting slower and slower and the penalty is getting worse
by the year.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]