[Nottingham] How ISP shenanigans hampers your browsing experience.

Wed Jan 7 09:29:41 UTC 2015

* on the Tue, Jan 06, 2015 at 12:03:35PM -0800, Michael Quaintance wrote:

>> I think the point is that in the not too distant future, if you visit a
>> website over HTTPS, then you'll probably be using SPDY/HTTPv2, but if
>> you visit one over HTTP you'll be stuck on HTTPv1, without all the nice
>> pipelining and compression stuff [1]. So, although it is not strictly a
>> "HTTP vs HTTPS" test, it *is* a test comparing what you will see in the
>> real World when visiting a HTTP website vs what you will see when visiting
>> an average HTTPS website once SPDY/HTTPv2 gain traction [2].
>
> Not really, simply because the sticking plasters that are used today
> to improve performance of high-traffic HTTP/1.1 sites will likely
> still work and still be used when SPDY or HTTP/2 are more prevalent.
> The test ignores these which downplays the speed of the HTTP part of
> the test. Certainly, HTTPS sites will not be significantly slower and
> will likely be a little to a lot faster.

I don't think many websites use these techniques to speed things up to be
honest. Things like domain sharding, css sprites, minification, gzip
compression, cookie-less domains, async javascript loading and expires
headers. Heck, most sites seem to have no problem with pulling in 50 images
for a single page load, and content from 15 different domains to get social
buttons and tracking scripts added to their sites, with no thought to the
dismal performance that will lead to. Very few website designers and
sysadmins seem to be aware that these issues even exist, let alone how to
deal with them. The good thing about HTTPv2 is that it deals with some of
these issues transparently such that neither the sysadmin nor the website
designer needs to do anything to get direct and visible benefits.

>> [2] It shouldn't take long for SPDY/HTTPv2 to become the majority of
>> HTTPS traffic. All it requires is for admins to upgrade their web servers
>> and for people to upgrade their web browsers.

> "People to upgrade their web browsers" was the fatal flaw in any web
> innovation not so long ago, but with auto updates of Chrome, Firefox,
> Safari, etc that's not such a problem any more.
> 
> What I'm not seeing in the real world but I did predict some time ago
> (and could still happen) is traffic shaping to slow encrypted traffic
> so as to hide the DPI on unencrypted traffic and possibly even to
> hamper HTTPS solely to put people off using it.

I think that would be a very risky thing for any ISP to do in the UK. If
they were found out, (and they would be), it would be very difficult for them
to justify it. They would have to build a massive whitelist too; there are a
lot of big websites out there now which only work over HTTPS. People are going
to be pissed off if their ISP makes it difficult for them to do online banking,
use their social networks, or check their email.

-- 
Mike Cardwell  https://grepular.com https://emailprivacytester.com
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3   B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1   BF1B 295C 3C78 3EF1 46B4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 598 bytes
Desc: Digital signature
URL: <http://mailman.lug.org.uk/pipermail/nottingham/attachments/20150107/82f59633/attachment.pgp>