This is the mail archive of the
mailing list for the Cygwin project.
Re: Proposed patch for web site: update most links to HTTPS
- From: Linda Walsh <cygwin at tlinx dot org>
- To: cygwin at cygwin dot com
- Date: Tue, 26 Apr 2016 22:35:44 -0700
- Subject: Re: Proposed patch for web site: update most links to HTTPS
- Authentication-results: sourceware.org; auth=none
- References: <BL2PR03MB228A4FE7B2CCA51E5FF5163DF610 at BL2PR03MB228 dot namprd03 dot prod dot outlook dot com> <1074467721 dot 20160425030008 at yandex dot ru> <BL2PR03MB22817533DCF96CD385BD883DF620 at BL2PR03MB228 dot namprd03 dot prod dot outlook dot com> <48360918 dot 20160425084918 at yandex dot ru> <20160425124332 dot GO2345 at dinwoodie dot org>
Adam Dinwoodie wrote:
Secure connections historically had a high overhead, sure, but that's
very rarely the case nowadays. Certainly my experince of loading the
Cygwin web page is that there's no perceptible difference between the
http and https versions. Adam Langley (a senior engineer at Google)
wrote an article back in 2010 about how TLS is now computationally
cheap; it's only gotten cheaper since.
Google talking about benefits of https everywhere is a bit like
the government telling us that having 'banks' create the rules
for how we use money is "impartial".
https slows down the entire web -- you think not by much -- and that's
because no one knows what the speed is like if everything that could
be cleartext, was. Sure crypto speedups have been added to HW, but
speedups in communications HW has speed up as well. So encryption speed
has gone up 100-200%, in the past decade, but in the past decade
communication speeds have gone up from 100Mb-> 10Gb @ home and
~1Mb -> 50-100Mb over the external net -- that's a 1000% speedup @ home
to a 5000-10000% speedup externally. That means more and more
of that speed is being lost to crypto which can't keep up and be secure
because it is expensive to do the computations.
A different example: When I first started regular backups, I used gzip on
default settings and thought my 5MB/s was 'normal'. As my network went
up by 100x, I was still getting <10MB/s in backup speed. The bottleneck
was the compression -- even fast compressors like lzo limit backups to
less than 20-30MB/s. Compare that to uncompressed speeds: 200-400MB/s.
At the very least, the Cygwin website should be using protocol-
independent links, meaning users accessing the website using https
aren't switched to http when they click on a link (i.e. link to
"//cygwin.com/path/to/page" rather than "https://cygwin.com/..." or
"http://cygwin.com/..."). But I agree with Brian: the Cygwin website
should use https everywhere unless there's some good, specific reason
why it's a bad idea. And "TLS is slow" hasn't been a good reason for
Compared to the latency it induces over the net, and the increases in net
speed, it's getting slower and slower and the penalty is getting worse
by the year.
Problem reports: http://cygwin.com/problems.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple