From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 17584 invoked by alias); 27 Apr 2016 05:36:01 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 17565 invoked by uid 89); 27 Apr 2016 05:36:00 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-0.2 required=5.0 tests=BAYES_50,RP_MATCHES_RCVD autolearn=ham version=3.3.2 spammy=H*F:U*cygwin, decade, encryption, H*r:192.168.3 X-HELO: Ishtar.sc.tlinx.org Received: from ishtar.tlinx.org (HELO Ishtar.sc.tlinx.org) (173.164.175.65) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with (AES256-GCM-SHA384 encrypted) ESMTPS; Wed, 27 Apr 2016 05:35:49 +0000 Received: from [192.168.3.12] (Athenae [192.168.3.12]) by Ishtar.sc.tlinx.org (8.14.7/8.14.4/SuSE Linux 0.8) with ESMTP id u3R5ZiU5060002 for ; Tue, 26 Apr 2016 22:35:47 -0700 Message-ID: <57204FB0.7030201@tlinx.org> Date: Wed, 27 Apr 2016 10:18:00 -0000 From: Linda Walsh User-Agent: Thunderbird MIME-Version: 1.0 To: cygwin@cygwin.com Subject: Re: Proposed patch for web site: update most links to HTTPS References: <1074467721.20160425030008@yandex.ru> <48360918.20160425084918@yandex.ru> <20160425124332.GO2345@dinwoodie.org> In-Reply-To: <20160425124332.GO2345@dinwoodie.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-IsSubscribed: yes X-SW-Source: 2016-04/txt/msg00615.txt.bz2 Adam Dinwoodie wrote: > Secure connections historically had a high overhead, sure, but that's > very rarely the case nowadays. Certainly my experince of loading the > Cygwin web page is that there's no perceptible difference between the > http and https versions. Adam Langley (a senior engineer at Google) > wrote an article back in 2010 about how TLS is now computationally > cheap[0]; it's only gotten cheaper since. ---- Google talking about benefits of https everywhere is a bit like the government telling us that having 'banks' create the rules for how we use money is "impartial". https slows down the entire web -- you think not by much -- and that's because no one knows what the speed is like if everything that could be cleartext, was. Sure crypto speedups have been added to HW, but speedups in communications HW has speed up as well. So encryption speed has gone up 100-200%, in the past decade, but in the past decade communication speeds have gone up from 100Mb-> 10Gb @ home and ~1Mb -> 50-100Mb over the external net -- that's a 1000% speedup @ home to a 5000-10000% speedup externally. That means more and more of that speed is being lost to crypto which can't keep up and be secure because it is expensive to do the computations. A different example: When I first started regular backups, I used gzip on default settings and thought my 5MB/s was 'normal'. As my network went up by 100x, I was still getting <10MB/s in backup speed. The bottleneck was the compression -- even fast compressors like lzo limit backups to less than 20-30MB/s. Compare that to uncompressed speeds: 200-400MB/s. > At the very least, the Cygwin website should be using protocol- > independent links, meaning users accessing the website using https > aren't switched to http when they click on a link (i.e. link to > "//cygwin.com/path/to/page" rather than "https://cygwin.com/..." or > "http://cygwin.com/..."). But I agree with Brian: the Cygwin website > should use https everywhere unless there's some good, specific reason > why it's a bad idea. And "TLS is slow" hasn't been a good reason for > years. --- Compared to the latency it induces over the net, and the increases in net speed, it's getting slower and slower and the penalty is getting worse by the year. -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple