Welcome to Tesla Motors Club
Discuss Tesla's Model S, Model 3, Model X, Model Y, Cybertruck, Roadster and More.
Register

HTTPS for Web sites

This site may earn commission on affiliate links.
Moderator note: Moved the first ten posts of this thread from a thread on the 2018.14 software release for the Model S.

CNN.com 35 secs, Latimes.com 30 secs with one bar of LTE.
CNN is a horrible web site for browser performance. First, it defaults to HTTPS which shouldn't be necessary for public info unless you are going to login with credentials. Then, they are so full of bloated ads and tracking elements (31 ads today) that often use their own SSL certs because they link to other sites. The result is your poor browser has to decrypt a ton of images swapping in several different keys. I have seen business grade Next Generation FireWalls like Palo-Alto peg to 100% CPU utilization if they turn on SSL inspection and just a single user goes to CNN.COM.
 
Last edited by a moderator:
CNN is a horrible web site for browser performance. First, it defaults to HTTPS which shouldn't be necessary for public info unless you are going to login with credentials.

In a few weeks from now, Google will begin penalizing websites that do not run SSL / HTTPS. Which means most websites will and should now start enforcing HTTPS, even if there are no credentials involved.
 
In a few weeks from now, Google will begin penalizing websites that do not run SSL / HTTPS. Which means most websites will and should now start enforcing HTTPS, even if there are no credentials involved.
Not accurate. Google will flag a site that tries to collect a password or credit card as non-secure if it doesn’t use HTTPS. Currently it shows as neutral. But this is only in their chrome browser so will have no effect on Tesla. Nor should it matter if CNN.com isn’t asking for login or money. Below is an article on it.

Google Is Requiring HTTPS for Secure Data in Chrome | SEJ
 
Not accurate. Google will flag a site that tries to collect a password or credit card as non-secure if it doesn’t use HTTPS. Currently it shows as neutral. But this is only in their chrome browser so will have no effect on Tesla. Nor should it matter if CNN.com isn’t asking for login or money. Below is an article on it.

Google Is Requiring HTTPS for Secure Data in Chrome | SEJ

Actually, this article you link is outdated.

Here's a more recent article from the same website explaining why every web publisher should switch to HTTPS, regardless of the content of the website: Google Sets Deadline for HTTPS and Warns Publishers to Upgrade Soon - Search Engine Journal
 
There should be no reason to not use HTTPS for every page. There are a lot of reasons for enforcing encryption anyway regardless of content.

Symmetric encryption like HTTPS uses is really fast. (except the first few assymetric kB for the SSL certificate verification, but that is not much data). Modern CPUs, like the one MCU2 hopefully uses, even have dedicated instructions for fast hardware accelerated decryption/encryption using symmetrical keys. MCU1 probably don't have that.
 
  • Like
Reactions: Axael
There should be no reason to not use HTTPS for every page. There are a lot of reasons for enforcing encryption anyway regardless of content.

Symmetric encryption like HTTPS uses is really fast. (except the first few assymetric kB for the SSL certificate verification, but that is not much data). Modern CPUs, like the one MCU2 hopefully uses, even have dedicated instructions for fast hardware accelerated decryption/encryption using symmetrical keys. MCU1 probably don't have that.

I'm not suggesting SSL is bad. My point is that CNN.COM has an excessively busy and complicated home page that is hard for the Tesla browser to parse through for several reasons. For fun I opened their home page today on a Mac Firefox browser running through a BlueCoat proxy with SSL intercept turned on. That one machine created 169 connections to 93 different locations, the vast majority of them were for ad content over HTTPS so a lot of different keys were needed to decrypt it all. A desktop machine can get that done (especially with ad block plug-ins), but the Tesla browser struggles. If you want news on your Tesla browser, pick a site that doesn't bombard you with encrypted ads and you will have better performance.

