<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
    <title>Vasilios Syrakis - security</title>
    <subtitle>A simple blog made with Zola and Duckquill</subtitle>
    <link rel="self" type="application/atom+xml" href="https://cetanu.github.io/tags/security/atom.xml"/>
    <link rel="alternate" type="text/html" href="https://cetanu.github.io"/>
    <generator uri="https://www.getzola.org/">Zola</generator>
    <updated>2026-07-10T00:00:00+00:00</updated>
    <id>https://cetanu.github.io/tags/security/atom.xml</id>
    <entry xml:lang="en">
        <title>Do We Really Need TLS for Cat Pictures?</title>
        <published>2026-07-10T00:00:00+00:00</published>
        <updated>2026-07-10T00:00:00+00:00</updated>
        
        <author>
          <name>
            
              Vasilios Syrakis
            
          </name>
        </author>
        
        <link rel="alternate" type="text/html" href="https://cetanu.github.io/blog/do-we-really-need-tls-for-cat-pictures/"/>
        <id>https://cetanu.github.io/blog/do-we-really-need-tls-for-cat-pictures/</id>
        
        <content type="html" xml:base="https://cetanu.github.io/blog/do-we-really-need-tls-for-cat-pictures/">&lt;p&gt;It is a common piece of skepticism: &lt;em&gt;&quot;Is encrypting every single corner of the
web actually necessary? If I’m just reading a static blog post or looking at a
cute picture of a cat, there are no passwords or credit cards involved. Why do
we need to wrap all of that in TLS? Aren’t we just wasting a massive amount of
CPU cycles globally?&quot;&lt;&#x2F;em&gt;&lt;&#x2F;p&gt;
&lt;p&gt;On the surface, it seems like a reasonable complaint. Wrapping every HTTP
response in a layer of cryptography must have a cost.&lt;&#x2F;p&gt;
&lt;p&gt;But when you dig into the mechanics of modern networks and the history of how
ISPs behave when we leave our traffic in plaintext, the answer becomes obvious.
Ubiquitous TLS isn’t paranoia or wasteful bloat—it is the bare minimum required
to keep the web functional.&lt;&#x2F;p&gt;
&lt;p&gt;Let’s break down the actual compute cost of TLS and look at what happens to
your data when you don’t encrypt it.&lt;&#x2F;p&gt;
&lt;hr &#x2F;&gt;
&lt;h2 id=&quot;the-compute-myth-is-tls-actually-wasting-cpu&quot;&gt;&lt;a class=&quot;zola-anchor&quot; href=&quot;#the-compute-myth-is-tls-actually-wasting-cpu&quot; aria-label=&quot;Anchor link for: the-compute-myth-is-tls-actually-wasting-cpu&quot;&gt;&lt;i class=&quot;icon&quot;&gt;&lt;&#x2F;i&gt;&lt;&#x2F;a&gt;
The Compute Myth: Is TLS Actually Wasting CPU?&lt;&#x2F;h2&gt;
&lt;p&gt;Historically, yes, SSL&#x2F;TLS was computationally expensive. In the 1990s and
early 2000s, setting up a secure connection and encrypting a stream of data was
a heavy burden for servers. Websites that wanted encryption often had to buy
dedicated, expensive SSL accelerator expansion cards to offload the
cryptographic math from the main CPU.&lt;&#x2F;p&gt;
&lt;p&gt;Today, that bottleneck is long gone.&lt;&#x2F;p&gt;
&lt;h3 id=&quot;1-hardware-accelerated-cryptography-aes-ni-modern-cpus-both-client-side&quot;&gt;&lt;a class=&quot;zola-anchor&quot; href=&quot;#1-hardware-accelerated-cryptography-aes-ni-modern-cpus-both-client-side&quot; aria-label=&quot;Anchor link for: 1-hardware-accelerated-cryptography-aes-ni-modern-cpus-both-client-side&quot;&gt;&lt;i class=&quot;icon&quot;&gt;&lt;&#x2F;i&gt;&lt;&#x2F;a&gt;
1. Hardware-Accelerated Cryptography (AES-NI) Modern CPUs (both client-side&lt;&#x2F;h3&gt;
&lt;p&gt;and server-side) have dedicated hardware instructions built directly into the
silicon to handle symmetric encryption. The most famous of these is Intel and
AMD’s &lt;strong&gt;AES-NI&lt;&#x2F;strong&gt; (Advanced Encryption Standard New Instructions).&lt;&#x2F;p&gt;
&lt;p&gt;With AES-NI, the CPU doesn’t need to run a software loop to encrypt data
