I also agree with your thoughts on the speed issues. A decade back, you could really tell the difference in load times between visiting a secure page and one that wasn’t. Current hardware plus broadband has really washed that out.

I’d have to think more about the PGP solution. Are you suggesting only doing public key encryption, or using public key to encrypt a private key? The former is pretty slow and does tend to bloat messages, and the second seems to just be a different kind of key exchange. Maybe I’m just missing something?

Slowness wise, it shouldn’t make any sort of difference unless you have a very very slow (processor wise) machine. On the server side, you can just pregen and/or cache the encrypted pages, so no problem there.

SSL is overkill. A public key / private key encryption scheme (like PGP) would be fine. No need for per-session key exchange and such which really does add latency. And PGPish encryption would have the significant benefit of ensuring the page is actually written by who it says it is (assuming the normal constraints that public key is from a trusted server and the private key is private of course).

Anyway, I have thought about this quite a bit since the early days of the web, and never found a real reason “why not”… especially now that the decryption is basically nothing compared with the power of the average computer (in the olden days, it would have actually slowed things down).

All that said, it does appear that Tor does provide a reasonable option for people that both care about the issues and are comfortable with a technical solution that will obviously take at least some care and feeding.

It’s clearly not a fix for the problem as a whole, but it is something end users can do to protect themselves from their ISPs.

We can presumably work around this by having everyone set up a Tor server, but that’s clearly not going to be an option for most users for a whole variety of reasons.

Barry: You’re right about the times, especially the whole negotiation phase at the beginning. And I hadn’t even thought about the issues of encrypting images, and pages with content from multiple sites. Ugh. It definitely would be better if we can simply thwack the stupid ISPs into behaving than end up with great oceans of SSL just because of a few bad apples. I’d be a little anxious for people who don’t have (or don’t realize that they have) ISP options. The set of those without options is probably shrinking daily, but the set of people who aren’t aware of their options is probably large, and the kind of people who’d use this sort of software are probably above a little FUD to keep the less confident/knowledgeable users in line.

CoryQ: Agreed. It really scks that the whole intarweb has been a brilliantly frustrating series of case studies in the tragedy of the commons.

So it’s a good idea, but I’d hate to have to use it. Better to shun the ISPs that do things like this. And there’ll definitely be a market for ones that don’t, because those that do will be hurting their own customers with it.