HTTPS has been around for a while, but is it the right time to make the switch from HTTP? Considering that online presence is a “must” for all serious businesses, the performance of their online assets has also become increasingly important. Having that in mind, one of the main concerns about web performance is how to make a user’s online experience pleasant but safe at the same time. Only being present online is just not enough anymore and a business web presence needs to add value for its customers. Beside quality content and user experience, online security is a key factor along with delivery speed.
A great and safe online experience requires trusted third parties and a good encryption, which is the main reason why HyperText Transfer Protocol Secured (HTTPS) was implemented. For quite some time HTTPS was considered the “slow but safe” way of delivering online services.
How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%
Tweet this: HTTPS is no longer the “slow but safe” way for online services
Times have changed, and in order to fully understand the new advantages of HTTPS it’s important to know the differences between HTTP and HTTPS.
HTTP: The Protocol
At the start of the Internet era, network administrators wanted to find a simple way to share information they put online. They agreed on a procedure for exchanging information called HyperText Transfer Protocol (HTTP).
Now, HTTP is an “application layer protocol,” which means that it focuses on presenting the information to the user and doesn’t really care how the data gets from sender to receiver. Also, it’s “stateless” which means it doesn’t attempt to remember anything about previous web sessions. The main benefit to being stateless it that there is less data to send, which results in increased speed.
Tweet this: HTTP is stateless – doesn’t remember anything about previous web sessions
HTTP is most commonly used to access HTML pages, but other resources too can be utilized through HTTP access. Usually, websites which don’t handle confidential information would setup their websites like that.
HTTPS: The Safe Protocol
If you visit an online merchant you’ll notice the address bar says HTTPS instead of HTTP. It means the website is using a HyperText Transfer Protocol Secure (HTTPS) instead of a usual HTTP. The “secure http”, was developed to allow authorization and secured transactions. Exchanging confidential information requires safe procedures in order to prevent unauthorized access, and this is where HTTPS jumps in. It works in conjunction with another protocol, the Secure Sockets Layer (SSL), to transport data safely.
By doing so, the computers agree on a “code” between them, and then encrypt the messages using that “code” so nobody between can access them. They use the “code” on a Secure Sockets Layer (SSL), sometimes referred as Transport Layer Security (TLS), to exchange information. This keeps information safe from intruders.
In many ways, HTTPS is identical to HTTP as it follows the same basic protocols. However, if a client (e.g. Web browser) establishes a connection to a server on a standard port, HTTPS offers an extra layer of security because it uses SSL.
To get a bit more detailed, data sent using HTTPS and secured via TLS provides three key layers of protection:
- Encryption of data to keep it secure
- Data Integrity as it cannot be modified or corrupted during the transfer without being detected
- Authentication which makes sure users communicate safely with the intended website
Tweet this: TLS key protection layers: Encryption, Data Integrity and Authentication
Both HTTP and HTTPS don’t really care how the data gets delivered. While, on the other hand, SSL doesn’t care what the data looks like.
That is why HTTPS combines the best of both segments. It gives importance to what the user gets visual access, but also provides an extra layer of security when moving data from sender to receiver.
Is HTTPS Faster Than Ever?
A recent tweet and a follow-up blog post, claimed a massive HTTPS speed advantage over classic HTTP. It used the httpvshttps.com site to compare the two protocols which pointed out that HTTPS was actually 80% faster than it’s “non-safe” counterpart (we got 90% when we ran the test on the site).
Tweet this: HTTP/2 and TLS improvements made HTTPS faster than ever
Although the results are staggering, further reading points out how it’s mostly due to HTTP/2, the updated version of HTTP over which the HTTPS operates, that allow such high level performances (the site compared an old HTTP protocol to the new HTTPS operating over HTTP/2). It’s true that HTTPS will only be faster when using HTTP/2, but on the other hand you cannot use HTTP/2 without using HTTPS.
In the past, there might have been some increased latencies due to HTTPS requiring more procedures to be executed. However, with best practices in place like early termination, cache-control and HTTP/2, factors such as the latency of the TLS handshake and additional roundtrips are becoming things of the past. Newer protocols, better hardware, and faster connections are making up for the delays and enabled delivery of high speed website performances over HTTPS thus making the “slow but safe” description completely obsolete.
To break it down, in the past HTTPS’ security component was a traffic “bottleneck” which caused delays. Today the TLS segment is able to follow through all the speed requirements and enables the HTTPS protocol to deliver high-end performance.
It’s safe to claim that HTTPS got faster than ever but it’s mainly because of the underlying HTTP/2 and notable TLS performance improvements over the years.
Improving HTTPS Performance
There are a few things to do in order to cancel out delays and improve HTTPS performance. Mainly it’s about implementing early termination, caching and utilizing HTTP/2. Here’s a list of possible HTTPS improvements:
- HTTP Strict Transport Security
- Cache-Control
- Early Termination
- OCSP Stapling
- HTTP/2
- HPACK Compression
- Brotli
Also, this article by KeyCDN can give you deeper insights into HTTPS performance improvements.
The earlier mentioned blog post described a way to reach HTTP/2 speed even if the origin website works with an older protocol (e.g. HTTP/1.1) by “wrapping” the site with a content delivery network. Then, if requests are directed to a domain which can’t talk HTTP/2, the protocol can be returned as “h2” (which is the identifier for HTTPS over HTTP/2), because all requests get routed through a CDN which can talk “h2”. Of course if the CDN needs to pull content from an origin that doesn’t talk “h2” then there might still be a minor bottleneck in the connection, but many requests won’t come from the origin anyway as most traffic gets served directly from cache. The ability of a CDN to deliver over “h2” makes a significant impact to speeds even when the origin is deployed with older protocols.
Conclusion
HTTPS is here, and it’s here to stay. The SSL performance impact is not as important as it used to be. The web is definitely moving in a new direction and TLS handshakes and certificates are no longer slowing down web performance. The are lots of methods to even further improve your HTTPS performance and reduce overhead.
Also, since recently price was a big factor when it came to considering migration to HTTPS. But today the costs associated with purchasing SSL certificates have significantly dropped. For instance, KeyCDN’s recent integration with Let’s Encrypt allows customers to deploy HTTPS with a custom zonealias for free (as they pointed out in a recent blog post about HTTPS performance). It’s safe to say that this trend is taking the price factor out of the equation for most customers.
Transition to HTTPS is also recommended as SEO practice and in order to keep up with Google as it gives a slight boost to your site.
To sum up, if you wanna go fast, serve content over HTTPS using HTTP/2. Of course we always recommend adequate testing considering your needs as different setups and environments can vary. For any further questions on the topic, feel free to contact our experts at GlobalDots as they can help you boost your web assets performances.