Alpine with Session Encryption
Alpine with Session Encryption
One obstacle is session encryption (also known as Secure Socket Layer or SSL). When session encryption is enabled, all communication between the browser and the Alpine server is scrambled such that an eavesdropper would find it extremely difficult to observe the contents. When disabled, all communication, except for your username and password, between the browser and Alpine server takes place in clear text and is easily observable.
While encryption and decryption require some extra computing resources, the heaviest performance cost has to do with default browser behavior. Usually browsers retain a copy of pages and their various elements, such as images, for a time with the intent of avoiding costly network communication next time that page or a page containing the same elements is requested. However, to be extra careful of potentially exposing sensitive information, many browsers default behavior is not to retain copies of elements retrieved over encrypted connections. Thus, Alpine's performance cost has to do with the browser re-requesting common elements on the various Alpine pages.
Typically, from a computer connected directly to the campus network (or other high-speed network such as DSL or cable-modem) this performance cost is not noticeable. However, a user on a slower, modem-connected computer can be severely effected.
There are two ways to work around this situation. One is to alter the browser's configuration to retain elements on pages served securely. The downside is that this setting often will then apply to all secure pages, not just Alpine. The other work around is to disable session encryption for Alpine. The downside is that communication between the Alpine server and your computer, except for passwords, is visible.
The likelihood that the communication will be observed depends on the path the communication takes over the network. For example, while using a computer in a campus lab or laptop connected to a wireless hub, it is not unthinkable that someone on the local network may be watching traffic. In such situations the communication speed is high enough to offset the performance cost, so session encryption is a pretty good idea. Similarly, communication between the Alpine server and a computer connected to a campus modem, is not likely to travel over a publicly accessible network, so malicious eavesdropping is much less likely. Given the slower communication speed and reduced risk of observation, disabling session encryption while connected via modem is reasonable.
Alpine knows about the campus modem pools, and will adjust the "Session Encryption" default setting based on whether or not the browser you are using appears to be running on a computer connected to a campus modem pool. Modem pool connections will default to not using session encryption. All other connections will default to using session encryption. That is, a computer on the campus network or connected to a network or dial-in service outside the UW will have its Alpine session encrypted unless you uncheck the box labelled "SSL Session Encryption." If you are on a slow connection and confident that your connection is not likely to travel any hostile path, or otherwise decide the performance benefit outweighs the risk of observation, then unchecking the box may be a reasonable option for you.
Please note: Session encryption only ensures that communication between your browser and the Alpine server is secure. It does not mean email messages you send from Alpine are in any way safe from observation or otherwise confidential.