2

Living in Syria, I feel really unhappy when a (Facebook, G+, Twitter... etc) plugin doesn't work on 90% of the web.

The problem is that these (social) websites are not welcome in Syria (gov decisions), but still work perfectly using https. However, because their plugins use relative protocols, and most websites use http, then these plugins will eventually try (and fail) to load using http.

The question is: Why ever use relative protocols if you can use https?, isn't it always better to use https and have your users' data transferred securely?

I don't think giant websites care about https overhead, so what am I missing about the whole thing?

Community
  • 1
  • 1
Tamer Shlash
  • 9,314
  • 5
  • 44
  • 82
  • Browsers often warn about mixed HTTP and HTTPS content on the pages. – Barmar Dec 29 '13 at 17:01
  • Check out this answer as to why SO isn't all HTTPS - a couple of years old but some of the points will be general to a lot of sites: http://meta.stackexchange.com/a/69177/241749 – SilverlightFox Dec 30 '13 at 11:33

2 Answers2

1

The only reason I find for not using SSL (HTTPS) is performance if you want to have responses within say 300ms.

The SSL hanshake could take a few rount-trip-time's that could add from very few ms in the same region (say client and server both in US East) up to 600 ms or more sometimes. I'm in South America so it could take more sometimes with servers in US.

Even when the sequence diagram looks simple, TCP has an initial congestion window that makes the protocol require at least one more RTT (round trip time) for the server to send the complete certificate to the client. Except for servers that change this initial congestion window (cwnd).

Additionally, the SSL protocol is more complex and there could be a "Change Cipher Spec message" that requires an additional RTT.

After SSL handshake, the extra work happens in the server and client encrypting and decrypting with a symmetric key. But it's not critical in my experience (maybe 5% of total CPU utilization).

My comment is useful for web services. Now, if we talk about web sites, I'd do everything with HTTPS.

rodolk
  • 5,606
  • 3
  • 28
  • 34
0

when we look at the https squence diagram http://blog.expressionsoftware.com/2011/02/https-sequence-diagram.html

we see that only the client's first requests (the handshaking step) is the overhead.

so I agree with you it is always better to use https...

maybe the missing thing is you still don't want to believe that people are lazy and don't care about the quality :)

this can be read too... http://www.codinghorror.com/blog/2012/02/should-all-web-traffic-be-encrypted.html

Serdar
  • 1,416
  • 2
  • 17
  • 43