TMC is an independent, primarily volunteer organization that relies on ad revenue to cover its operating costs. Please consider whitelisting TMC on your ad blocker and becoming a Supporting Member. For more info: Support TMC

HTTPS for Web sites

Discussion in 'Off Topic' started by Bumper, Apr 23, 2018.

  1. Bumper

    Bumper Member

    Joined:
    Jul 19, 2017
    Messages:
    124
    Location:
    Alexandria, VA
    #1 Bumper, Apr 23, 2018
    Last edited by a moderator: Apr 24, 2018
    Moderator note: Moved the first ten posts of this thread from a thread on the 2018.14 software release for the Model S.

    CNN is a horrible web site for browser performance. First, it defaults to HTTPS which shouldn't be necessary for public info unless you are going to login with credentials. Then, they are so full of bloated ads and tracking elements (31 ads today) that often use their own SSL certs because they link to other sites. The result is your poor browser has to decrypt a ton of images swapping in several different keys. I have seen business grade Next Generation FireWalls like Palo-Alto peg to 100% CPU utilization if they turn on SSL inspection and just a single user goes to CNN.COM.
     
  2. Axael

    Axael Member

    Joined:
    Feb 15, 2017
    Messages:
    135
    Location:
    Belgium
    In a few weeks from now, Google will begin penalizing websites that do not run SSL / HTTPS. Which means most websites will and should now start enforcing HTTPS, even if there are no credentials involved.
     
    • Like x 2
  3. Bumper

    Bumper Member

    Joined:
    Jul 19, 2017
    Messages:
    124
    Location:
    Alexandria, VA
    Not accurate. Google will flag a site that tries to collect a password or credit card as non-secure if it doesn’t use HTTPS. Currently it shows as neutral. But this is only in their chrome browser so will have no effect on Tesla. Nor should it matter if CNN.com isn’t asking for login or money. Below is an article on it.

    Google Is Requiring HTTPS for Secure Data in Chrome | SEJ
     
  4. Axael

    Axael Member

    Joined:
    Feb 15, 2017
    Messages:
    135
    Location:
    Belgium
    Actually, this article you link is outdated.

    Here's a more recent article from the same website explaining why every web publisher should switch to HTTPS, regardless of the content of the website: Google Sets Deadline for HTTPS and Warns Publishers to Upgrade Soon - Search Engine Journal
     
    • Like x 2
  5. ChrML

    ChrML Member

    Joined:
    Feb 6, 2017
    Messages:
    563
    Location:
    Norway
    There should be no reason to not use HTTPS for every page. There are a lot of reasons for enforcing encryption anyway regardless of content.

    Symmetric encryption like HTTPS uses is really fast. (except the first few assymetric kB for the SSL certificate verification, but that is not much data). Modern CPUs, like the one MCU2 hopefully uses, even have dedicated instructions for fast hardware accelerated decryption/encryption using symmetrical keys. MCU1 probably don't have that.
     
    • Like x 1
  6. Bumper

    Bumper Member

    Joined:
    Jul 19, 2017
    Messages:
    124
    Location:
    Alexandria, VA
    I'm not suggesting SSL is bad. My point is that CNN.COM has an excessively busy and complicated home page that is hard for the Tesla browser to parse through for several reasons. For fun I opened their home page today on a Mac Firefox browser running through a BlueCoat proxy with SSL intercept turned on. That one machine created 169 connections to 93 different locations, the vast majority of them were for ad content over HTTPS so a lot of different keys were needed to decrypt it all. A desktop machine can get that done (especially with ad block plug-ins), but the Tesla browser struggles. If you want news on your Tesla browser, pick a site that doesn't bombard you with encrypted ads and you will have better performance.

    My side frustration is that the purpose of that encryption is to protect the ad companies privacy, not yours. You may trust CNN to deliver safe content, but do you trust the 92 other vendors you are auto-linked to? Keep in mind when they use SSL, your Next Gen firewall is not likely going to catch any malicious code they send you. Screenshot 2018-04-24 08.34.45.png
     
    • Informative x 2
    • Like x 1
  7. Bumper

    Bumper Member

    Joined:
    Jul 19, 2017
    Messages:
    124
    Location:
    Alexandria, VA
    Thanks for the updated link! However, this is still only about how Google Chrome browser will react when it hits a non encrypted site. Nothing changes for Safari, FireFox, Internet Explorer, or the Tesla Browser. I do agree that Chrome has a large market share and web sites will likely start turning on SSL to avoid Chrome customers getting the insecure message and I have no problem with that, as long as it is implemented well.
     
  8. Axael

    Axael Member

    Joined:
    Feb 15, 2017
    Messages:
    135
    Location:
    Belgium
    I agree, what I was saying is that it will eventually become standard for websites to run on HTTPS only, quite soon.
    Now, indeed the CNN.com website might not be the best website to test the Tesla browser indeed, but that's not really related to HTTPS, it's their specific website being awfully coded / developped. :/
     
  9. Axael

    Axael Member

    Joined:
    Feb 15, 2017
    Messages:
    135
    Location:
    Belgium
    Sure, but as they're saying, it could lead users to leave the website because of the warning. And we don't know yet if other browsers will follow the same rule one day or another - or even if Google won't try at one point to change its algorythms in order to "punish" websites not using SSL in their search results... (and I actually won't be surprised if that's happening) :p
     
  10. DoctorG

    DoctorG Member

    Joined:
    Oct 22, 2017
    Messages:
    22
    Location:
    Midlothian, VA USA
    That is pretty interesting actually. I never considered that all that was going on "under the hood".
    Another solution to this is don't look at CNN for actual news. This whole media thing is a sad state of affairs.... JS.
     
  11. HarmonyOne

    HarmonyOne New Member

    Joined:
    Jul 1, 2018
    Messages:
    4
    Location:
    Alabama
    It's enough just to time for the work of your site, roll up updates and connect the verified protocols. And all will be well. Well, sometimes you can attract programmers and designers from outside, if you do not get something yourself.
     
  12. Kestes

    Kestes Member

    Joined:
    Jun 26, 2018
    Messages:
    7
    Location:
    Alabama
    Is it really a problem to connect a cloud of flames? To put the protected protocol? It's simple. And if you need an update to the site, you can simply order it - Ecommerce Web Site Builder - Create an Online Store | Niklex . And Google's sanctions will not be so terrible, or the danger of the site falling.
     

Share This Page

  • About Us

    Formed in 2006, Tesla Motors Club (TMC) was the first independent online Tesla community. Today it remains the largest and most dynamic community of Tesla enthusiasts. Learn more.
  • Do you value your experience at TMC? Consider becoming a Supporting Member of Tesla Motors Club. As a thank you for your contribution, you'll get nearly no ads in the Community and Groups sections. Additional perks are available depending on the level of contribution. Please visit the Account Upgrades page for more details.


    SUPPORT TMC