block-by-block. Instead, it offloads it to hardware execution units that run
the operations in a handful of clock cycles.&lt;&#x2F;p&gt;
&lt;p&gt;Because of this, modern processors can encrypt and decrypt AES-GCM (the primary
cipher suite used in TLS 1.3) at near-memory speeds. A single modern CPU core
can easily encrypt multiple gigabits of data per second. On a typical web
server, the CPU overhead of encrypting the payload is a fraction of a percent.&lt;&#x2F;p&gt;
&lt;h3 id=&quot;2-tls-1-3-handshake-optimizations-the-most-computationally-intensive-part&quot;&gt;&lt;a class=&quot;zola-anchor&quot; href=&quot;#2-tls-1-3-handshake-optimizations-the-most-computationally-intensive-part&quot; aria-label=&quot;Anchor link for: 2-tls-1-3-handshake-optimizations-the-most-computationally-intensive-part&quot;&gt;&lt;i class=&quot;icon&quot;&gt;&lt;&#x2F;i&gt;&lt;&#x2F;a&gt;
2. TLS 1.3 Handshake Optimizations The most computationally intensive part&lt;&#x2F;h3&gt;
&lt;p&gt;of TLS isn’t actually encrypting the data stream (symmetric cryptography)—it is
the initial handshake where the client and server negotiate keys (asymmetric
cryptography).&lt;&#x2F;p&gt;
&lt;p&gt;TLS 1.3, finalized in 2018, radically streamlined this process:&lt;&#x2F;p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;One Round-Trip (1-RTT):&lt;&#x2F;strong&gt; The handshake was cut from two round-trips to
one, reducing latency.&lt;&#x2F;li&gt;
&lt;li&gt;&lt;strong&gt;Pre-Shared Key (PSK) Session Resumption:&lt;&#x2F;strong&gt; Returning visitors can resume a
session in zero round-trips (0-RTT), skipping the expensive asymmetric key
generation entirely.&lt;&#x2F;li&gt;
&lt;li&gt;&lt;strong&gt;Faster Algorithms:&lt;&#x2F;strong&gt; Modern deployments favor elliptic curve algorithms
like &lt;code&gt;X25519&lt;&#x2F;code&gt; for key exchange and &lt;code&gt;ECDSA&lt;&#x2F;code&gt; or &lt;code&gt;Ed25519&lt;&#x2F;code&gt; for signatures. These
are orders of magnitude faster and lighter than the classic, bulky RSA keys
of the past.&lt;&#x2F;li&gt;
&lt;&#x2F;ul&gt;
&lt;p&gt;If you profile a modern web application, the resources spent on TLS are a drop
in the bucket. Parsing a JSON payload, running a database query, rendering a
React component, or executing a snippet of JavaScript takes orders of magnitude
more CPU cycles than encrypting a packet.&lt;&#x2F;p&gt;
&lt;hr &#x2F;&gt;
&lt;h2 id=&quot;if-the-compute-cost-is-low-why-encrypt-cat-pictures&quot;&gt;&lt;a class=&quot;zola-anchor&quot; href=&quot;#if-the-compute-cost-is-low-why-encrypt-cat-pictures&quot; aria-label=&quot;Anchor link for: if-the-compute-cost-is-low-why-encrypt-cat-pictures&quot;&gt;&lt;i class=&quot;icon&quot;&gt;&lt;&#x2F;i&gt;&lt;&#x2F;a&gt;
If the Compute Cost is Low, Why Encrypt Cat Pictures?&lt;&#x2F;h2&gt;
&lt;p&gt;If the computational cost is negligible, we still have to ask: what is the
point of encrypting non-sensitive content? If someone intercepts your request
to see a cat picture, they just see a cat picture. Who cares?&lt;&#x2F;p&gt;
&lt;p&gt;The issue isn’t just &lt;strong&gt;confidentiality&lt;&#x2F;strong&gt; (keeping secrets secret). The real
threat is &lt;strong&gt;integrity&lt;&#x2F;strong&gt; (making sure the data isn’t tampered with).&lt;&#x2F;p&gt;
&lt;p&gt;Without TLS, your connection is just plain HTTP. That means every router,
switch, and intermediate network node between your browser and the web server
can read your traffic—and more importantly, they can &lt;strong&gt;modify&lt;&#x2F;strong&gt; it.&lt;&#x2F;p&gt;
&lt;p&gt;This isn’t a theoretical threat. Throughout the 2010s, Internet Service
Providers (ISPs), public Wi-Fi operators, and network gateways repeatedly
behaved like active man-in-the-middle attackers to monetize and track plaintext
