Hacker News new | comments | show | ask | jobs | submit login
HTTPS is hurting users far away from your servers, and what to do about it (finkelstein.fr)
44 points by antoinefink 1 hour ago | hide | past | web | 35 comments | favorite





There is also another problem on how much and how often is Googlebot indexing your site because your site speed is one of the factors of so called Google index budget. My users are in Germany so my VPS is also in Germany to be fast for local user (~130ms for http reply), but for US Googlebot is my site slow (~420ms for http reply). So you are penalized also for this.

reply


Hi - I know some tools report a slow site in this case, but these reports are not accurate - don't believe them! Google is not that stupid ! :D

I am currently working as a dev in an SEO-Agency (in Austria), and we never believed this hypothesis - so we tested this once with a bunch of our sites:

When moving sites with a German speaking audience to a VPS in America, your rankings at google.de/google.at will decrease (slightly - the effect is not that big) - the other way around your rankings will improve (slightly).

However - even if your rankings would improve when moving to America I would recommend keeping your sites hosted in Europe: The increase in rankings will not offset the decrease in user satisfaction and therefore the decline in your conversion rates.

reply


couldn't you make the indexable portion of your site fast and static and make it go to a relevant local server once users log in?

reply


Isn't this somewhat compensated for by the extra credit Google gives you for using SSL?

I would also assume that Google is smart enough to take the physical location of your server into account when calculating how much penalty to apply in which searches. Sites that load fast in Germany should have higher ranks in searches from Germany.

reply


There are a couple of other things you can do with existing TLS technology that can improve your latency, e.g. using OCSP stapling, use modern crypto so browsers may use TLS false start, avoid too many ciphers or unnecessary certs in the chain to make the handshake smaller.

It's a bit older, but here's some info, much of it is still valid: https://istlsfastyet.com/

reply


If you're worried about a proprietary solution, you could host your own cache server in Australia or wherever your customers are having trouble.

reply


Yeah, at a $200/mo cost, you could spin up a few VMs on DigitalOcean, Vultr or LightSail which have decent bandwidth and cache from there.

Nice part about cloudflare though is that they can use anycast to determine location and then send the closest server IPs. For sub-$200/mo, you're not able to do that, you'd have to find a provider that could do it for you, I'm not sure anyone offers country-based anycast DNS alone.

EDIT: Looks like easyDNS enterprise may be able to do it, https://fusion.easydns.com/Knowledgebase/Article/View/214/7/... for about $12.75/mo too. Might be a decent way to brew your own mini caching CDN for fairly cheap.

reply


You can also use Route 53 for the same purpose, for a tiny premium on the standard rates for name resolution. (See latency based routing queries and geo DNS queries below, plus health checks for failover.)

https://aws.amazon.com/route53/pricing/

reply


One round trip over the course of the time that the user is using the same OS/browser installation isn't much.

The Cloudflare Railgun is an interesting solution, and one that could be implemented in the context of an SPA over a websockets connection. Or conceivably some other consumer of an API.

reply


I don't understand why I need to use https on a static marketing webpage. No login stuff, no JavaScript, nothing. Just straight up HTML and CSS. Right now I need to pay about $150 every year for something that's only used to satisfy Google PageRank (I can't use LetsEncrypt with my hosting provider). Why?

reply


Keeping it extremely high level:

Among other reasons, not encrypting traffic gives an opportunity for bad actors to replace content in transit to your end users when your end users are on compromised connections, such as rogue "free" wifi networks in airports or coffee shops, or even legitimate networks which have in some way been compromised, e.g. the ISPs of the world who decide to inject other content e.g. their own ads into unencrypted traffic.

The next question is usually "what could they possibly do, change a few pictures?"

They could inject malicious payloads, and for all your users would know, it would appear to them that it came from your site.

> I can't use LetsEncrypt with my hosting provider

Consider switching. For a static site, consider Gitlab; they do a good job of permitting LetsEncrypt.

---

I sincerely appreciate the question, though. I have marketing people ask me this question all the time in private who hesitate to do so in public because quite a few security types berate them for not doing something "obviously" more secure. It's not at all obvious to most of the world's web designers and content creators that a static site should be TLS'd until it's framed (heh) in this manner. The fact that you asked brings about a massive educational moment.

