I've had a heap of people pointing me to this post by @meyerweb and I want to add some thoughts in a tweet stream. Start by reading the post because it really is excellent and should remind us all of how different things are in other parts of the world
I want to make sure people don't see this as a reason not to do HTTPS so I've had a good chat to @meyerweb and want to put a few things in context. The first is this: caching in this fashion is the very definition of a "man in the middle" and has serious privacy ramifications.
It's clear why it's being done, but let that not cause us to lose sight of everyone's right to have private and secure communications. That said, there are a bunch of other angles to this:
One is that we're primarily talking about schools here and they control both the outbound connection and the client. There are dedicated devices designed for environments like this which can do HTTPS interception (and caching) by installing certs on the client.
Another is that whilst not being able to cache content without an interception appliance, students are still browsing the web. It's obviously slower, but they do still have access to content and when you think about it, it's already near impossible to browse without HTTPS:
No Google, no Wikipedia, no Facebook, no Twitter, no online email services, no Stack Overflow, no Reddit and no reading @meyerweb's blog post on the situation either! 74% of the world's web traffic is now encrypted and that's climbing *very* rapidly letsencrypt.org/stats/
The point of that last tweet is that it's rapidly becoming impossible to browse the web without HTTPS; nobody should read that post and then conclude they shouldn't secure their site lest it robs them of the lucrative rural Ugandan audience. I don't mean to trivialise that:
If that legitimately is your audience (or any other audience reliant on intercepting traffic and they can't do it over HTTPS) then clearly there's a valid discussion to be had about favouring accessibility over privacy. I want to acknowledge there's cases where that makes sense.
In my chat with @meyerweb he pointed out that people were indeed using Facebook and Google as well as reading news (which is now largely served over HTTPS) so this is not an "all or nothing discussion". He mentioned that video usage was frowned upon, which obviously makes sense.
One last thing - we're also getting better at making HTTPS faster, for example with 0-RTT in TLS 1.3 (although yes, it does also obviously require compatible clients): blog.cloudflare.com/introducing-0-…
If you're concerned about audiences in low-bandwidth locations, focus on website optimisation first. The average page load is going on 3MB, follow @meyerweb's lead and get rid of 90% of that if you want to make a real difference to everyone right now 😎 tools.pingdom.com/#!/dh15fO/http…