web traffic.&lt;&#x2F;p&gt;
&lt;p&gt;Here are a few of the most egregious examples of what ISPs did when they were
allowed to read plaintext streams.&lt;&#x2F;p&gt;
&lt;hr &#x2F;&gt;
&lt;h2 id=&quot;when-isps-act-like-malicious-actors&quot;&gt;&lt;a class=&quot;zola-anchor&quot; href=&quot;#when-isps-act-like-malicious-actors&quot; aria-label=&quot;Anchor link for: when-isps-act-like-malicious-actors&quot;&gt;&lt;i class=&quot;icon&quot;&gt;&lt;&#x2F;i&gt;&lt;&#x2F;a&gt;
When ISPs Act Like Malicious Actors&lt;&#x2F;h2&gt;
&lt;h3 id=&quot;1-verizon-s-supercookie-uidh&quot;&gt;&lt;a class=&quot;zola-anchor&quot; href=&quot;#1-verizon-s-supercookie-uidh&quot; aria-label=&quot;Anchor link for: 1-verizon-s-supercookie-uidh&quot;&gt;&lt;i class=&quot;icon&quot;&gt;&lt;&#x2F;i&gt;&lt;&#x2F;a&gt;
1. Verizon’s “Supercookie” (UIDH)&lt;&#x2F;h3&gt;
&lt;p&gt;From 2012 to 2016, Verizon Wireless silently injected a unique tracking header
called the &lt;strong&gt;UIDH&lt;&#x2F;strong&gt; (Unique Identifier Header) into every unencrypted HTTP
request sent by its mobile users.&lt;&#x2F;p&gt;
&lt;pre class=&quot;giallo&quot; style=&quot;color: #A9B1D6; background-color: #1A1B26;&quot;&gt;&lt;code data-lang=&quot;http&quot;&gt;&lt;span class=&quot;giallo-l&quot;&gt;&lt;span style=&quot;color: #BB9AF7;&quot;&gt;GET&lt;&#x2F;span&gt;&lt;span&gt; &#x2F;cat-pictures&lt;&#x2F;span&gt;&lt;span style=&quot;color: #89DDFF;&quot;&gt; HTTP&lt;&#x2F;span&gt;&lt;span&gt;&#x2F;&lt;&#x2F;span&gt;&lt;span style=&quot;color: #FF9E64;&quot;&gt;1.1&lt;&#x2F;span&gt;&lt;&#x2F;span&gt;
&lt;span class=&quot;giallo-l&quot;&gt;&lt;span style=&quot;color: #F7768E;&quot;&gt;Host&lt;&#x2F;span&gt;&lt;span style=&quot;color: #89DDFF;&quot;&gt;:&lt;&#x2F;span&gt;&lt;span style=&quot;color: #9ECE6A;&quot;&gt; example.com&lt;&#x2F;span&gt;&lt;&#x2F;span&gt;
&lt;span class=&quot;giallo-l&quot;&gt;&lt;span style=&quot;color: #F7768E;&quot;&gt;X-UIDH&lt;&#x2F;span&gt;&lt;span style=&quot;color: #89DDFF;&quot;&gt;:&lt;&#x2F;span&gt;&lt;span style=&quot;color: #9ECE6A;&quot;&gt; 9f8a3c2e1b0d7f...  &amp;lt;-- Injected by Verizon&amp;#39;s network&lt;&#x2F;span&gt;&lt;&#x2F;span&gt;&lt;&#x2F;code&gt;&lt;&#x2F;pre&gt;
&lt;p&gt;Because HTTP traffic was plaintext, Verizon’s network equipment could intercept
the packets in transit, append this custom header, and forward it to the
destination server.&lt;&#x2F;p&gt;
&lt;p&gt;This header acted as an undeletable tracking cookie. Even if users cleared
their browser cookies, blocked trackers, or used incognito mode, third-party
advertising networks (like Turn) could read this injected &lt;code&gt;X-UIDH&lt;&#x2F;code&gt; header and
use it to reconstruct the user’s tracking profile across the web.&lt;&#x2F;p&gt;
&lt;p&gt;Because it was done at the network level, users had no way to disable it. It
was only stopped after a security researcher exposed the practice, leading to
public outcry and a &lt;strong&gt;$1.35 million fine&lt;&#x2F;strong&gt; from the FCC in 2016. If the sites
had been using HTTPS, Verizon would not have been able to inject the header
without breaking the cryptographic signature of the packet.&lt;&#x2F;p&gt;
&lt;h3 id=&quot;2-comcast-s-javascript-injection-in-2017-comcast-users-began-noticing&quot;&gt;&lt;a class=&quot;zola-anchor&quot; href=&quot;#2-comcast-s-javascript-injection-in-2017-comcast-users-began-noticing&quot; aria-label=&quot;Anchor link for: 2-comcast-s-javascript-injection-in-2017-comcast-users-began-noticing&quot;&gt;&lt;i class=&quot;icon&quot;&gt;&lt;&#x2F;i&gt;&lt;&#x2F;a&gt;
2. Comcast’s JavaScript Injection In 2017, Comcast users began noticing&lt;&#x2F;h3&gt;
&lt;p&gt;strange popups appearing on top of the websites they were browsing.&lt;&#x2F;p&gt;
&lt;p&gt;Comcast was using deep packet inspection (DPI) to monitor customer traffic.
