Hypertext Transfer Protocol Secure (HTTPS) could slow your site down, but the advantages of using HTTPS connections far outweigh the potential disadvantages. In fact, not using a secure connection is website suicide. After all, would you drive your vehicle without insurance? Moreover, there are a number of ways you can optimise your HTTPS web pages’ performance and have the best of both worlds: fast connections and website security.
Let’s first look at some definitions and acronyms.
- HTTPS (Hyper Text Transfer Protocol Secure) is the secure version of HTTP, the protocol over which data is exchanged between your browser and the website that you are connected to. It ensures that all communications between your browser and the website are encrypted.
- SSL (Secure Sockets Layer) is standard security technology for establishing an encrypted link between a server and a client—typically a website and a browser, or a mail server and a mail client.
- TLS (Transport Layer Security) is the heir to SSL, and the terms are generally used interchangeably although there are some differences (outside the scope of this article).
- TLS handshake refers to the processes of authentication and data stream encryption to secure the exchange of information. It’s called a handshake because it enables the client and server to establish the secret keys with which they communicate; kind of like passing a note, hidden in the palm of your hand, to someone. It’s this communication that is the primary cause of possible slow HTTPS page
- Round-trip – An exchange of data between client and server, e.g. when the client greets the server and the server replies, that is one round-trip. A full TLS handshake involves two round-trips.
- Cypher suite is a set of cyphers used to provide privacy, authentication and integrity for data passed between a server and client in an SSL session. It can be viewed as a set of agreed and private rules the client and server use to encrypt and decrypt messages.
- Content Delivery Network (CDN) – Provides alternative server nodes around the world from which users can download resources. Because these nodes are geographically closer to users, latency is reduced and content is delivered and downloaded faster.
HTTP versus HTTPS
When it comes to the speed at which web pages are served, the difference between HTTPS and HTTP, in a nutshell, is that there is extra processing, viz. an authentication process through which the client and the server introduce themselves and exchange assurances of legitimacy. HTTP makes a simple request and receives a simple response, but HTTPS requires an additional round of introductions and pleasantries before any data can be exchanged.
How could HTTPS slow my site down?
The controversy surrounds two primary processes: encryption and authentication.
Encryption: Encrypted websites are more resource-hungry than unencrypted sites. While this is true, it’s not that important because computer hardware and browser technologies these days are extremely sophisticated and can easily handle the extra processing needed to secure your website. In addition, the algorithms used by modern cypher suites are supported directly by the CPU, which helps it to operate at maximum efficiency.
Authentication (establishing a secure connection): The TLS handshake is like a complicated meet and greet between people from different cultures; lots of nodding, bowing and exchanging gifts before getting down to business. However, it’s not as network intensive as you might think. The most resource-intensive part of an SSL connection is its initial creation; after that, the communication between client and server speeds up considerably. Two technologies, False Start and Session Resumption, improve performance by shortening the handshake or by allowing communication to happen before it is completed, i.e. after a quick bow, guest and host can get down to business while simultaneously opening gifts and nodding at each other.
Why do you need an SSL certificate?
You need an SSL certificate to make a secure connection in the first place. You can read more about SSL certificates here. But let’s review some of the reasons a security certificate is essential.
Cybercrime is a reality and not just something that happens to straying spouses on Ashley Madison-type websites or to the gullible who respond to Nigerian 419 scams. Identity theft is on the increase. McAfee and the Center for Strategic and International Studies (CSIS) estimated that the likely annual cost of cybercrime to the global economy is $445 billion a year. While browsers these days do help you to identify potentially unsafe sites, many of these incidents happen because websites don’t use SSL. Google recommends that all e-Commerce sites are SSL-certified, and if you’re dealing with credit cards on your site, it’s mandatory by law that you have one to ensure PCI-DSS compliance.
It’s not just online businesses that are at risk from internet fraudsters. If your website is a read-only one, you can get away with not having an SSL certificate but if not, you need to take precautions. At particular risk are websites that:
- Require and authenticate passwords and login names.
- Have a subscription service that requires users to give you their email addresses or other sensitive information.
- Process financial information, like credit card numbers, bank accounts, social security numbers, etc.
- Contain confidential subject matter, for instance, medical, legal or political content.
HTTPS performance optimisation is a highly technical issue, but there are a few simple things that can be done to improve the performance of HTTPS.
- HTTP Strict Transport Security (HSTS) restricts browsers to accessing web servers only over HTTPS. This improves performance by eliminating unnecessary HTTP-to-HTTPS redirects.
- Always use HTTPS for all resources on a page. Including HTTP resources in a page download may slow browsers down because they need to request permission to download content that is not secure.
- Caching is the process whereby a browser stores copies of resources so it can access them at a later stage. You can manage HTTPS caching with the Cache-Control header. Session Resumption caches keys and connection information on both the client and the server so they can be retrieved faster later.
- False Start, as mentioned earlier, is an optional TLS protocol extension that allows the client and server to start transmitting encrypted application data when the handshake is only partially complete (one round-trip instead of two). This means that the time needed for the TLS handshake is reduced.
- Early termination reduces the latency caused by the TLS handshake. By serving your content from a Content Delivery Network (CDN), you can also reduce the latency cost of each call between the client and the server because one of the core functions of a CDN is to reduce the physical distance between the user and the website.
- One performance advantage of using HTTPS is the ability to use Brotli compression, an open source compression algorithm developed by Google as an alternative to Gzip, Zopfli, and Deflate. It is used to speed up web browsers.
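The first two items in the list above (HSTS and HTTPS-only resources) can be checked automatically. The following is an added example, not code from the original article: it audits one response for a missing or short-lived HSTS policy and for subresources that would load over plain HTTP. The `MIN_MAX_AGE` threshold, the function names and the sample response are assumptions made for illustration.

```python
from html.parser import HTMLParser

MIN_MAX_AGE = 15552000  # assumed policy threshold (180 days), not from the article

def parse_hsts_max_age(value):
    """Return max-age in seconds, or None when the directive is absent or malformed."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.strip().lower() == "max-age":
            return int(arg) if arg.isascii() and arg.isdigit() else None
    return None

class MixedContentFinder(HTMLParser):
    """Collect subresources an HTTPS page would request over plain HTTP."""
    SRC_TAGS = {"script", "img", "iframe", "audio", "video", "source"}
    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        # Stylesheets load via <link href>; plain <a href> is navigation, not a subresource.
        if tag == "link" and "stylesheet" in a.get("rel", "").lower():
            url = a.get("href", "")
        else:
            url = a.get("src", "") if tag in self.SRC_TAGS else ""
        if url.strip().lower().startswith("http://"):
            self.insecure.append((tag, url.strip()))

def audit(headers, html):
    """Return a list of findings for one HTTPS response (header dict plus HTML body)."""
    hsts = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    max_age = parse_hsts_max_age(hsts) if hsts else None
    findings = []
    if max_age is None:
        findings.append("HSTS header missing or invalid")
    elif max_age < MIN_MAX_AGE:
        findings.append("HSTS max-age too short: %d" % max_age)
    finder = MixedContentFinder()
    finder.feed(html)
    return findings + ["mixed content: <%s> %s" % item for item in finder.insecure]

# Constructed sample response (hypothetical hosts), embedded so the example runs offline.
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=300; includeSubDomains"}
SAMPLE_HTML = (
    '<link rel="stylesheet" href="http://cdn.example.test/site.css">'
    '<script src="https://cdn.example.test/app.js"></script>'
    '<a href="http://example.test/about">About</a><img src="http://img.example.test/logo.png">'
)
```

Calling `audit(SAMPLE_HEADERS, SAMPLE_HTML)` flags the five-minute HSTS lifetime, the stylesheet and the image, while the HTTPS script and the ordinary hyperlink pass.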
Conclusion
The impact of using secure connections is negligible and worth any inconvenience. Two examples of internet companies that paved the way:
- Google: The impact on the giant search engine is calculated at 2% on network overhead and <1% of CPU load. Also, in 2014 Google announced that in their rankings algorithm they would be favouring websites that serve traffic over HTTPS.
- Facebook: In 2013 Facebook switched to HTTPS using a couple of smart techniques to reduce connection times: leveraging Edge networks and reducing handshakes.
How to speed up your website with or without an SSL certificate is the subject of a different article, but there are many ways to do this without forgoing an SSL certificate. Bear in mind that Amazon reported increased revenue of 1% for every 100 milliseconds improvement to their site speed.
Localnode recommends using a trusted SSL. We recently partnered with Comodo, a global internet security provider and registered Certificate Authority (CA), to sell and issue SSL certificates. Comodo is one of the originators of the CA forum and the second largest owner of root keys (core encryption keys) in the world. Read more about Comodo and SSL certificates at this blog post.