> That's true only if your ISP is using an intercepting proxy.
Right -- they are a large corporation. You don't think they couldn't be ordered to do so and say nothing under the Patriot act? Do you disbelieve that root-ca's in the US or other monitoring countries couldn't be forced to give out subordinated CA's to install @ ISP monitoring sites?
> Blocking "by site" is still possible with HTTPS...blocking at a finer level than "by
> site" or "intermediate caching" still requires MITM.
I've always blocked by site and media type and for any unclarities, I looked at the http code. That's no longer possible unless a user sets up MITM proxying that
lowers security for all https sites (finance, et al.). While I can install exceptions to
whitelist sites that shouldn't have content cached, they are still decrypted.
One has to know content type and size to effectively cache anything. Right now, going back for the past 3500 requests, I see stats of:
(mem = in-squid-memory)
mem: 8% (313/3514), 16% (11M/70M)
dsk: 23% (842/3514), 10% (7.2M/70M)
tot: 32% (1155/3514), 26% (19M/70M)
& for double that:
mem: 5% (367/7025), 9% (12M/126M)
dsk: 21% (1523/7025), 14% (18M/126M)
tot: 26% (1890/7025), 23% (29M/126M)
without MITM caching, those numbers drop to near 0 for HTTPS sites. Those cached objects serve for multiple browsers, OS's, machines and users. Losing ability to cache 25-30% hurts interactive use and raises latency. Simply by going w/HTTPS instead of HTTP creates increased server load and increased network latencies. Sites that provide many static images can be affected more heavily. But my local network cache provides 128G of space (55% used) and can store large iso images that can be reserved months later. W/my monthly traffic, 25% space savings can easily run in the 500G range which is, by itself,
well over many ISP imposed limits before extra charges kick in.
> Intercepting proxies cache HTTPS only if the user has chosen to trust the proxy.
Which is why converting most traffic to HTTPS instead of HTTP hurts caching proxies the most and allow easier tracking by sites like google. From the time I connect to some sites, till I leave, google, et al, have encrypted connections
going. They can easily track sites and where I'm at on the site, w/o doing any special MITM interceptions using fed-provided CA's from US-based CA-authorities.
My interest has been in promoting faster browsing experience (something I've had success in, given feedback from those using the MITM proxies), as well as increasing privacy by blocking sites based on what sites they are being called or referenced from. You can't do that if the site you are connecting to is HTTPS based.
I see no benefit for HTTPS for "normal usage" -- only harm for the user and benefits for the sites -- especially large, data collection sites like google.