I'll bite.<br><br>Some ISPs (e.g. Comcast) use transparent caching servers to speed up access to frequently-requested URLs. Using SSL for these connections precludes transparent caching, as your ISP (should) never see the full URL for an SSL request. Instead of responding quickly with a ready-to-go image from a server on their network, they have to pass the request on up to the original site. The original site may be considerably farther away (ping-wise) than the caching server. The original site may also experience considerably more load than your ISPs caching server (serving one batch of clients vs. the rest of the internet). SSL connections take longer to set up and tear down than normal TCP connections (handshaking, key exchange, etc). All of these factors add up to a client experience that is slower, but more resistant to logging and malicious packet injection. You trade some lost performance for some gained security. <br>
<br>Side note 1: "http" DTD references and "http-equiv" headers are not necessarily insecure URLs. Please be careful where you point your highlighter.<br><br>Side note 2: If I remember correctly,<b> even if a page or HTML document contains insecure http:// references</b>, those references will be fetched over and SSL connection if HTTPS Everywhere has a rule that matches the reference. (Example: If <a href="http://www.cnn.com">http://www.cnn.com</a> calls for an image from <a href="http://timewarnercdn.net/images/blahblahblah/omgwtfbbqsauce.jpg">http://timewarnercdn.net/images/blahblahblah/omgwtfbbqsauce.jpg</a> and HTTPS Everywhere has a rule for <a href="http://timewarnercdn.net">http://timewarnercdn.net</a> -> <a href="https://timewarnercdn.net">https://timewarnercdn.net</a>, the image <i>should </i>be fetched over an SSL connection. ) In other words, even "insecure" Facebook pictures can fetched over an SSL connection, albeit at a slower speed (see above).<br>
<br><br><br><div class="gmail_quote">On Sat, Sep 18, 2010 at 7:42 AM, Vegan <span dir="ltr"><<a href="mailto:vegan@riseup.net">vegan@riseup.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal"><span style="font-size:18.0pt">EFF
HTTPS EVERYWHERE Firefox XPI Plug-in Performance using FACEBOOK!</span></p>
<p class="MsoNormal"><b><span style="font-size:18.0pt"> </span></b></p>
<p class="MsoNormal"><b><span style="font-size:18.0pt">FEEDBACK</span></b></p>
<p class="MsoNormal"><span style="font-size:18.0pt">After
downloading from the EFF website and having installed the Firefox XPI Plug-in called
“HTTPS Everywhere” version 0.2.2 in the Firefox version 3.6.10, running on a
Windows XP Pro SP3 operating system the following condition was experienced.</span></p>
<p class="MsoNormal"><span style="font-size:18.0pt"> </span></p>
<p class="MsoNormal"><span style="font-size:18.0pt">When
I select the option from the HTTPS EVERYWHERE application to use SSL on
FACEBOOK, it does NOT redirect the “active web content” that Facebook makes use
of. In fact, there is NO warning in Firefox, that “active web content” isn’t
using SSL on a SSL encrypted website, unlike Microsoft Internet Explorer,
tested in v6 and v7, which does pop up a security warning asking the browser
user if they want to display non secure items!</span></p>
<p class="MsoNormal"><span style="font-size:18.0pt"> </span></p>
<p class="MsoNormal"><span style="font-size:18.0pt"><br></span><span style="font-size:18.0pt"></span></p>
<p class="MsoNormal"><span style="font-size:18.0pt"> </span></p>
<p class="MsoNormal"><span style="font-size:18.0pt">So
is the EFF HTTPS EVERYWHERE Firefox Plug-in looking like a big bank vault for
customers (Firefox users) with a gapping hole in the back side? </span></p>
<p class="MsoNormal"><span style="font-size:18.0pt"> </span></p>
<p class="MsoNormal"><span style="font-size:18.0pt">Sure
enough, when one checks the “html code” on the Facebook web pages, there is
plenty of non secure URL’s and non secure active web content! </span></p>
<p class="MsoNormal"><span style="font-size:18.0pt"> </span></p>
