• 11

A PHP Error was encountered

Severity: Notice

Message: Undefined index: userid

Filename: views/question.php

Line Number: 191


File: /home/prodcxja/public_html/questions/application/views/question.php
Line: 191
Function: _error_handler

File: /home/prodcxja/public_html/questions/application/controllers/Questions.php
Line: 433
Function: view

File: /home/prodcxja/public_html/questions/index.php
Line: 315
Function: require_once

name Punditsdkoslkdosdkoskdo

HTTPS overhead compared to HTTP

HTTPS is the encrypted version of HTTP, and nowadays it is becoming a common practice to encrypt all the web traffic, not only sensitive one.

The drawback of HTTPS, apart from the need to buy expensive certificates and being dependent of a third party Certification Authority, is the increased CPU load (for the actual encryption) and bandwidth consumption (for addition protocol negotiation).

This overhead is not only a server side problem, but also a higher latency perceived by the client.

What is the actual overhead in terms of CPU load, bandwidth and latency?

What's the state of the art (on software, hardware and best practices) to reduce this overhead?

      • 1
    • Sidenote: you can get free class 1 certificates at Startcom. As for the encryption, there is hardware support for AES used for disk encryption. You could look into the possible of hardware support for OpenSSL HTTPS.
  • Price : There's heaps of CA's and resellers that provide well supported SSL certificates that are even affordable for your Mom's recipe website, let alone for business use. Besides a couple of free ones, as in beer, others are still cheaper then a pint. So no issue there.

  • Latency is increased by switching to HTTPS : the initial SSL handshake requires two extra roundtrips before the connection is established, compared to just the one roundtrip required to establish a TCP connection to the plain unencrypted HTTP port. So effectively it will take three times as long before the first data is received by your users.

From: High Performance Browser Networking by Ilya Grigorik

  • Bandwidth Increase : The used bandwidth will increase slightly as the header size will increase by a number of bytes for protocol reasons and the effective payload will decrease a due to the framing overhead, and some ciphers will use padding as well. Assume a common MTU of 1500 bytes packet size ; the HTTPS protocol overhead will still leave at least 1400 bytes effective payload data size, therefore in max 6-7% increase in bandwidth.

  • CPU Load : The most computational expensive part is the public key exchange, after which a relatively efficient symmetric cypher is used. Most quotes suggest that modern commodity hardware does not require SSL offload cards to deal with that overhead.

In January this year (2010), Gmail switched to using HTTPS for everything by default. Previously it had been introduced as an option, but now all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10 KB of memory per connection and less than 2% of network overhead. Many people believe that SSL/TLS takes a lot of CPU time and we hope the preceding numbers (public for the first time) will help to dispel that.

If you stop reading now you only need to remember one thing: SSL/TLS is not computationally expensive any more. -- Adam Langley (Google)

A good resource is chapter 4 from High Performance Browser Networking by Ilya Grigorik

In conclusion, the overhead except for the latency in establishing a new connection, is negligible.

What is best, it depends on your needs... Using a CDN might become more expensive when you also need SSL support for instance.

  • 12
Reply Report
    • @pacerier I said well supported i.e. accepted without warning messages by the vast majority of current browsers. Those are cheap. Cheap enough not to use self signed certificateso. EV certificates that give the green bar are a marketing tool and not significantly different from normal certificates from a technical perspective.
      • 2
    • @HBruijin, What would be some examples? certs are useless if they aren't accepted. From a Chrome's perspective, "a user go to a https page and see a green bar" compared to "a user go to a https page and see a Warning page with no obvious way to proceed" is a huge difference.

Trending Tags