Is https always a good idea?

Have you noticed how many large websites now use https for all their webpages? This has trended up in recent years as a reaction against increased malware and other attacks. It has reached the point that Chrome will show that a webpage is “insecure” if it just uses the default http. This appears where the padlock symbol sits, on the left-hand side of the address bar that shows the URL of the webpage.

Here’s the underlying issue. When http is used, and you fill out stuff on a page and press Submit (or similar actions), what is sent to the web server is plaintext. Anyone who gets your upload to relay onwards to the server can read it. Https prevents that.
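To make the plaintext point concrete, here is an added example (not part of the original article) that submits a form over plain http to a listener on the loopback interface and then recovers the fields from the raw bytes, exactly as any relay holding those bytes could. The path `/login`, the field names and the values are constructed for illustration.

```python
import re
import socket
import threading
import urllib.parse
import urllib.request


def capture_plain_http_post(form_fields):
    """POST form_fields over plain http to a loopback listener; return the raw bytes it saw."""
    listener = socket.create_server(("127.0.0.1", 0))  # ephemeral port, loopback only
    port = listener.getsockname()[1]
    captured = bytearray()

    def serve_once():
        conn, _ = listener.accept()
        with conn:
            conn.settimeout(5)
            while True:  # read until the headers and the declared body have arrived
                chunk = conn.recv(4096)
                if not chunk:
                    break
                captured.extend(chunk)
                head, sep, body = bytes(captured).partition(b"\r\n\r\n")
                match = re.search(rb"(?i)content-length:\s*(\d+)", head)
                if sep and len(body) >= (int(match.group(1)) if match else 0):
                    break
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")

    worker = threading.Thread(target=serve_once, daemon=True)
    worker.start()
    data = urllib.parse.urlencode(form_fields).encode("ascii")
    # Ignore proxy environment variables so the request stays on loopback.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(f"http://127.0.0.1:{port}/login", data=data, timeout=5) as resp:
        resp.read()
    worker.join(5)
    listener.close()
    return bytes(captured)


def fields_visible_on_wire(raw_request):
    """Parse the request body the way anyone holding the bytes could; no key is needed."""
    _, _, body = raw_request.partition(b"\r\n\r\n")
    return dict(urllib.parse.parse_qsl(body.decode("ascii")))


if __name__ == "__main__":
    # Constructed sample form values.
    raw = capture_plain_http_post({"user": "alice", "password": "constructed-secret"})
    print(raw.decode("ascii"))
    print(fields_visible_on_wire(raw))
```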

But what about pages that are purely informational? You actually want as many to read those as possible. Especially if such a page has no boxes in which the reader types in text that is uploaded to the server.

In practice, many security experts now suggest you use https for all the pages on your site, including those at Google, which makes Chrome.

This is an overreaction. You should only https pages where readers can input data to be sent to the server. And, if you are sure, perhaps only those pages where data might be sensitive.

2 reasons. First. I grew up with programming where we were taught that good coding meant reducing unnecessary computation. Your program was better if it achieved the same result with fewer steps. This far predates programming. Computer science is the bastard child of electrical engineering and mathematics. Though each field often tries to claim CS as its sole child. In maths, a solution is considered more elegant if it has fewer steps than an alternative.

It’s not just maths. Talk to a chemist or physicist. In chemistry fewer steps often means higher yield because you lose reagent at each step. The fewer steps you do, the more product you get.

Second. Environment. The main reason. https is always more computation than http, given the same page. https is a way of encrypting data to be uploaded from the page, and for the server to decrypt it. There is a performance penalty of about 5%. This is not magic. That penalty equates to using 5% more electricity on both the client computer and server.

Of course, most users don’t explicitly see this. But it adds up. The Internet uses 10% of the world’s electricity. 5% of 10% is 0.5%. A lot of electricity that is mostly wasted.

Think globally. Act locally.

It’s not just about recycling soda cans. Wasted electricity is needless global warming. You might know others who reduce their air travel because it is very energy intensive. Or drive smaller cars, electric or not.

Also, consider future trends in electricity use. Solar and wind power are rising rapidly. We might be on the verge of almost free electricity in much of the world in a few years. This means more use. And when electricity is used, more heat is generated, especially in data centers where web servers sit.

Much of the use is and will be good and necessary. Air conditioning for developing countries. To make their cities livable in hotter days and nights. Powering electric cars and planes, so petrochemicals can be used for other things.

But currently, https gets a free pass from such scrutiny.

Solutions

If you are a web coder, consider whether you really need all your webpages to use https. If many of those pages are informational only, then you have a 5% saving you can take to your bosses. At the most basic level, your firm can support 5% more visitors for the same level of resource use at the data center that you are paying for.

If you read webpages and see this, maybe jot off a query to the site.

If you work at a group coding a browser (Chrome?), bring this up with your bosses. Do you want to be aiding and abetting global warming?

Replies from readers

Some readers suggested that Google will increase the ranking in their search results for sites that do https for all pages. But this is circular. Rather than have Google improve the logic of its rankings, this lets Google impose an arbitrary condition that is computationally and environmentally wasteful.

No one challenged my assertion about why you would https a page with no reader input. This is just wasteful. Unnecessary encryption and decryption. There is nothing for an eavesdropper to harvest via a Man in the Middle attack. Some readers just handwaved saying there were other factors involved. If so, then elaborate why this makes https over all pages necessary to avoid MITM.

Some pointed out that if you go to a hotspot (WiFi) and go to a website that uses http, the hotspot could do ad injection on http pages. These are 3rd party ads on the top or sides of the page. The center of the page has the original read-only page from the site that you wanted to go to. Sure, some readers might not want these ads. But others don’t mind. Someone else at the hotspot who sees ads injected might buy from those.

Plus. The ads are a source of income for the hotspot, which might be an indie coffeehouse. If most sites go all https, the ads can’t be injected. The hotspot host makes no money. Unless it can afford to subsidise the free hotspot with its other businesses, it might just remove the hotspot. If you are the developer imagining yourself as a hotspot user and wanting “privacy”, so you code all https, then a result can be no hotspot.

The other thing is that if you don’t prefer ads in sites, note that Google makes $billions off ads. It runs a vast network of ads which it inserts into 3rd party sites. When Google has Chrome mark sites as insecure if they have http pages, this can be seen as trying to suppress competing ad networks.

Dr Wes Boudville (wesboudville@gmail.com)

Founder Linket.info

Inventor. 20 US patents on cellphones. Founded linket.info for mobile brands for users. Linket competes against Twitch and YouTube. PhD physics.