101 on HTTPS Web Site Performance Impact
I recently analyzed a secure web page that took 20 seconds till the onLoad event triggered. Once on the site – interacting with the site was slow as well - especially when dealing with dynamic content like the auto completion for the search field or dynamic popup menus.
The site had no fancy images, no animations or heavy JavaScript during startup. It turned out that 70% of the time was spent in SSL handshaking. With a simple change on the web server the 14 seconds could be trimmed down to 2. Before explaining this exact problem lets start with some background and then lets see what can go wrong with HTTPS web site.
HTTP vs. HTTPS
Secure connections in web applications are a necessity when dealing with sensitive data such as your financial information in your online banking system or your customer data in your online CRM. To secure the transferred content between your web server and the browser you use HTTPS. There is obviously overhead involved when establishing a secure connection vs a plain HTTP connection. In order to keep the overhead as low as possible for your web site you have to understand some of the underlying basics.
What it takes to download secure content by the browser?
Every browser has multiple physical connections per domain that are used to download the initial HTML page and then all the referenced embedded objects. The number of physical connection depends on the browser version. Each physical connection needs to establish the connection to the web server. In case it is a secure connection it requires an SSL Handshake as explained in the following blog post: The SSL Handshake.
As long as the connection is kept alive – secure communication is possible without additional handshaking. Once a connection is closed (e.g.: forced by the server) the browser needs to reconnect for the next request including the costly SSL Handshake.
The browser is also using different physical connections for different domains – meaning – that static content (images, scripts, css, …) that is delivered from a different domain must establish its own connection. If these objects are also served secure (intentional or not) you have to deal with the extra handshake cost.
Lets have a look at a sample page and all its depending requests and lets see how many SSL handshakes are necessary:
https://www.mydomain.com -> 1st phys. connection on www.mydomain.com – 1st handshake
https://www.mydomain.com/logo.png -> reuse 1st phys. connection -> no handshake
https://www.mydomain.com/background.png -> 2nd phys. connection to www.mydomain.com – 2nd handshake
https://image1.mydomain.com/image1.gif -> 1st phys connection on image1.mydomain.com -> 3rd handshake
https://image1.mydomain.com/image2.gif -> 2nd phys connection on image1.mydomain.com -> 4th handshake
https://image1.mydomain.com/image3.gif -> reuse 1st phys connection -> no handshake
https://ssl.google-analytics/siteopt.js=… -> 1st phys connection on ssl.google-analytics.com -> 5th handshake
https://scripts.mycdn.com/main.js -> 1st phys connection on scripts.mycdn.com -> 6th handshake
…
I guess you see that there is a lot of handshaking going on that you may not be aware of. The example above shows a browser with 2 physical connections. In case you deal with a browser that uses more than 2 connections, image3.gif would also need do an SSL handshake.
Considerations when using HTTPS
There are different things to consider in order to not run into HTTPS related performance problems. Some of these considerations are also valid for non HTTPS applications but result in a higher performance hit due to the handshaking overhead. The problem that I described in the intro section boiled down to be caused by the web server that forced the browser to close the connection after every request resulting in SSL handshakes for every request that was still to come. There are other – more generic things that you should consider that can speed up your website performance. Let’s take a closer look by starting with the problem I had.
Use Connection Keep-Alive
Using the dynaTrace AJAX Edition I analyzed the URL in question and was surprised to see the following Summary View
dynaTrace AJAX Edition Summary View
The Page Load Time column tells me the time until the onLoad event was triggered for this URL. The Network Pie Chart shows me all the network activity on that page (also activity that happened after the onLoad event was triggered) divided into Connection Time, Server Busy and actual Transfer time. And this is where it gets interesting. On the total page I had 24 seconds spent in establishing the physical network connection. Why is that? How can an SSL handshake take that long?
Drilling from here into the Network View showed me each individual Network Request and how much time was spent on the individual tasks (Connect, Transfer, Server, Wait):
dynaTrace AJAX Edition Network View
This view shows me that almost every request (except those that came from the local browser cache) had to take a huge hit in network connection time. The connection time for each single network request ranges from 0.5 to 1.1 seconds. If you sum that up you get to the very slow page load time. But why is that?
Looking at the HTTP request details you can see that the web server responded with Connection: close instead of keep-alive. This forces the browser to close the physical connection after the request and requires the next request to re-establish the connection (including the costly SSL handshake). This is true for all the requests to load the initial page as well as all requests triggered by JavaScript (AJAX) when modifying the page (loading dynamic menus or requesting auto complete when typing search keywords).
The solution to this problem is to enable connection keep-alive on the web server so that the browser can send subsequent requests on the same established SSL connection.
