Skip to main content
Information Security

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

Required fields*

21
  • 6
    +1 for static content takes a hit. Consider a site with multiple <img> tags. Since each image will have a separate connection, the computational overhead of say a 2048-bit or 4096-bit encrypted connection can become fairly significant on mobile platforms where increasesd CPU usage quickly drains a battery, users might avoid your site because for one reason or another they think it drains their battery. This is of course one merit to hosting non-confidential static content on a separate server (without SSL). Commented Jun 6, 2011 at 1:17
  • 11
    @puddingfox: a browser will open only a few SSL connections to a given site (e.g. 3 or 4), using HTTP keep-alive to send several successive HTTP requests within each. Moreover, only the very first one needs asymmetric key exchange (the one where a 2048-bits-or-so key is involved); the other connections will use the SSL/TLS "resume session" feature (faster handshake, less messages, symmetric crypto only). Finally, most SSL/TLS server use a RSA key and the client part of RSA is cheap (the server incurs most of the cost in RSA). Commented Jun 6, 2011 at 10:58
  • 3
    Good answer. However, there is a reason why someone sufficiently paranoid might want to view youtube videos over https: viewing them over https would mean that an eavesdropper would not easily be able to compile a record of which videos you watch. Commented Apr 13, 2014 at 6:20
  • 3
    Regarding the assertion that you do not really care about whether the video really comes from youtube.com, this is wrong. If I'm watching a video of Bruce Schneier talking about cryptography and I might make decisions based on his opinion, then I want to know that the message has not been altered in transit. Commented Nov 4, 2014 at 13:59
  • 3
    What about accuracy? You go to Youtube for vids but it gives you contents from Facebook instead. You go to Facebook and it shows you Google instead. You go to Google and it shows you something that is not-safe-for-life. Or stuff that could put you in jail. Like... a virus download or zero-day exploit which uses your computer to share pirated stuff, or broadcast anti-state speeches (a grave or capital offense in more than several countries), or export crypto, or release state secrets, or anything for that matter. Everyone needs HTTPS, they just don't know that yet. Commented Jan 26, 2016 at 22:23