Hacker News
[flagged] Migrating your site to HTTPS may be a bad idea (medium.com)
13 points by andrewwidjaja 214 days ago | 13 comments



This article leaves out a couple of important things. First, session resumption and TLS False Start reduce the number of round trips required for a TLS handshake to one, both for new and returning clients. TLS 1.3 even allows for zero-RTT handshakes (at the expense of things like replay attack protection).

> How do we reduce the time to establish a secure connection? The simplest way to solve this is to terminate the TLS connection close to the user using a CDN edge, but this would mean the data travelling between the CDN edge and the site’s server is unencrypted and thus not secure.

This is not correct. CDN edge nodes typically establish persistent connections (HTTP keep-alive) with the backend servers, which would avoid extra TLS (and TCP) handshakes.


Ok.. 1 second delay.. yes that totally outweighs the concerns covered by encryption, privacy, security and the ability not to be snooped by anyone "on the way".

I know that there is a large attack surface (the connection ends being compromised, the latest online bank-heist in Brazil), funky certificates, and so on and so forth.. but going back from encryption because of 1 second??


I hope everyone enables TLS particularly now that LetsEncrypt has made it so easy. If you're worried about latency, put your server in the region of the world with the most traffic, and Don't Worry About It unless you see measurably different bounce rates across regions, at which point the solution should be to set up another server, not stripping TLS. That aside...

I'm curious if there's a difference between latency-related bounces on the initial page load vs. the first interaction on the page. Take Google for example: They lose users if search results come back slowly. But is the same true if the front page loads in 500ms?

On that note, do non-technical users even realize that when they click a link, they are waiting on the destination server to respond?


I really cannot agree with this post at all. HTTPS is not an option. Full stop. This post gives terrible advice and conflates two unrelated requirements.

Yes, speed is important but decouple these two points. Nobody would say, "Eating food might be a bad idea because food can make you fat."


Google announced that in the near future HTTP sites would be marked as non-secure by default. Also HTTP/2 is the future and requires HTTPS. I don’t know why one would propagate the idea of staying at HTTP in this circumstance.


When considering the problem is compounded by all the necessary resources required to actually display the content the user is wanting to reach, I can't help but think that the additional overhead for https is negligible in the grand scheme of things.. Not sure what the data says on 4.5s vs 5s, but as a user I would think slow is slow..


> [flagged]

really?

i thought flagging was for spam, not for super-downvoting articles you don't agree with

how many legitimate posts have been hidden from me because people super-downvoted it using flagging?

unless the posts are hidden manually by staff which i hope is the case


Yeah that seems strange. I hope a mod can unflag this because there's nothing spammy or off topic about it.


One aspect of HTTPS is that using it more or less amounts to obtaining permission. Theoretically, a site can provide its own certificate. In practice, browsers will refuse the first request to connect to a site when the certificate is not from a pre-approved list of certificate providers.

While it is generally possible to receive a free certificate from a trusted provider today, that does not mean that things won't change in a month or a year or five years.


The advantages of HTTPS significantly outweigh plain text transport. A couple second delay is nothing. Not convinced.


On HN the comments are skewed towards TLS. The reason varies; some experienced bad ISPs that inject or replace ads, some are driven by an agenda, etc.

But in the real world when you travel around you will face HTTPS websites you cannot access because your company fucked up the network (replaces certs), countries force you to use software to replace the certs, country-wide firewalls that make HTTPS ultra-slow.

Outside of the SV bubble, many sites just offer HTTP and HTTPS. And that's good. After all, many websites just present some text and pics, and you don't have to input any data at all - if you don't rely on some evil ISP, HTTP is enough for that. And even Amazon.com was HTTP-only (beside the login page) from 1994 to 2016. It's time to change your ISP, if you are unhappy with it.


Even if it would take 10 more seconds, I would still go for HTTPS for sure. Would you buy a new PC on a website without HTTPS? Good luck, buddy.

And who hosts servers in Australia? (lovely country, but a bit far from the rest of the world no?). At least do the benchmark with servers/users from USA/EU (and possibly Asia if you have enough visitors from there).

This title/post is clearly meant to create a rage post and get visibility. Shame...


No it is not