Anyway, consider switching hosts. :)

reply


Using netlify with ghpages is extremely fast because of their CDN, A+ on ssl labs, and free.

reply


May I add an example. Let's say you are a drug company and you offer a number of different drugs. With TLS I only know that you are interested in a drug that company produces or the company itself, without it I know you or someone you care about has erectile dysfunction.

reply


No that is not all an attacker could know. TLS does not provide confidentiality of the number of bytes transmitted. So in your example an attacker would only have to crawl the public website and find the pages matching in size to the ones you have been browsing.

reply


Good point I hadn't considered that.

reply


Here's why: Many ISPs hijack HTTP connections and inject ads and tracking JS into the page. If you don't use HTTPS, your page is screwed.

The Internet is not a safe place. We should aim for HTTPS EVERYWHERE.

reply


Also transcoding images to be terrible quality. If you care about your images not looking like crap, you should serve them over HTTPS.

reply


This is a really good point. Usually we talk about protecting against a third party, but the far more ordinary use case is protecting against the adversary right on the other side of your router.

reply


> Many ISPs

I think that's a bit sensationalist.

reply


It's not, it happens at a ton of coffee shops, on airplanes, etc, etc. Probably not ISPs you buy home internet from, but there are a lot.

reply


Maybe it is even worse when it is just few - people won't know that website creator isn't responsible for all of its content. And sometimes is hard to know who is the culprit like in https://news.ycombinator.com/item?id=12091900 .

Is there any solution other than totally killing HTTP that protects from HTTPS stripping attacks? HSTS won't protect first visit and STS preload lists can only be so large.

reply


Verizon, Comcast, and Rogers have done it, that we know of. In North America that's a very large proportion of traffic.

reply


Vodafone in the UK did this to me.

reply


Yeah, why are you using a bad hosting provider?

reply


Legacy and one of the only hosting providers in my country. I don't want to risk worse localized SEO by hosting it outside.

reply


I've been reading up on localisation SEO lately - as far as I understand, Google only uses "server IP is located in X country" as an indicator of where a site might be localised for, if it can't get any better information.

For example, if you're using a ccTLD for the domain, or if it's a generic-TLD and you declare a country in Google Webmaster Tools, that will be a much stronger weighting.

Of course, if that's wrong I'd love to know!

reply


Thank you. The actual web app is hosted on Linode in Frankfurt (using LetsEncrypt for https) so maybe I should host the marketing page there as well if that's true.

reply


Most of the answers you're getting aren't all that big of deal for your site. You still might want https though.

You should think about https for sites like yours the way you think about vaccines. SSL everywhere makes everyone safer, even though it doesn't have a tremendous impact on your own site.

Also, shameless plug, if you want really easy SSL you can use our new startup: https://fly.io. I'm not sure what country you're in, but we have a bunch of servers all over to help make it fast. :)

reply


If you have a marketing webpage, you might have a link to signup or login pages. If you can hijack the index page you'll also be able to hijack the links.

reply


Even if you don't have signup or login pages, a MITM attacker can add them. Or they could add a "buy now!" link with a convenient entry form for the user's bank details. The relevant question isn't what your page has that's so important, but rather what an attacker could make it have that would cause trouble.

reply


A related interesting topic is the possibility of secure cache servers that don't break the secure channel with "blind caches". Currently just a RFC draft and probably a long time from mass adoption, but nevertheless interesting.

https://tools.ietf.org/html/draft-thomson-http-bc-00, and Ericsson's article on it https://www.ericsson.com/thecompany/our_publications/ericsso...

reply


I really enjoyed the coverage of the same topic in High Performance Browser Networking[0]. It effectively explains the key performance influencers across various networks without being boring.

[0]: https://hpbn.co/

reply


This post seems misinformed on quite a few levels, but I'll just pick one to criticize:

What's wrong with the cloudflare free plan? You can host a static site on github pages with a custom domain and use the free cloudflare SSL cert.

reply


The "Railgun" feature mentioned in the article is only available in some paid plans. Using the free plan wouldn't keep an open connection between your servers and Cloudflare's. It does improve the situation by terminating users' handshakes early, using better links, warm DNS cache, etc. among servers. But the latency hard limit is still present between your server and CF. Skipping https between your server and CL is not an option either for any site transferring user data.

reply


Without Railgun, there's no guarantee that the CloudFlare nodes will have an open socket to your origin server, so your visitors may still have to pay the cost of the round-trip.

reply




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: