Troy Hunt @troyhunt
I've had a heap of people pointing me to this post by @meyerweb and I want to add some thoughts in a tweet stream. Start by reading the post because it really is excellent and should remind us all of how different things are in other parts of the world.
I want to make sure people don't see this as a reason not to do HTTPS so I've had a good chat to @meyerweb and want to put a few things in context. The first is this: caching in this fashion is the very definition of a "man in the middle" and has serious privacy ramifications.
It's clear why it's being done, but let that not cause us to lose sight of everyone's right to have private and secure communications. That said, there are a bunch of other angles to this:
One is that we're primarily talking about schools here and they control both the outbound connection and the client. There are dedicated devices designed for environments like this which can do HTTPS interception (and caching) by installing certs on the client.
Another is that whilst not being able to cache content without an interception appliance, students are still browsing the web. It's obviously slower, but they do still have access to content and when you think about it, it's already near impossible to browse without HTTPS:
No Google, no Wikipedia, no Facebook, no Twitter, no online email services, no Stack Overflow, no Reddit and no reading @meyerweb's blog post on the situation either! 74% of the world's web traffic is now encrypted and that's climbing *very* rapidly letsencrypt.org/stats/
The point of that last tweet is that it's rapidly becoming impossible to browse the web without HTTPS; nobody should read that post and then conclude they shouldn't secure their site lest it robs them of the lucrative rural Ugandan audience. I don't mean to trivialise that:
If that legitimately is your audience (or any other audience reliant on intercepting traffic and they can't do it over HTTPS) then clearly there's a valid discussion to be had about favouring accessibility over privacy. I want to acknowledge there's cases where that makes sense.
In my chat with @meyerweb he pointed out that people were indeed using Facebook and Google as well as reading news (which is now largely served over HTTPS) so this is not an "all or nothing discussion". He mentioned that video usage was frowned upon, which obviously makes sense.
One last thing - we're also getting better at making HTTPS faster, for example with 0-RTT in TLS 1.3 (although yes, it does also obviously require compatible clients): blog.cloudflare.com/introducing-0-…
If you're concerned about audiences in low-bandwidth locations, focus on website optimisation first. The average page load is going on 3MB, follow @meyerweb's lead and get rid of 90% of that if you want to make a real difference to everyone right now 😎 tools.pingdom.com/#!/dh15fO/http…