[162871] in North American Network Operators' Group
Re: HTTPS-everywhere vs. proxy caching
daemon@ATHENA.MIT.EDU (Andrew Latham)
Fri May 3 15:13:47 2013
In-Reply-To: <26650528.4928.1367607990956.JavaMail.root@benjamin.baylink.com>
Date: Fri, 3 May 2013 15:13:33 -0400
From: Andrew Latham <lathama@gmail.com>
To: Jay Ashworth <jra@baylink.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Fri, May 3, 2013 at 3:06 PM, Jay Ashworth <jra@baylink.com> wrote:
> It occurs to me that I don't believe I've seen any discussion of the
> Unexpected Consequence of pervasive HTTPS replacing HTTP for unauthenticated
> sessions, like non-logged-in users browsing sites like Wikipedia.
>
> That traffic's not cacheable, is it? Proxy caches on services like
> mobile 3/4G, or smaller ISPs, or larger corporations can't cache it, I
> wouldn't think, which means both that they will see traffic increases,
> and that the end sites will as well.
>
> Has this been discussed and I missed it? Do I improperly understand
> transparent caching? Or is this just a bomb waiting to go off?
>
> I assume that Wikipedia themselves are on top of the idea that their
> in-house reverse-proxies won't be carrying that traffic (though I don't
> actually know what their architecture looks like anymore), but..
>
> Cheers,
> -- jra
> --
> Jay R. Ashworth Baylink jra@baylink.com
> Designer The Things I Think RFC 2100
> Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
> St Petersburg FL USA #natog +1 727 647 1274
TLS/SSL can be applied at the load balancer/caching proxy for service
providers like Wikipedia. As you may already know, products like
Apple's iPhone include a CA that can allow groups like the DOD to do
chain-loading to allow their proxies to be MITM systems (super scary,
in more systems than the one mentioned). Yes, it is a bomb, but only
from the ISP caching point of view, not the provider caching point of
view.
--
~ Andrew "lathama" Latham lathama@gmail.com http://lathama.net ~