<p class="MsoNormal"><span style="font-size:18.0pt"><br></span><span style="font-size:18.0pt"></span></p>
<p class="MsoNormal"><span style="font-size:18.0pt"> </span></p>
<p class="MsoNormal"><span style="font-size:18.0pt">An
additional issue when using the EFF HTTPS Everywhere was when attempting to
view any FACEBOOK photo album, which either doesn’t display completely or takes
a rather long time to display all of the photos (thumbnail views) with
additional F5 webpage refreshes required. </span></p>
<p class="MsoNormal"><span style="font-size:18.0pt"> </span></p>
<p class="MsoNormal"><span style="font-size:18.0pt">Just
for the sake of testing, I tried using Facebook on different PC’s by switching
between “http” and “https” to see what happens. In all cases, when Facebook was
using SSL it had problems displaying photos, whereas non secure “http” was
blazing fast, without needing the web page to be refreshed. </span></p>
<p class="MsoNormal"><span style="font-size:18.0pt"> </span></p>
<p class="MsoNormal"><span style="font-size:18.0pt">How
does using SSL prevent loading (displaying) photos that are sent encrypted
using SSL? I’m NOT a web designer, just take a look here below…</span></p>
<p class="MsoNormal"><span style="font-size:18.0pt"> </span></p>
<p class="MsoNormal"><span style="font-size:18.0pt"><br></span><span style="font-size:18.0pt"></span></p>
<p class="MsoNormal"><span style="font-size:18.0pt"> </span></p>
<p class="MsoNormal"><span style="font-size:18.0pt">As
you see in the picture above inline, it shows some of the SSL traffic, showing
those photos to be encrypted, so why does using SSL only on Facebook, delay and
prevent (missing) photos from displaying. Let, me make this more clear, in that
some of the photos begin to load and display on the Facebook photo album
webpage, but many do NOT and some take a very long time, from seconds to
minutes, to half an hour, just for thumbnails to appear! Even when refreshing
the web page, which helps to display more photos, it still acts like something
freezes for the behavior of using SSL with Facebook. </span></p>
<p class="MsoNormal"><span style="font-size:18.0pt"> </span></p>
<p class="MsoNormal"><span style="font-size:18.0pt">As
soon as SSL isn’t used, then those same thumbnail photos load and display
almost instantly, even a hundred of them at a time. So somehow those photos are
loaded in a manner that the active web content which isn’t SSL traffic produces
a delay? I don’t understand, but the PC is working good, other websites don’t
have this issue, when using SSL traffic. The same problem happens on multiple
different computers regarding FACEBOOK when using the SSL method. So it’s NOT
an issue with the PC, or the operating system, not the browsers, as different
ones were used on different computers and all demonstrated the same repeating
issue no matter. </span></p>
<p class="MsoNormal"><span style="font-size:18.0pt"> </span></p>
<p class="MsoNormal"><b><span style="font-size:18.0pt">How
to secure Facebook?</span></b><span style="font-size:18.0pt">
So that Facebook is using full SSL/TLS using 256 bit in Firefox, including
active web content? When does a social website for which millions are using, get
serious with privacy security? </span></p>
<p class="MsoNormal"><span style="font-size:18.0pt"> </span></p>
<p class="MsoNormal"><span style="font-size:18.0pt">Thanks
for reading!</span></p>
<p class="MsoNormal"><span style="font-size:18.0pt"> </span></p>
<p class="MsoNormal"><span style="font-size:18.0pt">Sincerely,</span></p>
<p class="MsoNormal"><span style="font-size:18.0pt">V</span></p>
<p class="MsoNormal"><span style="font-size:18.0pt"> </span></p>
<p class="MsoNormal"><span style="font-size:18.0pt"> </span></p>
</div>
</div>
<br>_______________________________________________<br>
HTTPS-everywhere mailing list<br>
<a href="mailto:HTTPS-everywhere@mail1.eff.org">HTTPS-everywhere@mail1.eff.org</a><br>
<a href="https://mail1.eff.org/mailman/listinfo/https-everywhere" target="_blank">https://mail1.eff.org/mailman/listinfo/https-everywhere</a><br>
<br></blockquote></div><br>