
Migrating your site to HTTPS may be a bad idea - andrewwidjaja
https://medium.com/@andrewwidjaja/why-migrating-your-site-to-https-may-be-a-bad-idea-9d69d8c27fca
======
pfg
This article leaves out a couple of important things. First, session
resumption and TLS False Start reduce the number of round trips required for a
TLS handshake to one, both for new and returning clients. TLS 1.3 even allows
for zero-RTT handshakes (at the expense of things like replay attack
protection).

> How do we reduce the time to establish a secure connection? The simplest way
> to solve this is to terminate the TLS connection close to the user using a
> CDN edge, but this would mean the data travelling between the CDN edge and
> the site’s server is unencrypted and thus not secure.

This is not correct. CDN edge nodes typically establish persistent connections
(HTTP keep-alive) with the backend servers, which would avoid extra TLS (and
TCP) handshakes.

------
HenryBemis
Ok.. 1 second delay.. yes that totally outweighs the concerns covered by
encryption, privacy, security and the ability not to be snooped by anyone "on
the way".

I know that there is a large attack surface (the connection ends being
compromised, the latest online bank-heist in Brazil), funky certificates, and
so on and so forth.. but going back from encryption because of 1 second??

------
patrickmn
I hope everyone enables TLS particularly now that LetsEncrypt has made it so
easy. If you're worried about latency, put your server in the region of the
world with the most traffic, and Don't Worry About It unless you see
measurably different bounce rates across regions, at which point the solution
should be to set up another server, not stripping TLS. That aside...

I'm curious if there's a difference between latency-related bounces on the
initial page load vs. the first interaction on the page. Take Google for
example: They lose users if search results come back slowly. But is the same
true if the front page loads in 500ms?

On that note, do non-technical users even realize that when they click a link,
they are waiting on the destination server to respond?

------
colinbartlett
I really cannot agree with this post at all. HTTPS is not an option. Full
stop. This post gives terrible advice and conflates two unrelated
requirements.

Yes, speed is important but decouple these two points. Nobody would say,
"Eating food might be a bad idea because food can make you fat."

------
cagataygurturk
Google announced that in the near future http sites would be marked as
non-secure by default. Also HTTP/2 is the future and requires HTTPS. I don’t know
why one would propagate the idea of staying at HTTP in this circumstance.

------
headconnect
When considering the problem is compounded by all the necessary resources
required to actually display the content the user is wanting to reach, I can't
help but think that the additional overhead for https is negligible in the
grand scheme of things.. Not sure what the data says on 4.5s vs 5s, but as a
user I would think slow is slow..

------
uwu
> [flagged]

really?

i thought flagging was for spam, not for super-downvoting articles you don't
agree with

how many legitimate posts have been hidden from me because people
super-downvoted it using flagging?

unless the posts are hidden manually by staff which i hope is the case

~~~
colinbartlett
Yeah that seems strange. I hope a mod can unflag this because there's nothing
spammy or off topic about it.

------
brudgers
One aspect of HTTPS is that using it more or less amounts to obtaining
permission. Theoretically, a site can provide its own certificate. In
practice, browsers will refuse the first request to connect to a site when the
certificate is not from a pre-approved list of certificate providers.

While it is generally possible to receive a free certificate from a trusted
provider today, that does not mean that things won't change in a month or a
year or five years.

------
sidcool
The advantages of HTTPS significantly outweigh plain text transport. A couple
second delay is nothing. Not convinced.

------
frik
On HN the comments are skewed towards TLS. The reason varies: some experienced
bad ISPs that inject or replace ads, some are driven by an agenda, etc.

But in the real world when you travel around you will face HTTPS websites you
cannot access because your company fucked up the network (replaces certs),
countries force you to use software to replace the certs, country-wide
firewalls that make HTTPS ultra-slow.

Outside of the SV bubble, many sites just offer HTTP and HTTPS. And that's
good. After all, many websites just present some text and pics, and you don't
have to input any data at all - if you don't rely on some evil ISP, HTTP is
enough for that. And even Amazon.com was HTTP-only (beside the login page)
from 1994 to 2016. It's time to change your ISP, if you are unhappy with it.

------
pedrorijo91
Even if it would take 10 more seconds, I would still go for HTTPS for sure.
Would you buy a new PC on a website without HTTPS? Good luck, buddy.

And who hosts servers in Australia? (Lovely country, but a bit far from the
rest of the world no?). At least do the benchmark with servers/users from
USA/EU (and possibly Asia if you have enough visitors from there).

This title/post is clearly meant to create a rage post and get visibility.
Shame...

------
amyunus
No it is not

