I am incredibly rural in Pennsylvania and pay about $.50 per megabit.
I guess not all rurals are the same.
In my parts, being rural could mean not having a 2G/3G signal until you
have to climb a tree... not literally, but you get my point.
Mark.
Is that PennRen\Kinber?
$100M+ in federal dollars goes a long way.
Multiple providers. I don’t think I should publicly name them for various reasons. You are a smart man though and can probably figure it out from BGP peering tables.
I know who you have and it's easily found who you use.
I was implying exactly what "ML" said.
In a message written on Mon, May 28, 2018 at 09:23:09AM -0500, Mike Hammett wrote:
> However, this could be wildly improved with caching ala squid or something similar. The problem is that encrypted content is difficult to impossible for your average Joe to cache. The rewards for implementing caching are greatly mitigated and people like this must suffer a worse Internet experience because of some ideological high horse in a far-off land.
> Some things certainly do need to be encrypted, but encrypting everything means people with limited Internet access get worse performance OR mechanisms have to be put in place to break ALL encryption, thus compromising security and privacy when it's really needed.
I'm going to take this question head on, as opposed to the many tangents
in this thread.
The Internet lived in the world you described, and a lot of people
learned a lot of things along the way. Perhaps the most important
lessons:
- Users cannot be trusted to check if there is a "secure" indicator
before sending sensitive information.
- Users cannot tell the difference between two "secure" sites, one of
which is a phishing site that just happens to have a certificate.
- There is no algorithmic way to determine if mixed mode content is
"safe".
- Web site operators seem incapable of maintaining white lists of
safe mixed mode content.
- Mixed mode content is not safe due to browser bugs.
- Once users have been trained that it's ok to send content via some
insecure channels, it's nearly impossible to untrain them of it
later.
Basically, while you presented the "pro" side of unencrypted content
(being able to cache), you didn't present any of the negative side.
I have to wonder if the villagers were given a choice of faster
internet, where 5% of them had their bank account cleaned out, and 5%
had their identity stolen, or slower, secure internet which they would
choose?
Want a technological solution? It exists! Signed content. I've always
been baffled why there isn't a way to serve up HTTP signed (but not
encrypted) content. I'd imagine the way it would work is:
1) Initial connection had to be HTTPS encrypted to create a full
encrypted channel.
2) Additional assets could then be downloaded as HTTPS, or as HTTP +
Signature. Signature must be from the same certificate as the
HTTPS data.
The http+signature data could then be cached just fine, and stored in
the clear. The web site could determine what to serve up that way to
maintain security. All POST commands would have to be HTTPS (data from
client to server), and of course sensitive information would be returned
HTTPS only.
Why doesn't that exist?
Has anyone outside of tech media, Silicon Valley or academia (all places wildly out of touch with the real world) put much thought into the impacts of encryption everywhere?
See "Effects of Pervasive Encryption on Operators."
https://datatracker.ietf.org/doc/draft-mm-wg-effect-encrypt/?include_text=1
TLS1.3 uses ephemeral keys, so even if you own both endpoints and everything in the middle, you can't decrypt a flow without some yet-to-be-developed technology.
QUIC encrypts everything, and of course, HTTPS.
So often we hear about how we need the best modern encryption on all forms of communication because of whatever scary thing is trendy this week (Russia, NSA, Google, whatever). HTTPS your marketing information and generic education pieces because of the boogeyman!
However, I recently came across a thread where someone was exploring getting a one megabit connection into their village and sharing it among many. The crowd I referenced earlier also believes you can't Internet under 100 megabit/s per home.
Yeah. Too many people forget that most of the Internet is mobile, and mobile != LTE. People also assume packet loss < 0.1%, latency <100ms, and power reliability >99%.
However, this could be wildly improved with caching ala squid or something similar. The problem is that encrypted content is difficult to impossible for your average Joe to cache. The rewards for implementing caching are greatly mitigated and people like this must suffer a worse Internet experience because of some ideological high horse in a far-off land.
Some things certainly do need to be encrypted, but encrypting everything means people with limited Internet access get worse performance OR mechanisms have to be put in place to break ALL encryption, thus compromising security and privacy when it's really needed.
To circle back to being somewhat on-topic, what mechanisms are available to maximize the amount of traffic someone in this situation could cache? The performance of third-world Internet depends on you.
A proxy is all I've thought of. But it means everything is dependent on the proxy, and it's even in-path for things that really should be encrypted, like email and messaging.
I can't imagine why the weather should be encrypted, when everyone in a location wants to know the forecast.
Lee
If you’re in $TinyVillage in $PoorAfricanCountry, do you even have a bank account or an online identity that could be stolen?
Just my $0.02 on this increasingly off-topic thread.
Bank accounts are so 2018...
https://en.wikipedia.org/wiki/M-Pesa
Where've you been, man :-)...
Mark.
northerners who have never traveled pontificating about africa might, or
might not, be interested in
https://afrinic.net/blog/333-revealing-latency-clusters-in-africa
randy
Based on my experience a couple of years ago while in West Africa:
If you look at the BGP adjacencies and bidirectional traceroutes for ISPs
in Sierra Leone or Liberia, Freetown and Monrovia are both logically
suburbs of London, just with much higher transport latencies via the
submarine fiber link and then transport from UK cable landing station to
the IX points in London.
The situation is a bit different in Accra, Ghana which is a much larger and
more economically developed market, and has IXes and ISPs that peer with
each other domestically.
West Africa has generally lagged a little behind compared to Eastern and
Southern Africa, with regard to closing connectivity gaps within the
local and regional space. The good news is that places such as Ghana and
Nigeria have made excellent strides in fixing this, as you point out.
The work being done by AfPIF (part of ISOC), AFRINIC and a bunch of
country- and region-level NOGs has gone a long way in promoting local
and regional connectivity through traditional and other means, and we
have seen the fruits of that labour.
Mark.
> The http+signature data could then be cached just fine, and stored in
> the clear. The web site could determine what to serve up that way to
> maintain security. All POST commands would have to be HTTPS (data from
> client to server), and of course sensitive information would be returned
> HTTPS only.
Makes a lot of sense, but…
Wouldn’t you also have to require that all GET commands (or at least GET
commands for strings containing a ? character) be sent via HTTPS?
In many cases, there’s little difference between the data disclosure
of a POST form vs. the disclosure achieved with GET URL?attribute=value&…
Indeed, there are multiple libraries out there which allow one to treat
the variables from POST data and the variables from GET “query strings”
as virtually identical. I suspect that in most cases, the only reason
said libraries distinguish is to maintain namespace separation in case of
collisions (since query strings can also be applied to POST requests).
> Why doesn't that exist?
Because developers are lazy?
Owen
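As an added illustration (not code from anyone in this thread), here is a small Go program that models the scheme sketched by Leo (initial HTTPS connection, then assets served over plain HTTP carrying a signature from the same key, cacheable in the clear) together with Owen's refinement (a GET with a query string must stay on HTTPS, since it discloses as much as a POST body). The key pair, the hypothetical signature header, the path-binding digest, the `Eligible` policy and the sample forecast body are all assumptions made for the example; the real proposal would take the public key from the site's certificate and would need to bind host and response headers as well.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
)

// Origin is the web site. In the thread's sketch the public key would be the
// one from the certificate presented on the initial HTTPS connection; here it
// is a freshly generated Ed25519 key pair (an assumption made for this example).
type Origin struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewOrigin() (*Origin, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Origin{pub: pub, priv: priv}, nil
}

// PublicKey is what the client pins after the HTTPS bootstrap.
func (o *Origin) PublicKey() ed25519.PublicKey { return o.pub }

// SignedResponse models a cleartext HTTP response plus a hypothetical
// signature header. Sig covers sha256(path || 0x00 || body), so a cache can
// store it in the clear but cannot alter the body or serve it under another path.
type SignedResponse struct {
	Path string
	Body []byte
	Sig  string // base64 of the Ed25519 signature
}

func digest(path string, body []byte) []byte {
	h := sha256.New()
	h.Write([]byte(path))
	h.Write([]byte{0}) // separator so "/ab"+"c" and "/a"+"bc" differ
	h.Write(body)
	return h.Sum(nil)
}

// Sign runs on the origin for assets it has decided may travel over plain HTTP.
func (o *Origin) Sign(path string, body []byte) SignedResponse {
	sig := ed25519.Sign(o.priv, digest(path, body))
	return SignedResponse{Path: path, Body: body, Sig: base64.StdEncoding.EncodeToString(sig)}
}

// Verify runs on the client with the pinned key. A proxy or any other
// on-path party lacks the private key, so any edit fails here.
func Verify(pub ed25519.PublicKey, r SignedResponse) bool {
	sig, err := base64.StdEncoding.DecodeString(r.Sig)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, digest(r.Path, r.Body), sig)
}

// Eligible encodes the thread's rules for what may go HTTP+signature:
// GET only (POSTs stay on HTTPS), no query string (a GET with ?a=b discloses
// as much as a POST body) and no credentials attached to the request.
func Eligible(method, rawURL string, hasCredentials bool) bool {
	if method != "GET" || hasCredentials {
		return false
	}
	u, err := url.Parse(rawURL)
	if err != nil {
		return false
	}
	return u.RawQuery == "" && !u.ForceQuery
}

// Cache is the village proxy: it keeps signed responses in the clear, by path.
type Cache map[string]SignedResponse

func main() {
	origin, err := NewOrigin()
	if err != nil {
		panic(err)
	}
	pinned := origin.PublicKey() // obtained over HTTPS once, then pinned

	cache := Cache{}
	// Constructed sample asset: a public forecast, the kind of content the
	// thread argues need not be encrypted, only protected from tampering.
	forecast := origin.Sign("/forecast/today", []byte("Sunny, high 24C, 10% rain"))
	cache[forecast.Path] = forecast

	served := cache["/forecast/today"]
	fmt.Println("cached copy verifies:", Verify(pinned, served))

	// A tampering proxy (or a bit flip) changes the body; the client notices.
	served.Body = []byte("Sunny, high 24C, 90% rain")
	fmt.Println("tampered copy verifies:", Verify(pinned, served))

	fmt.Println("GET /forecast/today eligible:", Eligible("GET", "http://example.org/forecast/today", false))
	fmt.Println("GET /search?q=... eligible:", Eligible("GET", "http://example.org/search?q=account", false))
	fmt.Println("POST /login eligible:", Eligible("POST", "http://example.org/login", false))
}
```

The path is folded into the signed digest on purpose: without it a cache that holds a valid signed copy of one document could replay it under a different URL, which is the same class of problem as mixed content substitution, just moved into the proxy.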
Ah, the wonderful USF.
Here’s my take on USF. It’s a perfectly wonderful intent whose implementation has gone horribly horribly wrong.
Instead of equalizing economic incentives for infrastructure between rural, urban, and suburban areas, it has heavily tilted the incentives in favor of the highest densities that still qualify as rural while pretty much screwing over everyone else.
Extremely high density urban areas still have sufficient economic opportunity over lower infrastructure cost per user to attract some development. However, Suburbia is the biggest loser in this equation.
Don’t get me wrong… I’m perfectly fine with the idea that I need to make a small payment to subsidize delivery of decent network infrastructure to underserved areas. What bothers me is that I’m generally paying this tax to enable farmers in the middle of nowhere to have better network infrastructure than I can get at my own location.
I’m happy to subsidize equality of connectivity, but it galls me to have to subsidize GPON for others while there’s not even a glimmer of hope that anyone will usefully lay fiber in my neighborhood in the foreseeable future.
Owen
*nods* The whole concept of SSL all of the things is severely misplaced... and the thread I caught exemplifies why.
But privacy! *sigh*
People may just have to know how to turn the proxy on and off. It's a requirement we wouldn't dare consider in the US, but if you're in the middle of nowhere and you can get megabit or higher speeds (instead of dialup) if you learn how to turn a proxy on and off... you'll learn quickly.
Sadly, it's just falling on deaf ears. Silicon Valley will continue to think they know better than everyone else and people outside of that bubble will continue to be disadvantaged.
What, again ?
Encryption is what is best for the most people.
The few that will not use it can disable it.
No issue then.
Well, yes, there is, you simply have to break the end to end encryption
Yes, (or) deny service by Policy (remains to evaluate who's happy with that).
Cheers,
mh