Thoughts on Business and Technology

Cost and Benefits of a Secure Web Site

In my previous post I described what you need to do to make your website secure and help protect your users' data. But "there is no free lunch": a secure website has costs of its own. The costs you incur for making your website secure are (1) the cost of the resources needed to support a secure website and (2) the impact on the performance of your website, and hence on the user experience.

(2) User Experience:

Measurements taken on many websites show that SSL has a significant impact on the performance (i.e. the load time) of a website. Tammy has a great post describing the impact of SSL on the performance of a website. You can also read this post on HTTP vs HTTPS for more information.

The following are the major contributors to the slowness of a secure website.

1. The SSL handshake, which runs after the TCP connection is established, is the major overhead.

A plain HTTP request needs one round trip for the TCP three-way handshake before any data flows. An SSL connection adds a handshake on top of that before the first request can be sent (with TLS 1.2 and earlier, two extra round trips for a full handshake and one for a resumed session), plus the time the browser spends validating the certificate. Because the cost is paid in round trips, it is worst for users on high-latency connections, for example in countries where the internet connections are slower or that are far from your data center.

2. Security products such as firewalls and intrusion detection systems.

In-line security devices perform deeper inspection of packets and can add latency. The exact penalty is hard to quantify and depends on the product and its configuration. Note that a device that does not terminate SSL only sees the encrypted stream; inspecting the content of an HTTPS session means decrypting it, which costs more.

3. Desktop anti-virus software.

Like firewalls and intrusion detection systems, desktop security software inspects every file the browser downloads. The cost to page rendering time is hard to quantify, but some penalty is inevitable. The impact varies with the anti-virus product installed on the user's computer and with the composition of the page or resource being rendered in the browser.
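To put numbers on the handshake cost described above, here is an added example (not part of the original post) that uses curl's timing variables to split a request into TCP connect, SSL handshake and time to first byte, and compares http with https for the same host. The host name is an assumption, and the parsing helper is kept separate so it can be checked against a constructed timing line.

```shell
#!/bin/sh
# Added example (not from the original post): measure how much of a page's
# time-to-first-byte goes to the TCP handshake versus the SSL/TLS handshake,
# using curl's -w timing variables. The host name is an assumption.
#
# curl reports cumulative times in seconds since the request started:
#   time_connect        TCP three-way handshake done
#   time_appconnect     TLS handshake done (0 for plain http)
#   time_starttransfer  first byte of the response received

# Print the three raw timings for one request to URL.
curl_timings() {
    url=$1
    curl -s -o /dev/null \
         -w '%{time_connect} %{time_appconnect} %{time_starttransfer}\n' \
         "$url"
}

# Turn one timing line ("tcp tls ttfb" in seconds) into a summary in ms,
# including the share of time-to-first-byte spent on the TLS handshake.
# For http the middle column is 0, so tls_ms and tls_pct are 0.
summarize_timings() {         # stdin: one line from curl_timings
    awk '
        function ms(s) { return int(s * 1000 + 0.5) }
        {
            tcp = $1; app = $2; ttfb = $3
            tls = (app > 0) ? app - tcp : 0
            pct = (ttfb > 0) ? int(tls / ttfb * 100 + 0.5) : 0
            printf "tcp_ms=%d tls_ms=%d ttfb_ms=%d tls_pct=%d\n",
                   ms(tcp), ms(tls), ms(ttfb), pct
        }'
}

# Compare http and https for the same host, N samples each. Samples after
# the first may show a cheaper (resumed) handshake if curl reuses the
# session; run each sample as a fresh process so they do not.
compare_schemes() {           # $1 = host (assumed), $2 = samples per scheme
    host=$1; samples=${2:-5}
    for scheme in http https; do
        i=0
        while [ "$i" -lt "$samples" ]; do
            printf '%s ' "$scheme"
            curl_timings "$scheme://$host/" | summarize_timings
            i=$((i + 1))
        done
    done
}

# Live run only when asked for, so sourcing this file has no side effects:
#   RUN_LIVE=1 HOST=www.example.com sh tls_cost.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
    compare_schemes "${HOST:-example.com}" 5
fi
```

Run it from the regions you care about (the handshake cost scales with round-trip time, so a run from your own data center will understate it), and compare the tls_pct column with the plain http column for the same host.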

There are ways to reduce the cost of SSL on performance and user experience. Some of them are listed below.

  • Dynamic HTML content: keep persistent connections between the CDN edge servers and the data center (for example Akamai DSA), so that each user request does not pay for a new connection to the origin.
  • Static content (images, JS/CSS): serve it from a CDN with good regional coverage, with edge nodes in the countries where your users' connections are slower, such as Brazil, Australia and India, so that their HTTPS connections terminate nearby.
  • Reduce the number of domains used for static content. Every additional domain on the page costs the browser another TCP connection and SSL handshake, so fewer domains means fewer connections and less negotiation time.
  • Terminate the SSL connection closer to the user, using your own points of presence (local mini data centers) or a commercial service such as Akamai DSA. The handshake round trips then run over the short path to the edge, which keeps a warm connection back to the origin.
  • Reduce the time the browser spends checking certificate revocation: choose a CA whose OCSP responders are fast (for example GlobalSign), or enable OCSP stapling, so that the server delivers a recent OCSP response inside the handshake and the browser does not have to contact the CA at all.
  • Early flush: send a small dummy object early so that the browser establishes the SSL connection in parallel with the rendering of the page, saving time.
  • Use SPDY (supported by Chrome and Firefox), which multiplexes requests over a single SSL connection; its ideas were later carried into HTTP/2.
  • Implement lazy loading of images (download images only when the user scrolls to them).
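The checks below are an added example, not from the original post, for verifying three of the mitigations listed above on a live site: whether the server staples OCSP responses, whether it resumes sessions (so that repeat handshakes take one round trip instead of two), and how many distinct https origins a page pulls resources from. The host names are assumptions; each live command is paired with a parser that works on captured output, so the logic can be exercised offline on constructed samples.

```shell
#!/bin/sh
# Added example (not part of the original post). Host names are assumptions.

# 1. OCSP stapling. With -status, s_client prints the stapled OCSP response
#    (if the server sent one) before the certificate chain; otherwise it
#    prints "OCSP response: no response sent".
stapling_status() {           # stdin: output of `openssl s_client -status`
    if grep -q 'OCSP Response Status: successful'; then
        echo stapled
    else
        echo "not stapled (browser must contact the CA's OCSP responder)"
    fi
}
check_stapling() {            # $1 = host
    openssl s_client -connect "$1:443" -servername "$1" -status \
        </dev/null 2>/dev/null | stapling_status
}

# 2. Session resumption. s_client prints "Reused, TLSv1.2, ..." when the
#    second connection resumed the saved session and "New, ..." when it
#    had to do a full handshake.
resumption_status() {         # stdin: s_client output for the 2nd connection
    if grep -q '^Reused,'; then echo resumed; else echo full-handshake; fi
}
check_resumption() {          # $1 = host
    sess=$(mktemp)
    openssl s_client -connect "$1:443" -servername "$1" -sess_out "$sess" \
        </dev/null >/dev/null 2>&1
    openssl s_client -connect "$1:443" -servername "$1" -sess_in "$sess" \
        </dev/null 2>/dev/null | resumption_status
    rm -f "$sess"
}

# 3. Distinct https origins referenced by a page. Each one costs the browser
#    at least one TCP connection plus one SSL handshake, so this is the
#    number to drive down when consolidating static-content domains.
#    (Only absolute https:// URLs are counted; relative URLs share the
#    page's own origin and need no extra handshake.)
count_https_origins() {       # stdin: HTML
    grep -o "https://[^/\"'[:space:]]*" | sed 's#https://##' \
        | sort -u | wc -l | tr -d ' '
}
check_origins() {             # $1 = page URL
    curl -s "$1" | count_https_origins
}

# Usage on a live host (assumed name):
#   check_stapling www.example.com
#   check_resumption www.example.com
#   check_origins https://www.example.com/
```

If the first check reports "not stapled", on nginx the fix is `ssl_stapling on;` with `ssl_stapling_verify on;` in the server block; if the second reports a full handshake on the second connection, make sure a shared session cache (for example `ssl_session_cache shared:SSL:10m;`) is configured on every node behind the load balancer, since a session saved by one node is useless if the next connection lands on another that does not know it.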

(1) Cost to Serve:

The cost in resources, such as CPU utilization on the devices that terminate SSL (load balancers, traffic servers or front-end servers), depends on your architecture. Before deciding to migrate to SSL (i.e. to make the website secure), run experiments and analysis to understand the cost of SSL on those resources, and make sure the architecture can scale to serve current and future traffic over SSL. The handshake is the expensive part: each full handshake costs the server a private-key operation, while resumed sessions and long-lived connections are comparatively cheap, so the rate of new connections matters more than the total request volume.
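For the experiments this paragraph asks for, here is an added example (not from the original post) of a back-of-the-envelope capacity check: with the usual RSA certificates, each full SSL handshake costs the terminating server one RSA private-key operation (resumed sessions skip it), so the signing throughput reported by `openssl speed rsa2048` on the terminating box bounds how many new sessions per second one core can absorb. The peak rate and headroom figures are constructed assumptions, not measurements.

```shell
#!/bin/sh
# Added example (not from the original post): rough capacity check for the
# "cost to serve". Peak connection rates and headroom are assumptions.

# Extract the RSA-2048 sign time (seconds per operation) from
# `openssl speed rsa2048` output and turn it into signatures/s for one core.
# The per-op time is used rather than the printed sign/s column so the
# parser does not depend on which columns a given OpenSSL version prints.
rsa2048_sign_per_sec() {      # stdin: openssl speed output
    awk '$1 == "rsa" && $2 == "2048" && $3 == "bits" {
        t = $4; sub(/s$/, "", t)          # "0.000611s" -> 0.000611
        printf "%d\n", int(1 / t + 0.5)
        exit
    }'
}

# Cores needed so that `peak` full handshakes/s use at most `headroom`
# (0..1) of the measured signing capacity of one core, rounded up.
cores_for_handshakes() {      # $1 = peak full handshakes/s, $2 = sign/s per core, $3 = headroom
    awk -v peak="$1" -v rate="$2" -v headroom="${3:-0.5}" 'BEGIN {
        c = peak / (rate * headroom)
        n = (c == int(c)) ? c : int(c) + 1
        print n
    }'
}

# Run on the box that will terminate SSL. 5000 new sessions/s and 50%
# headroom are assumed figures; substitute your own peak from access logs
# (new connections, not requests: keep-alive and resumed sessions are cheap).
measure_live() {
    rate=$(openssl speed -seconds 1 rsa2048 2>/dev/null | rsa2048_sign_per_sec)
    echo "rsa2048 sign/s per core: $rate"
    echo "cores for 5000 new handshakes/s at 50% headroom: $(cores_for_handshakes 5000 "$rate" 0.5)"
}
```

This deliberately ignores the symmetric encryption of the response bodies, which is cheap by comparison on modern CPUs, and the ECDH operation that ECDHE cipher suites add to each full handshake; treat the result as a lower bound and confirm it with a load test that opens fresh connections rather than reusing them.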