General Optimization Rules
There are many general optimization rules that obviously help here as well. Like – limiting the number of web requests, using CDNs (Content Delivery Networks), using client side caching, avoid redirects, …
For a complete list check out the Best Practices for Speeding Up Your Web Site
Use Domain Sharding for HTTPS scenarios?
One concept to overcome the physical connection limit of browsers is Domain Sharding. If you have many embedded objects like images, style sheets or java script files it is a common practice to put these on a separate domain. The browser will then have another set of physical connections to download the content from these domains. The problem with secure content is that every physical connection that is opened needs to do the expensive SSL handshake – therefore resulting in higher page load time. So – you want to be careful with that.
Suggestions?
What are your thoughts on that topic? What about using mixed content? Meaning – using HTTPS for secure content and HTTP for unsecure content (like images, scripts …) on the same page? You probably end up with many warning messages in the browser – but would this be something to accept to gain faster page speed? Let me know your thoughts.
[...] This post was mentioned on Twitter by dynaTrace software and Franz See, Tomaž Muraus. Tomaž Muraus said: 101 on HTTPS Web Site Performance Impact http://bit.ly/4qACXs #web #http #https [...]
[...] The rest is here: 101 on HTTPS Web Site Performance Impact Performance, Scalability … [...]
[...] 101 on HTTPS Web Site Performance Impact Performance, Scalability … [...]
Interesting, thanks for the post.
Domain Sharding? If the images and other static files are put in a different domain using only http, wouldn’t the https page complains about Mixed secure content? That’s gonna be ugly.
@Henry
You are correct – it’s a bit ugly. thats why I raised that question at the end of my blog. I am hoping for feedback from you out there with alternative suggestions. any ideas besides those points that I listed?
[...] 101 on HTTPS Web Site Performance Impact Performance, Scalability … [...]
We needed to address this very issue not too long ago and it amazes me that more hasn’t been written about HTTPS page performance so it good to see it raised here. I did a lot of research looking for help on this issue but there’s not a lot out there. Eventually came across a website accelerator called Aptimize and trialled it on our https pages – amazing acceleration for both our HTTP and HTTPS pages. Had read about domain shading but increase page load speed was a priority for us.
[...] 101 on HTTPS Web Site Performance Impact Performance, Scalability … [...]
101 on HTTPS Web Site Performance Impact…
Thank you for submitting this cool story – Trackback from DotNetShoutout…
If you are using Apache you can get around those additional handshakes by using SSL session caching:
http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslsessioncache
Where this can become an issue is if you have more than one machine serving content. One solution is to use distcache to distribute the SSL sessions to every machine:
http://distcache.sourceforge.net/
A lot of modern hardware and software load balancers can also handle SSL session caching.
SSL handshake time depends on SSL cypher algorithm you use. It’s possible to use different certificate (with lesser cyphering quality but still using HTTPS) to reduce SSL handshaking time from one hand and get rid of browser wranings from the other.
There is something missing in HTML5 – signed content.
There are a lot of data which are not required to be secure/private/encrypt but trusted. These data can be cached and transfer using plain HTTP.
It could be done by digital signing using PGP or MD5 or else.
For example,
browser will run a JS only if it is signed.
information / announcement from Bank/Gov
If it happen, data needed to transfer in HTTPS could be minimized. Trusted HTML & JS, with classified data can be JSON via HTTPS.
[...] 101 on HTTPS Web Site Performance Impact Performance, Scalability and Architecture – Java and .NET…blog.dynatrace.com [...]
Cookies are shared between http and https connections. This means you need to take care not to request anything from the same cookie domain, as it would reveal you cookies to the world.
@Tamas: Cookies with attribute “Secure” will not be shared beetween http/https connections so this is not an argument. Anyway – using http content on https is not an option (security warnings = tons of user complains).
@Thrull:
You know it, I know it, but by default eg. tomcat does not set the session cookie as secure, thus they are shared.
I agree with you; it is better not annoy the user with useless warnings.
You can combine all your images into one image file and use CSS sprites to display them.
http://css-tricks.com/css-sprites/
In fact mixed content one one page isn’t a good idea either. To be more exact, it’s really bad when your visitors/users are not technicians as browser alerts make them feel unprotected. My suggestion is to embed graphics into HTML or use CSS sprites on HTTPS pages. Also it makes sense to cut out graphic design from secure pages.
[...] The network times should be split up into wait time (the delay until a browser connection available), DNS lookup time, transfer time and server time. This is especially useful in diagnosing network related problems. Further we want to see HTTP Headesr to find improper caching configuration or problems like HTTPS related connection problems. [...]
You know, i was really impress by your article. It is what i need. Thanks so much for what you have shared.
[...] Network Resource Issues: 101 on HTTPs Web Site Performance Impact [...]
