2015-06-12
My pragmatic view of HTTPS versus caching
One of the criticisms of going all HTTPS on the web is that it pretty much destroys caching. As Aristotle Pagaltzis commented on my entry, caching somewhat obscures traffic flow by itself (depending on where the cache is and who is watching), and as other people have commented in various places (cf), caching can serve valuable bandwidth reduction purposes. I and other people advocating an all HTTPS world should not ignore or understate this. On the contrary we should be explicit and admit that by advocating all HTTPS we are throwing some number of people who use caching under the bus.
The problem is that there is no good choice; regardless of what we choose here someone is getting thrown under the bus. If we go HTTPS and lose caching, we throw cache users under the bus. But everything that stays HTTP throws a significant number of other people under the bus of ISP traffic inspection, interception, tampering, and general monetization through various means. Our only choice is who gets thrown under in what circumstances, and what the effects of getting run over by the bus are. We cannot in any way pretend that there are no downsides of staying with HTTP, because there clearly are and they are happening today.
The effects of losing caching are mostly that for some people web browsing gets slower and perhaps more expensive due to bandwidth charges. The effects of losing privacy and content integrity are that for lots of people, well, they lose privacy, have their activities tracked quite intrusively, have advertising shoved down their throat and sometimes have their browsing weaponized and so on.
Faced with this tradeoff, I pick throwing people using caching under the bus of slower access. Sorry, cache users, I regret that you're going to have this happen to you (at least until people develop some more sophisticated HTTPS-capable caches and systems), but as far as I'm concerned it's clearly the lesser of two evils (as seen from my position, which is biased in some ways).
(I will not go so far as saying that cache users who insist that everyone else continue to have traffic intercepted, monitored, and monetized in order for the cache users to have an easier time are being selfish, partly because of the cost issues. But sometimes I do sort of feel that way.)
Red Hat are marketing email spammers now (in the traditional way)
We used to use Red Hat Enterprise Linux (in our previous fileserver generation and in a few other roles), although we've wound up switching to CentOS. As part of having those RHEL machines we have a RHN account, which is registered with a specific email alias here. RHN uses that email address to do things like notify us about important security updates, machines not responding, and so on. Although in practice all of those are basically noise, that's okay; that's what we registered the email address for and RHN is only doing what we told it to.
The other day we got the following email to that address from a Red Hat address, sent from Red Hat's own SMTP servers:
Subject: Red Hat Forum: Build an Efficient and Agile IT Organization for the Future - On Behalf Red Hat
Dear Valued Client,
We would like thank you for attending our Mobile Enterprise Application Workshop. We hope you enjoyed it. Since may of the attendees have requested, we are pleased to share with you our upcoming forum you may be interested in.
Join our annual Red Hat Forum on June 18 , 2015 for an insightful morning with industry leading analysts from IDC [...]
This is not RHN notification email. More than that, the first paragraph is a further lie; we didn't (and haven't) attended any Red Hat 'Mobile Enterprise Application Workshop'. Oh, and this claims to have been sent from Red Hat's Canadian office but includes no unsubscribe link, which means that it is clearly in violation of recent Canadian anti-spam legislation on top of everything else.
At one level I'm not particularly surprised. Companies do this all the time, often although not exclusively as a result of address list creep. Red Hat is just the latest one, and why would I be surprised at that? Everyone screws you eventually (it's why modern email is such a hassle).
At another level I'm terribly disappointed. At one time I could think of Red Hat as clearly good guys, people who would never ever behave in such an unethical and frankly slimy way. Clearly those days are over now, as Red Hat has given me a clear and unambiguous sign that marketing is winning over morals. I'm not sure what I can expect next, but I'm sure I'm not going to like it.
(Maybe Red Hat marketing will win the argument that everyone who has ever submitted a RHEL related Bugzilla report is fair game for RHEL related marketing emails.)
PS: I sent email to Red Hat when we got this email. I have of course received no reply.
(This elaborates on my tweet at the time.)