My side frustration is that the purpose of that encryption is to protect the ad companies privacy, not yours. You may trust CNN to deliver safe content, but do you trust the 92 other vendors you are auto-linked to? Keep in mind when they use SSL, your Next Gen firewall is not likely going to catch any malicious code they send you.
Screenshot 2018-04-24 08.34.45.png
 
Actually, this article you link is outdated.

Here's a more recent article from the same website explaining why every web publisher should switch to HTTPS, regardless of the content of the website: Google Sets Deadline for HTTPS and Warns Publishers to Upgrade Soon - Search Engine Journal

Thanks for the updated link! However, this is still only about how Google Chrome browser will react when it hits a non encrypted site. Nothing changes for Safari, FireFox, Internet Explorer, or the Tesla Browser. I do agree that Chrome has a large market share and web sites will likely start turning on SSL to avoid Chrome customers getting the insecure message and I have no problem with that, as long as it is implemented well.
 
I'm not suggesting SSL is bad. My point is that CNN.COM has an excessively busy and complicated home page that is hard for the Tesla browser to parse through for several reasons. For fun I opened their home page today on a Mac Firefox browser running through a BlueCoat proxy with SSL intercept turned on. That one machine created 169 connections to 93 different locations, the vast majority of them were for ad content over HTTPS so a lot of different keys were needed to decrypt it all. A desktop machine can get that done (especially with ad block plug-ins), but the Tesla browser struggles. If you want news on your Tesla browser, pick a site that doesn't bombard you with encrypted ads and you will have better performance.

My side frustration is that the purpose of that encryption is to protect the ad companies privacy, not yours. You may trust CNN to deliver safe content, but do you trust the 92 other vendors you are auto-linked to? Keep in mind when they use SSL, your Next Gen firewall is not likely going to catch any malicious code they send you. View attachment 296331

I agree, what I was saying is that it will eventually become standard for websites to run on HTTPS only, quite soon.
Now, indeed the CNN.com website might not be the best website to test the Tesla browser indeed, but that's not really related to HTTPS, it's their specific website being awfully coded / developped. :/
 
Thanks for the updated link! However, this is still only about how Google Chrome browser will react when it hits a non encrypted site. Nothing changes for Safari, FireFox, Internet Explorer, or the Tesla Browser. I do agree that Chrome has a large market share and web sites will likely start turning on SSL to avoid Chrome customers getting the insecure message and I have no problem with that, as long as it is implemented well.

Sure, but as they're saying, it could lead users to leave the website because of the warning. And we don't know yet if other browsers will follow the same rule one day or another - or even if Google won't try at one point to change its algorythms in order to "punish" websites not using SSL in their search results... (and I actually won't be surprised if that's happening) :p
 
I'm not suggesting SSL is bad. My point is that CNN.COM has an excessively busy and complicated home page that is hard for the Tesla browser to parse through for several reasons. For fun I opened their home page today on a Mac Firefox browser running through a BlueCoat proxy with SSL intercept turned on. That one machine created 169 connections to 93 different locations, the vast majority of them were for ad content over HTTPS so a lot of different keys were needed to decrypt it all. A desktop machine can get that done (especially with ad block plug-ins), but the Tesla browser struggles. If you want news on your Tesla browser, pick a site that doesn't bombard you with encrypted ads and you will have better performance.

My side frustration is that the purpose of that encryption is to protect the ad companies privacy, not yours. You may trust CNN to deliver safe content, but do you trust the 92 other vendors you are auto-linked to? Keep in mind when they use SSL, your Next Gen firewall is not likely going to catch any malicious code they send you. View attachment 296331
That is pretty interesting actually. I never considered that all that was going on "under the hood".
Another solution to this is don't look at CNN for actual news. This whole media thing is a sad state of affairs.... JS.
 
It's enough just to time for the work of your site, roll up updates and connect the verified protocols. And all will be well. Well, sometimes you can attract programmers and designers from outside, if you do not get something yourself.