When they detected a user was browsing an unencrypted HTTP site, they would
modify the HTML on the fly, injecting custom JavaScript code into the webpage
before it reached the user’s browser.&lt;&#x2F;p&gt;
&lt;p&gt;The injected code was used to display “courtesy notices” telling users they
were approaching their monthly data cap, or warning them that their modem was
out of date.&lt;&#x2F;p&gt;
&lt;p&gt;While Comcast claimed this was a feature to help consumers, injecting arbitrary
JavaScript into third-party websites is incredibly dangerous. It can break the
site’s layout, cause conflicts with the site’s own scripts, and introduce major
security vulnerabilities. If a hacker managed to compromise Comcast’s injection
system, they could have executed arbitrary code on millions of customer
browsers.&lt;&#x2F;p&gt;
&lt;h3 id=&quot;3-hotel-and-airport-wi-fi-ad-injection-if-you-ve-ever-connected-to-a-hotel&quot;&gt;&lt;a class=&quot;zola-anchor&quot; href=&quot;#3-hotel-and-airport-wi-fi-ad-injection-if-you-ve-ever-connected-to-a-hotel&quot; aria-label=&quot;Anchor link for: 3-hotel-and-airport-wi-fi-ad-injection-if-you-ve-ever-connected-to-a-hotel&quot;&gt;&lt;i class=&quot;icon&quot;&gt;&lt;&#x2F;i&gt;&lt;&#x2F;a&gt;
3. Hotel and Airport Wi-Fi Ad Injection If you’ve ever connected to a hotel&lt;&#x2F;h3&gt;
&lt;p&gt;or airport Wi-Fi network and seen a strange floating toolbar at the bottom of
every page, or unexpected ads on sites that don’t usually host them, you’ve
experienced ad injection.&lt;&#x2F;p&gt;
&lt;p&gt;Public Wi-Fi gateways frequently intercept HTTP traffic to inject local
advertisements, promotions, or terms-of-service agreements. By rewriting the
HTML of the websites you visit, they degrade your browsing experience and can
expose your browser to malicious ads (malvertising).&lt;&#x2F;p&gt;
&lt;h3 id=&quot;4-dns-hijacking-and-search-redirection-many-isps-including-charter-cox&quot;&gt;&lt;a class=&quot;zola-anchor&quot; href=&quot;#4-dns-hijacking-and-search-redirection-many-isps-including-charter-cox&quot; aria-label=&quot;Anchor link for: 4-dns-hijacking-and-search-redirection-many-isps-including-charter-cox&quot;&gt;&lt;i class=&quot;icon&quot;&gt;&lt;&#x2F;i&gt;&lt;&#x2F;a&gt;
4. DNS Hijacking and Search Redirection Many ISPs (including Charter, Cox,&lt;&#x2F;h3&gt;
&lt;p&gt;and Rogers) historically practiced DNS hijacking on unencrypted traffic. If you
typed in a non-existent URL (like &lt;code&gt;http:&#x2F;&#x2F;this-does-not-exist.com&lt;&#x2F;code&gt;), instead of
showing a browser error page, the ISP would intercept the request and redirect
you to a custom search page loaded with ads and sponsored links, monetizing
your typos.&lt;&#x2F;p&gt;
&lt;hr &#x2F;&gt;
&lt;h2 id=&quot;the-three-pillars-of-tls&quot;&gt;&lt;a class=&quot;zola-anchor&quot; href=&quot;#the-three-pillars-of-tls&quot; aria-label=&quot;Anchor link for: the-three-pillars-of-tls&quot;&gt;&lt;i class=&quot;icon&quot;&gt;&lt;&#x2F;i&gt;&lt;&#x2F;a&gt;
The Three Pillars of TLS&lt;&#x2F;h2&gt;