[...] For completeness: We also see DNS Time and Connect Time. DNS Time is the time it takes to lookup a domain name. If you embed resources from many different domains this might become a problem. This is often seen on sites that host multiple external ads or include scripts from different external locations. Connect Time is the time it takes to establish a physical connection to the server. This depends on the number of domains involved as well as whether you use HTTP or HTTPS. The HTTPS Handshake is accounted to the Connect Time. For more information on HTTP/HTTPS overhead check out my blog about 101 on HTTPS Performance Impact [...]
Création site internet bretagne…
Merci pour cet article intéressant. Bien à vous…….
This is my first time i visit have visited here. I found many interesting stuffs in your article. Well-done!
Awesome Review. HTTP is more popular because it has more advantages.
Freelance web designer
Your blogs has lots of information, thank you.
generic viagra
viagra generic
Awesome Reviews dude. HTTP is more popular because it has more advantages than https. Logical? Maybe but one has to think before acting so to speak.
best regards from antony,
betalningsanmärkningar
Very nice and informative post keep sharing
Really nice blog, very informative. Thanks dude for wonderful posting. Keep it up in the future as well.
This is really a nice stuff and reviews. Thank for sharing. As per my opinion https is more secure than http.
Norway
Amazing stuff and info. Thanks for sharing with me. In my opinion https is way more secure than http. Then again, Im not an expert though. Im from Norway
If HTTPS is more secure than HTTP, why don’t more companies and sites use it?
Informative post. HTTPS , they just require a slow handshake at the initial stage. The encryption or decryption will be a bit slower in HTTPS.
Really useful information. May I publish on my website?
@Hakan: sure – go ahead
This is especially useful in diagnosing network related problems. Further we want to see HTTP Headesr to find improper caching configuration or problems like HTTPS related connection problems… thanks
Connect Time is the time it takes to establish a physical connection to the server. This depends on the number of domains involved as well as whether you use HTTP or HTTPS
You can combined all your site images in a same folder and then use CSS to display the images.
Does it mean resources have identical contents, but are served from different URLs ?
Cookies are shared between http and https connections. This means you need to take care not to request anything from the same cookie domain, as it would reveal you cookies to the world.
Thanks for explaining how browsers download data and the number of connections required to do this. Is this what they change when they release new browsers like IE8 and Google Chrome?
Yeah-the number of physical connections is different between browser versions. From a best practice perspective it is important to test your page load times with the most popular browsers
Hi, Nice idea,good things, There are many people searching about that,now they will find enough sources by your post.
nice,
inspirational
thank you
I am very thank you to share this article,it’s very good,I hope you can split more,and I will carry on to read,thanks!
I had no idea that HTTPS could make such a difference to website performance
[...] If you need to maintain session information across the whole site take a close look at your reasons for mixing http and https… do you have external resources that are served over http? Well you can use a proxy for that. Is it due to performance reasons? The handshake is the most expensive part, so minimize the number of handshakes and you should be doing ok. There’s good information to be found on the mod_ssl page (read the section on cach settings). There’s also a really nice writeup with lots of helpful links and useful comments on this blog post from DynaTrace. [...]
[...] This is especially useful in diagnosing network related problems. Further we want to see HTTP Headers to find improper caching configuration or problems like HTTPS related connection problems. [...]
Very nice sharing,thanks a lot.
Google makes me sick with his https. I can’t get my keywords anymore ><
interpretation des rêves
I Am Going To have to come back again whenever my course load lets up – nevertheless I am getting your Rss feed so i can read your site offline. Thanks.
Useful information like this one must be kept and maintained so I will put this one on my bookmark list! Thanks for this wonderful post and hopping to post more of this. ceiling fan with lights
You can only perceive real beauty in a person as they get older.
You produce a great point in your own final paragraph. We couldn’t agree more together with your points. In today’s modern world, your approach to this issue is lacking in today’s kids. We need to ensure that our kids find out more on this topic so we never lose our ways.
website design new york
결혼이란거 완전골깐다 나도 결혼준비해야하는데 환장하겟음 돈도 들이기 싫고 시간도 들이기 싫고 웨딩사진은 죽어도 찍기싫고 상대방은 나보다 더 넌더리를 냄
Good – I should definitely say I’m impressed with your blog. I had no trouble navigating through all the tabs as well as related info. The site ended up being truly simple to access. Excellent job..
Great job. Well with your permission allow me to grab your rss feed to keep up to date with incoming post. Thanks a million and please keep up the delightful work.
This is my action web apportionment. The postings are really single and also out perpendicular executing with the new creativeness and Personage with the new uncongenial ideas and concepts. Really I am ready for whatsoever overmuch new posts from you. Fix up your Excellency.
Took a lot of time to read but I really found this very interesting and informative, thank you buddy for sharing.
Nice post..very helpful for us..thanks for sharing us.