HTTPS vs. HTTP performance

Source: Internet
Author: User
Tags: decrypt, ssl, certificate

(Reference: 78911734 52469787 http://www.jb51.net/article/134653.htm)

1 Preface

HTTPS plays a key role in protecting user privacy and preventing traffic hijacking, but at the same time it also slows down user access and increases the computing resource consumption of the web server.

This article mainly describes the impact of HTTPS on the user experience.

2 Concepts and differences between HTTP and HTTPS

(1) HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) is an HTTP channel designed with security as its goal; put simply, it is the secure version of HTTP. An SSL layer is added beneath HTTP, so the security of HTTPS rests on SSL, and the details of the encryption are handled by SSL. It is a URI scheme whose syntax is the same as that of the http: scheme and is used for secure HTTP data transfer. An https: URL indicates that HTTP is used, but HTTPS has a different default port from HTTP and an encryption/authentication layer (between HTTP and TCP). The system was initially developed by Netscape to provide an authenticated and encrypted method of communication, and it is now widely used for security-sensitive communication on the World Wide Web, such as transaction payments.

(2) The Hypertext Transfer Protocol (HTTP) is the detailed specification of the rules for communication between a browser and a World Wide Web server; it is the transfer protocol used to carry World Wide Web documents across the Internet.

(3) HTTPS requires a certificate issued by a CA; free certificates are rare, and most must be paid for.

HTTP is the Hypertext Transfer Protocol and transmits information in plaintext; HTTPS is a secure transport protocol with SSL encryption.

HTTP and HTTPS use completely different connections and different ports: the former uses 80, the latter 443.

An HTTP connection is simple and stateless. HTTPS is a network protocol built from SSL+HTTP that provides encrypted transmission and identity authentication, and is therefore more secure than HTTP.

3 The impact of HTTPS on access speed

Before introducing speed optimization strategies, let's look at how HTTPS affects speed. The impact comes from two main aspects:

The network RTT (round-trip time) added by protocol interaction.
The computation time of the encryption and decryption involved.
Let's look at each in turn.

3.1 Increase in network time

Because both HTTP and HTTPS require DNS resolution, and in most cases the DNS cache is hit, the DNS resolution time of the primary domain name is ignored in order to highlight the contrast.

When a user accesses http://www.baidu.com (or www.baidu.com) over HTTP, the network interaction takes the following time:

Figure 1: Network time of the first HTTP request

It can be seen that the user only needs to complete the TCP three-way handshake to establish a TCP connection and can then send the HTTP request directly and obtain application-layer data; no computing resources are consumed during the entire visit.

Now look at the HTTPS access process. Compared with HTTP it is much more complex, and in some scenarios accessing over HTTPS may add 7 RTTs. For example:

Figure 2: Effect of the first HTTPS request on access speed

HTTP time = TCP handshake

HTTPS time = TCP handshake + SSL handshake

The network time required by the first HTTPS request breaks down as follows:

1, Three-way handshake to establish a TCP connection. Costs 1 RTT.
2, A GET request is sent over HTTP, and the server returns a 302 redirect to https://www.baidu.com. Costs 1 RTT plus the 302 redirect delay.
a) In most cases the user does not manually enter https://www.baidu.com to access HTTPS, so the server can only return a 302 to force the browser to redirect to HTTPS.
b) Processing the 302 redirect in the browser also takes time.
3, Three-way handshake to re-establish a TCP connection. Costs 1 RTT.
a) After the 302 redirect to the HTTPS server, a three-way handshake is again required to establish a TCP connection, because the port and server are different.
4, TLS full handshake, phase one. Costs at least 1 RTT.
a) This phase mainly completes cipher suite negotiation and certificate authentication.
b) The server and browser negotiate a common key exchange algorithm, symmetric encryption algorithm, content integrity check algorithm, certificate signature algorithm, elliptic curve (not needed for non-ECC algorithms), and so on.
c) After obtaining the certificate, the browser needs to check its validity, for example whether it has expired or been revoked.
5, DNS resolution for the CA site. Costs 1 RTT.
a) After obtaining the certificate, the browser may need to send an OCSP or CRL request to query the certificate status.
b) The browser first obtains the CA's domain name from the certificate.
c) If the cache is not hit, the browser needs to resolve the CA domain name via DNS.
6, Three-way handshake to establish a TCP connection to the CA site. Costs 1 RTT.
a) After DNS resolves to an IP, the three-way handshake must be completed to establish a TCP connection.
7, Send the OCSP request and receive the response. Costs 1 RTT.
8, Full handshake, phase two. Costs 1 RTT plus computation time.
a) Phase two of the full handshake is mainly key negotiation.
9, After the full handshake completes, application-layer (i.e. HTTP) data is transferred between the browser and the server.

Of course, not every request needs an additional 7 RTTs to complete the first HTTPS request. Fewer than 0.01% of requests are likely to go through all of these steps, and they must meet the following criteria:

1, It must be the first request, that is, the first request sent after a TCP connection is established; subsequent requests on that connection do not go through these steps again.
2, A full handshake must occur, whereas under normal circumstances 80% of requests can use the abbreviated handshake.
3, The browser must have OCSP or CRL checking enabled. Chrome turns OCSP off by default, while Firefox and IE have it on by default.
4, The browser must miss the OCSP cache. OCSP responses are generally updated every 7 days, and Firefox's query period is also 7 days, which means an OCSP query happens once every 7 days.
5, The browser must miss the DNS cache for the CA site. The CA's DNS name is resolved only when the DNS cache entry has expired.
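To make the nine-step breakdown and the five criteria above concrete, here is an added Python model (not part of the original article) that counts the round trips on the network critical path of a first request under each combination of conditions. The step names, the one-RTT cost per step and the rule that the OCSP lookup only happens on a full handshake with OCSP enabled and a cache miss are taken from the text; treating the abbreviated handshake as one RTT and ignoring the 302 processing delay and all computation time are simplifying assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class FirstRequest:
    """Conditions of a first request on a fresh TCP connection (criteria 1-5 above)."""
    https: bool = True
    typed_https: bool = False    # user typed https://, so no 302 redirect
    full_handshake: bool = True  # False = abbreviated handshake via session cache
    ocsp_enabled: bool = True    # browser has OCSP/CRL checking turned on
    ocsp_cached: bool = False    # browser still holds a fresh OCSP response
    ca_dns_cached: bool = False  # CA/OCSP host name is in the DNS cache

def rtt_breakdown(req: FirstRequest) -> list[tuple[str, int]]:
    """(step, RTT cost) pairs on the network critical path; primary-domain DNS
    is ignored as in the text, and computation time is not modelled."""
    steps = [("TCP three-way handshake", 1)]
    if not req.https:
        return steps  # HTTP: the GET follows immediately
    if not req.typed_https:
        steps.append(("HTTP GET answered with 302 to https://", 1))
        steps.append(("TCP three-way handshake to port 443", 1))
    steps.append(("TLS handshake phase 1 (suite negotiation, certificate)", 1))
    # Revocation lookup only on a full handshake with OCSP on and an OCSP cache miss.
    if req.full_handshake and req.ocsp_enabled and not req.ocsp_cached:
        if not req.ca_dns_cached:
            steps.append(("DNS lookup of the CA/OCSP host", 1))
        steps.append(("TCP three-way handshake to the CA/OCSP host", 1))
        steps.append(("OCSP request and response", 1))
    if req.full_handshake:
        steps.append(("TLS handshake phase 2 (key exchange)", 1))
    return steps

def total_rtt(req: FirstRequest) -> int:
    return sum(cost for _, cost in rtt_breakdown(req))

def extra_rtt_vs_http(req: FirstRequest) -> int:
    """Round trips HTTPS adds over a plain HTTP first request."""
    return total_rtt(req) - total_rtt(FirstRequest(https=False))

if __name__ == "__main__":
    cases = {
        "plain HTTP": FirstRequest(https=False),
        "worst-case HTTPS": FirstRequest(),
        "OCSP response cached": FirstRequest(ocsp_cached=True),
        "typed https://, session resumed": FirstRequest(typed_https=True, full_handshake=False),
    }
    for name, req in cases.items():
        print(f"{name:32s} {total_rtt(req)} RTT (+{extra_rtt_vs_http(req)} vs HTTP)")
        for step, cost in rtt_breakdown(req):
            print(f"    {cost} RTT  {step}")
```

Running it shows the worst case at 8 RTTs (7 more than HTTP) and how each criterion that is not met removes round trips, down to 2 RTTs for a resumed session reached directly over https://.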

3.2 Increase in computation time

The previous section only described the pure network time that must be spent on the HTTPS critical path; it did not include the CPU-intensive computation time. In fact the computation time is not small (more than 30ms). Looking at the browser side and the server side respectively:

1, Browser computation time
a) RSA certificate signature verification: the browser needs to decrypt the signature and compute the certificate hash. If there is a chain of multiple certificates, the browser needs to verify each of them.
b) RSA key exchange requires encrypting the premaster secret with the certificate's public key. This takes little time, but on a phone with poor performance it may still take 1ms.
c) ECC key exchange requires computing an elliptic-curve public/private key pair.
d) ECC key exchange requires using the certificate's public key to decrypt the ECC public key sent by the server.
e) ECC key exchange requires computing the master key from the server's public key.
f) Symmetric encryption and decryption of application-layer data.
g) Integrity checking of application-layer data.
2, Server computation time
a) RSA key exchange requires decrypting the premaster secret with the certificate's private key. This process is very performance-intensive.
b) ECC key exchange requires computing an elliptic-curve public/private key pair.
c) ECC key exchange requires using the certificate's private key to encrypt the ECC public key.
d) ECC key exchange requires computing the shared master key from the browser's public key.
e) Symmetric encryption and decryption of application-layer data.
f) Integrity checking of application-layer data.

Because client CPUs and operating systems vary widely, the computation time cannot be generalized. HTTPS computation on a mobile phone is relatively performance-intensive; by a simple estimate it adds at least 50ms of delay. On the PC side the computation adds at least 10ms of delay.

Server performance is generally strong, but because the RSA certificate private key is much longer than the keys the client works with, the server's computation latency will also be more than 5ms.

4 HTTP and HTTPS pros and cons

4.1 HTTPS advantages:

Security aspects

In the current technical context, HTTPS is the most secure solution under the current architecture, with the following benefits:

1, Using the HTTPS protocol can authenticate users and servers, ensuring that data is sent to the correct client and server;
2, HTTPS is a network protocol built from SSL+HTTP that provides encrypted transmission and identity authentication, so it is more secure than HTTP; it prevents data from being stolen or altered in transit and ensures data integrity.
3, HTTPS is the most secure solution under the current architecture. Although it is not absolutely secure, it greatly increases the cost of a man-in-the-middle attack.

4.2 HTTPS disadvantages:

Technical aspects

1, In the same network environment, HTTPS increases page load time by nearly 50% and increases power consumption by 10% to 20%. In addition, HTTPS affects caching, increasing data overhead and power consumption.

2, The security of HTTPS has a limited scope: it plays almost no role against hacker attacks, denial-of-service attacks, server hijacking and the like.
3, Most critically, the SSL certificate chain of trust is not secure. In particular, where CA root certificates can be controlled by certain countries, a man-in-the-middle attack is just as feasible.

Cost aspects

1, Professional SSL certificates must be purchased, and the more powerful the certificate, the higher its cost. Personal sites and small sites can choose an entry-level free certificate.
2, An SSL certificate usually needs to be bound to a fixed IP, and adding a fixed IP to the server adds a certain cost;
3, HTTPS consumes far more server-side resources, so the same load increases the bandwidth and server investment;
Since HTTPS has so many shortcomings, should it not be done? Of course, as technology develops, many of these shortcomings can be optimized and made up for. For example:
The page-load speed problem can be solved with CDN acceleration, and many IDCs are also launching free certificates and one-stop HTTPS setup services, so the cost of HTTPS will be greatly reduced in the future!

5 Should we do HTTPS anyway?

Research found that most people take a wait-and-see attitude toward HTTPS: they recognize the security of HTTPS, but after considering all aspects they have decided not to move their website to HTTPS for now. There are mainly the following two kinds of views:

Affirmative views

1, HTTPS has better encryption, avoiding leakage of user information;
2, HTTPS's more complex transmission mode reduces the risk of website hijacking;
3, Search engines fully support crawling and indexing HTTPS, and will give priority to displaying HTTPS results;
4, From a security point of view, I personally feel HTTPS should be done, though it can be enabled only for pages shown after login;
5, The HTTPS green lock indicator can increase users' trust in the website;
6, The basic cost can be controlled; certificates and servers have ready-made support programs;
7, The website loading speed can be made up for with a CDN, but security cannot be neglected;
8, HTTPS is the development trend of the network and will have to be done sooner or later;
9, It can effectively prevent knock-off and mirror sites;

Opposing views

1, HTTPS will reduce user access speed and increase the site server's computing resource consumption;
2, Search engines currently index only a small portion of HTTPS content, so a wait-and-see attitude should be maintained;
3, HTTPS requires applying for an encryption certificate, increasing operating costs;
4, Baidu's current priority for displaying HTTPS has no obvious effect, while Google's is more obvious;
5, The technical threshold is higher, and we don't know how to do it;
6, The current site does not involve private information, so HTTPS is not needed;
7, Compatibility needs improvement, for example robots files are not supported and alliance ads are not supported;
8, The security of an HTTPS website is limited; a site that is going to be hacked will be hacked anyway;
9, HTTPS maintenance is more troublesome, and as long as search engines support HTTP there is no need to do HTTPS;

1, HTTPS performance loss

The discussion above covered the principles and advantages of HTTPS: authentication, information encryption and integrity checking, with no modification to the TCP and HTTP protocols. But achieving more secure communication by adding a new protocol has a cost, and the performance loss of HTTPS is mainly reflected in the following:
(1). Increased delay
Analysis of the handshake process above shows that a full handshake requires at least two round trips between the two communicating ends, adding at least two RTTs of delay; using the session cache to reuse the connection, the added delay is still at least 1 RTT.
(2). More CPU consumption
In addition to data transmission, HTTPS communication mainly consists of symmetric encryption/decryption and asymmetric encryption/decryption (the server mainly uses its private key to decrypt data). On a single TS8 CPU core: the symmetric algorithm AES-CBC-256 has a throughput of 600Mbps, and asymmetric RSA private-key decryption runs at 200 operations/s. Ignoring other software-level overhead, symmetric encryption for a 10G network adapter needs about 17 CPU cores, and a 24-core CPU can accept 4800 HTTPS connections per second;
On a static node, the HTTP access capacity of the current 10G-NIC TS8 model is about 10w/s (100,000 per second). If all HTTP connections were turned into HTTPS connections, RSA decryption would obviously be the first bottleneck. Therefore, RSA decryption capacity is the main problem currently troubling HTTPS access.

2, HTTPS access optimization

(1). CDN access
The delay added by HTTPS is mainly the transmission delay RTT, and RTT is characterized by being smaller the closer the node is; a CDN is by nature the closest to the user, so choosing a CDN as the entry point for HTTPS access can greatly reduce the access delay. By maintaining controllable methods such as long-lived connections, session multiplexing and link quality optimization toward the business server, the CDN node greatly reduces the latency caused by HTTPS.
(2). Session caching
Although it was mentioned earlier that HTTPS still has at least 1 RTT of added delay even with the session cache, the delay has at least been halved, an obvious improvement. At the same time, an HTTPS connection based on the session cache does not require the server to perform an RSA private-key decryption to obtain the premaster secret, which eliminates that CPU consumption. If the business access connections are well arranged and the cache hit rate is high, HTTPS access capacity increases significantly. On the current TRP platform the cache hit rate exceeds 30% at peak time, and 10k/s of access resources can actually carry 13k/s of access, a very impressive result.
(3). Hardware acceleration
Install a dedicated SSL hardware accelerator card in the access server; acting like a GPU, it frees up the CPU and allows higher HTTPS access capacity without affecting business processing. In testing, one hardware accelerator card can provide 35k decryptions/s, equivalent to 175 CPU cores or at least 7 24-core servers; considering the cost of the access server's other components, one hardware card can achieve the access capacity of nearly 10 servers.
(4). Remote decryption
Local access consumes too much CPU while wasting NIC and disk resources. Moving the most CPU-intensive task, RSA decryption, to other servers lets the access server play to its strength and make full use of bandwidth and NIC resources. The remote decryption server can be a machine with low CPU load, reusing machine resources, or a server dedicated to and optimized for high computational performance. Today this is also one of the solutions for large-scale HTTPS access on CDNs.
(5). SPDY/HTTP2
The methods above improve HTTPS access performance by reducing transmission delay and per-connection load, but they are optimizations that do not change the HTTP protocol. SPDY/HTTP2 builds on the advantages of TLS/SSL and improves HTTPS performance by modifying the protocol itself, increasing download speed and more.
