In my previous post i described what you need to do to make your website secure to help protect your user’s data, but “There is no free lunch”, there are costs associated with a secure website. The cost you incur for making your website secure can be (1) The cost of resources needed to support a secure website and (2) The impact on the performance of your website and hence the User Experience.
(2) User Experience :
Results of various experiments conducted on many websites show that SSL has significant impact on the performance ( a.k.a load time ) of a website. Tammy of WebPerformanceToday.com has a great post describing the impact of SSL on performance of a website. You can also read this post on Http Vs Https for more information.
Following are some of the major contributors to the slowness of a secure website
1. SSL negotiation during TCP connection is the major overhead.
The SSL handshake involves more steps to establish a connection than a regular TCP connection, this is worse in countries where the internet connections are slower.
2. Security products like Firewalls/Intrusion Detection Systems.
In-line security systems performance deeper inspection of packets and might result in extra latency. However It’s difficult to quantify the exact performance penalty caused by security products.
3. Desktop anti-virus software.
Similar to Firewalls or Intrusion Detection Systems desktop security software inspect every file being downloaded from a browser. Its hard to quantify the cost on performance or rendering time in the browser due to anti-virus software, However certain performance penalty is inevitable. The performance impact may vary based on the anti-virus software installed on the user’s computer and the composition of the page/resource being rendered in the browser.
There are ways to minimize the cost of SSL on performance / User Experience. some of the solutions are listed below.
- Dynamic html content: persistent CDN connections between edge servers and data center, such as Aakamai DSA
- Serve static content (images, js/css) from better regional CDN located in countries with slower internet connections, like Brazil, Australia, and India for faster https connections.
- Reduce number of domains used for static content as higher number of domains in the page results in more https connections / negotiation time. This will help reduce the number of connections initiated by the browser.
- Terminate SSL connection closer to the user. This can be achieved by the use of Point of Presence ( local mini data centers ) or Commercial solutions like Akamai DSA.
- Reduce the time it takes to fetch SSL certificates by switching to faster service ( CA GlobalSign ) or by employing techniques like OSCP Stapling
- Early Flush of a dummy object to establish SSL connection in parallel to the rendering of the page, to save time
- Use SPDY ( Chrome & FF are supporting )
- Implement image laze loading ( only download images when the user scrolls )
Cost to Serve :
The cost on the resources such as the CPU utilization in the devices ( a.k.a. Load Balancers, Traffic Servers or Front End Servers ) depends on your architecture and hence before a decision is made to migrate to SSL ( i.e. making a website secure ), experiments / analysis should be conducted to understand the cost of SSL on resources and ensure the architecture is scalable to serve the current and future traffic with SSL.