It wouldn't delay the page load time, so it doesn't seem like it would be slow or very noticeable. As a user, at most you'd notice ads popping up a few seconds after the page loaded. But users without adblock are used to such things. And as long as the adware reserves a blank space on the page to display ads, the ads won't mess with the layout of the page when they load.
EDIT: Why has this been downvoted twice? It's absolutely correct.
It's a strange day when you post something unambiguously true to HN and it gets summarily downvoted.
The only part that isn't unambiguously true is that "most users without adblock are used to such behavior already." But I stand by that phrase, because "most users" are people who understand almost nothing about about computers.
Remember, downvotes are reserved for trolls and people you disagree with, not something which you think is "maybe untrue but I don't know whether it's true." I've complained in the past about having to write epic edits because people don't follow this so I have to explain myself further.
Maybe you want more explanation about how precisely the above MITM would work? Here's how: The page loads. This completes normally, and the user doesn't see anything differently. In the meantime, Superfish reads the network traffic that has loaded. It also has injected some javascript in order to reserve a spot on the page to display ads. This would be a big blank space where the ads go after they load.
Now the network traffic is sent off to China or wherever. It's analyzed on a server, then the server sends back commands to Superfish about what to do, like "Display ad 91234128 at X,Y spot on the webpage."
The total roundtrip time would be no more than a few seconds. China isn't the moon. Half the speed of light is fast.
Thank you for the lecture on downvotes. You are 100% wrong because we are discussing the presence of the private key. Your scenario imagines an intelligent proxy that interacts with China intelligently. In that scenario the private key remains on the end user machine to enable low latency as you describe. The upthread poster presented the scenario wherein the key is not distributed on end user machines for security reasons, but that then means the key must live on the theoretical server in China (otherwise how else would you encrypt a connection against your certificate), which would require passing the entire TLS connection through that server to perform the MITM.
This subthread is about private key distribution. It's really poor form for you to react to being downvoted (as legitimately wrong) by lengthening your comment by a factor of 5 and lecturing people about downvotes.
No, you don't need to pass the TLS connection to China to perform an MITM. Superfish would generate a cert at installation time, unique to the specific user that was being targeted. The channel back to China would be protected by TLS too, but it wouldn't be MITM'able by anyone except Superfish HQ, unless they lose their private key.
I disagree that it's poor form to react to downvotes when they're wholly unjustified. Maybe I did a bad job explaining myself. In that case, I should explain myself better. That's a positive thing, not a negative. Reddit has this stupid trope like "Complaining about downvotes? That's a paddlin'." Which if you think about it just a self-reinforcing culture of bandwagoning. But I imagine that this is now entirely offtopic and boring, so let's focus on the tech.
Again, irrelevant. This thread isn't "sillysaurus3 imagines how he would implement the perfect proxy," it's correcting an assumption about the actual existing proxy. I suggest if you want to pursue your off topic study of how to implement a proxy that doesn't introduce latency while performing the functionality, you do it elsewhere.
You should also read the HN guidelines before explaining downvote etiquette to me, because they will surprise you, apparently.
Why should I do it elsewhere? This is a thread about an interesting tech topic, and maybe some people might find that aspect interesting. This is the last comment I'm going to write to you because this is now wholly uninteresting to readers. I'll never understand this mindset of "Oh, well, there might be a misunderstanding here, but rather than clarify it calmly and rationally, I'll take this as a license to be angry and mean."
Who cares if someone thought that the proxy was going to work like X, but it turned out to work like Y? What matters is that if it can work like Z, then Z should be pointed out, especially if it enables some interesting aspect that people previously hadn't noticed. Anyway, you've successfully killed the fun of HN for me for the day, so see you later.
It says a lot about you that you think a calm explanation of your downvotes, as you are plainly in hysterics over them, is me being angry and mean. I meant elsewhere in the thread. You corrected someone who was correcting someone else, and you were wrong about the spirit of your correction. I was calmly suggesting that if you want to think through such a hypothetical you shouldn't do it as a misplaced correction.
You really need to unplug for a bit. I'm dead serious.
Your post is off topic and misses the point entirely which is why you are being down voted. Routing all http traffic to China and back would certainly introduce noticeable delay in page load times.
That wouldn't avoid storing the key on the local machine, since the MITM server still needs to be on the local proxy.
I have no idea why you're chasing this thing. The gist of nailer's original post was asking why the private key was accessible. Whether the local proxy talked to a box in China or not seems completely irrelevant.
