Andrew Widjaja

@andrewwidjaja

How migrating to HTTPS can slow down your site

Update: Added additional methods of speeding up a HTTPS connection.

Migrating your site to HTTPS ensures that the data transferred between your site’s server and visitors is encrypted and thus secure. It also allows visitors to verify the site’s identity and is also a positive ranking factor in Google’s search engine.

When you visit a HTTPS website there’s an additional handshake in order to establish the secure connection. The handshake involves 2 full round trips, so data needs to travel 4 times the distance between the location of the visitor and the location of the site’s server.

These 2 full round trips are fine if the visitor is located close to the site’s server, but this becomes an issue for visitors located far from the site’s server.

Even at the fastest possible speed in the universe with light travelling through a vacuum (299,792,458 m/s) it will take 212 ms (53 ms x 4) just to establish the secure connection between a server in Sydney, Australia and a visitor from New York. But this time doesn’t take into account the reduced speed of light travelling through fibre optic cable, routing, and the time it takes to verify the SSL certificate and compute the master secret key. Using webpagetest.org I found that it takes around 500 ms for a visitor in New York to establish a secure connection with a server in Sydney, Australia.

The additional half a second to establish a secure connection will result in a poor browsing experience for your users which may result in a drop in traffic and revenue. Amazon stated that every 100 ms in latency costs them 1% in sales. Google also noticed that a half a second delay resulted in a 20% drop in traffic. So this additional 500 ms delay can have a significant impact.

How do we reduce the time to establish a secure connection?

TLS False Start and TLS Session Resumption are TLS extensions that can help by reducing the round trip to one for new and returning visitors. But this still results in a significant latency of 250ms in our example. Your server will need to support ALPN and forward secrecy cipher suites to support TLS False Start in most browsers.

Is there a way of reducing this time further? The most logical way is to ensure your server is close to your visitors, as this will reduce the round trip time. The simplest way of doing this is by terminating the TLS connection close to your visitors using a CDN edge, but this would mean the data travelling between the CDN edge and the site’s server is unencrypted and thus not secure. Another way is to set up web servers closer to the location of your visitors, but if your site receives traffic across the globe, setting up a server in every continent may not be a feasible solution.

Is there anything being worked on that will help speed up HTTPS? TLS 1.3 is the latest version of the TLS protocol and is more secure and faster. TLS 1.3 introduces single round trip handshakes for new connections. It also allows visitors who have previously visited the site to send encrypted data on the first message, this is known as 0-RTT (zero round trip). As TLS 1.3 is relatively new it is only available in the development versions of browsers and isn’t enabled by default.

Migrating your website to HTTPS has major benefits, but you need to be aware of the additional latency it can bring, especially for visitors who are located far from your server.

More by Andrew Widjaja

Topics of interest

More Related Stories