&lt;p&gt;When we encrypt the web, we aren’t just hiding passwords. We are establishing
three fundamental guarantees:&lt;&#x2F;p&gt;
&lt;table&gt;&lt;thead&gt;&lt;tr&gt;&lt;th style=&quot;text-align: left&quot;&gt;Guarantee&lt;&#x2F;th&gt;&lt;th style=&quot;text-align: left&quot;&gt;What It Means&lt;&#x2F;th&gt;&lt;th style=&quot;text-align: left&quot;&gt;What Happens Without It&lt;&#x2F;th&gt;&lt;&#x2F;tr&gt;&lt;&#x2F;thead&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style=&quot;text-align: left&quot;&gt;&lt;strong&gt;Confidentiality&lt;&#x2F;strong&gt;&lt;&#x2F;td&gt;&lt;td style=&quot;text-align: left&quot;&gt;Only you and the server can read the data.&lt;&#x2F;td&gt;&lt;td style=&quot;text-align: left&quot;&gt;ISPs, governments, or hackers on your local Wi-Fi can see exactly which pages, articles, and pictures you are viewing.&lt;&#x2F;td&gt;&lt;&#x2F;tr&gt;
&lt;tr&gt;&lt;td style=&quot;text-align: left&quot;&gt;&lt;strong&gt;Integrity&lt;&#x2F;strong&gt;&lt;&#x2F;td&gt;&lt;td style=&quot;text-align: left&quot;&gt;The data cannot be modified in transit.&lt;&#x2F;td&gt;&lt;td style=&quot;text-align: left&quot;&gt;Network middleboxes can inject ads, tracking headers, popups, or malicious scripts into the page.&lt;&#x2F;td&gt;&lt;&#x2F;tr&gt;
&lt;tr&gt;&lt;td style=&quot;text-align: left&quot;&gt;&lt;strong&gt;Authenticity&lt;&#x2F;strong&gt;&lt;&#x2F;td&gt;&lt;td style=&quot;text-align: left&quot;&gt;You are communicating with the real website.&lt;&#x2F;td&gt;&lt;td style=&quot;text-align: left&quot;&gt;An attacker can spoof the website’s identity (e.g., DNS poisoning) and serve you a fake page without your browser raising any warnings.&lt;&#x2F;td&gt;&lt;&#x2F;tr&gt;
&lt;&#x2F;tbody&gt;&lt;&#x2F;table&gt;
&lt;p&gt;Even if you are only looking at cat pictures, you deserve to know that the cat
pictures you are seeing are the actual ones sent by the server, and not a
modified payload injected with tracking scripts and banner ads.&lt;&#x2F;p&gt;
&lt;h2 id=&quot;conclusion&quot;&gt;&lt;a class=&quot;zola-anchor&quot; href=&quot;#conclusion&quot; aria-label=&quot;Anchor link for: conclusion&quot;&gt;&lt;i class=&quot;icon&quot;&gt;&lt;&#x2F;i&gt;&lt;&#x2F;a&gt;
Conclusion&lt;&#x2F;h2&gt;
&lt;p&gt;The push for a 100% encrypted web—championed by projects like &lt;em&gt;Let’s Encrypt&lt;&#x2F;em&gt;,
search engines prioritizing HTTPS, and browsers displaying warnings for
insecure sites—was a necessary response to the reality of the internet’s
infrastructure.&lt;&#x2F;p&gt;
&lt;p&gt;The internet is not a direct wire between your computer and a server; it is a
chain of intermediaries. And history has proven that if those intermediaries
are given the power to read and modify your traffic, they will exploit it for
profit.&lt;&#x2F;p&gt;
&lt;p&gt;Thanks to modern hardware acceleration like AES-NI and the design of TLS 1.3,
we can secure the entire web with virtually zero performance penalty. Encrypted
cat pictures aren’t a waste of compute—they are a victory for user privacy and
web integrity.&lt;&#x2F;p&gt;
</content>
        
    </entry>
</feed>
