'S' for security could also stand for 'slow'
Researchers say time and energy are being wasted almost every second of every day, due entirely to the letter ‘S’.
An international team of researchers has quantified the value of the letter ‘S’ in HTTPS; the ‘secure’ variant of communications protocol HTTP (Hypertext Transfer Protocol).
A new paper, The Cost of the "S" in HTTPS (PDF), says that growing security concerns have seen many turn to HTTPS for better protection, but this comes with a price of more latency online, greater battery drain for some devices, and the potential loss of in-network value-added services.
HTTPS encryption is designed to protect information from “man-in-the-middle” attacks as it whizzes around our interconnected world. But the same functionality can work to slow down “middlebox” network appliances, such as firewalls.
The secure protocol is really taking off, with the study finding that “as of September 2014, as much as 50 per cent of YouTube's aggregate traffic volume is carried over HTTPS.”
“HTTPS accounts for 80 per cent of the upload volume in 2014; it was only 45.7 per cent in 2012.”
As the paper states, HTTPS “does not come for free”, and could actually “introduce overhead in terms of infrastructure costs, communication latency, data usage, and energy consumption”.
“Given the opaqueness of the encrypted communication, any in-network value added services requiring visibility into application layer content, such as caches and virus scanners, become ineffective,” the paper said.
“Most in-network services simply cannot function on encrypted data.”
But it may be just a warning for now, as the researchers also stressed that the “impact of these 'lost opportunities' is not clear”.
But HTTPS does not only affect in-network services - it can also impact latency and data usage.
“HTTPS requires an additional handshake between the client and the server in addition to the added computational cost of cryptographic operations,” the paper said.
“The benchmark shows that using HTTPS significantly increases load time.
“The extra latency introduced by HTTPS is not negligible, especially in a world where one second could cost $1.6 billion in sales,” it said.
Battery life is a concern too.
“It is immediately clear that energy consumption is strongly correlated to download time; this is not surprising, as leaving the radio powered up is costly,” the paper said.
“HTTPS has the potential to negatively impact battery life (particularly on mobile devices) due to the extra CPU time required for the cryptographic operations, and increased radio uptime due to longer downloads.”
While it appears that the 'S' is here to stay, the network community does need to work to avoid the negative repercussions of ubiquitous encryption.
To that end, the team said there were two parallel avenues of future work: First, low-level protocol enhancements to shrink the performance gap, like Google's ongoing efforts to achieve '0-RTT' handshakes.
Secondly, it proposes to restore in-network middlebox functionality to HTTPS sessions, with trusted proxies becoming an important part of the internet ecosystem.