Increase the average data payload by about 80% due to the encryption; pages will load slower.
I think that's false. The algorithms do a 1:1 transform in place, rather than expanding the data size. So the same bandwidth. The usual reason for expanding encrypted data is if you have to apply an encoding like BASE64 (e.g. to store in a database character field that requires printable characters), but that's not required for https encryption.
When Google went to https, they didn't buy any more servers to handle that.
Netflix also went to https. If the data was going to be larger, they obviously would be hit huge given the size of the files they move; they are completely dependent upon bandwidth.
The main increase is the SSL handshake, then 1% for CPU load (both browser and server), not bandwidth.
But HTTP/2 solved a few performance issues with https, when compared to HTTP/1.1.
For a dramatic example, see
https://www.httpvshttps.com/
Prevent your browser from caching many elements like pictures, gifs, banners etc; pages will load slower.
As stated that's false. Browsers cache static files (pictures, javascript, css, etc) based on the URL -- for both http and https.
(Websites can request that static files not be cached, and browsers can be set to not cache files. The latest versions of IE default to deleting the cache whenever the browser is closed.)
If you use Cloudflare to do the SSL, then there's no difference in caching at Cloudflare.
If you do https on your own servers, and have Cloudflare in between, then Cloudflare can no longer cache static files.
Not increase the message security since this is a public forum.
You're right, there's no point in encryption to protect the top secret confidentiality of the absolutely public posts.
Just the userid/password logon.
Not prevent man in the middle attacks because this site's infrastructure is visible to the employees of Cloudflare in their Newark, New Jersey data center.
True-ish. There are a bunch of people you have to trust:
- yourself, that you didn't do something that left viruses, keystroke loggers (beyond the ones websites use), spyware, and everything else on your own computer
- the writers of {chrome, firefox, internet explorer, safari, etc} that they haven't done things that are bad
- police and three-letter-acronym companies aren't logging your stuff
- NSA, that they haven't cracked https
- the website configure person, that they aren't allowing cipher suites and TLS settings that are known to be vulnerable
- the website forum software writers
- as you say, Cloudflare employees
- the certification authority (certificate vendor)
- and of course the hosting company
I don't know about Cloudflare, but Amazon AWS went to a fair bit of trouble to ensure that their employees couldn't see what customers put on their servers -- unless customers configured their security as public.
But other than the above list of known entities, the whole point of ssl/https is that there isn't someone the website owner (e.g. jwirecom109) hasn't heard of being in the middle. PARANOIA: Filtering out disapproved pages, replacing content. Monitoring content as it's created using push protocols, rather than less efficient pull protocols. Logging who sees which content.
For example, you no longer have to trust your ISP.
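
The payload-size question discussed above, as an added example that is not part of the original post: it counts the per-record framing that TLS 1.3 adds with an AEAD cipher suite (constants from RFC 8446, no record padding, handshake excluded) and compares it with Base64 expansion. The function names and sample payload sizes are constructed for illustration.

```python
import base64

# TLS 1.3 record framing (RFC 8446) with an AEAD suite such as AES-GCM
# or ChaCha20-Poly1305. The handshake is a separate, one-time cost per
# connection and is not counted here.
RECORD_HEADER = 5        # content type (1) + legacy version (2) + length (2)
INNER_CONTENT_TYPE = 1   # real content type byte, encrypted with the data
AEAD_TAG = 16            # authentication tag appended to each record
MAX_FRAGMENT = 2 ** 14   # maximum plaintext bytes carried by one record
PER_RECORD = RECORD_HEADER + INNER_CONTENT_TYPE + AEAD_TAG


def tls13_wire_size(payload_len, fragment=MAX_FRAGMENT):
    """Bytes on the wire for payload_len bytes of application data."""
    if payload_len < 0:
        raise ValueError("payload_len must be non-negative")
    if not 0 < fragment <= MAX_FRAGMENT:
        raise ValueError("fragment must be between 1 and 2**14 bytes")
    records = -(-payload_len // fragment)  # ceiling division
    return payload_len + records * PER_RECORD


def base64_size(payload_len):
    """Length of the padded Base64 encoding of payload_len bytes."""
    return 4 * ((payload_len + 2) // 3)


def overhead_pct(encoded_len, payload_len):
    """Size increase relative to the original payload, in percent."""
    return 100.0 * (encoded_len - payload_len) / payload_len


if __name__ == "__main__":
    # Cross-check the Base64 formula against the standard library.
    assert len(base64.b64encode(bytes(1000))) == base64_size(1000)
    # Constructed sample sizes: a tiny response, a typical page, a large file.
    for size in (100, 50_000, 1_000_000):
        tls = tls13_wire_size(size)
        b64 = base64_size(size)
        print(f"{size:>9} bytes  TLS records: +{overhead_pct(tls, size):6.2f}%"
              f"  Base64: +{overhead_pct(b64, size):6.2f}%")
```

Small responses show a larger relative overhead because every record carries the same fixed 22 bytes of framing regardless of how much data it holds.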