HTTPS-everywhere vs. proxy caching

Andrew Latham lathama at gmail.com
Fri May 3 19:13:33 UTC 2013


On Fri, May 3, 2013 at 3:06 PM, Jay Ashworth <jra at baylink.com> wrote:
> It occurs to me that I don't believe I've seen any discussion of the
> Unexpected Consequence of pervasive HTTPS replacing HTTP for unauthenticated
> sessions, like non-logged-in users browsing sites like Wikipedia.
>
> That traffic's not cacheable, is it?  Proxy caches on services like
> mobile 3/4G, or smaller ISPs, or larger corporations can't cache it, I
> wouldn't think, which means both that they will see traffic increases,
> and that the end sites will as well.
>
> Has this been discussed and I missed it?  Do I improperly understand
> transparent caching?  Or is this just a bomb waiting to go off?
>
> I assume that Wikipedia themselves are on top of the idea that their
> in-house reverse-proxies won't be carrying that traffic (though I don't
> actually know what their architecture looks like anymore), but..
>
> Cheers,
> -- jra
> --
> Jay R. Ashworth                  Baylink                       jra at baylink.com
> Designer                     The Things I Think                       RFC 2100
> Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
> St Petersburg FL USA               #natog                      +1 727 647 1274


TLS/SSL can be applied at the loadbalancer/caching proxy for service
providers like Wikipedia.  As you may already know products like
Apple's IPhone include CA that can allow groups like the DOD to do
chain-loading to allow their proxies to be MITM systems(super scary,
in more systems than the one mentioned.).  Yes it is a bomb but only
from the ISP caching point of view, not the provider caching point of
view.

-- 
~ Andrew "lathama" Latham lathama at gmail.com http://lathama.net ~



More information about the NANOG mailing list