{"id":668230,"date":"2018-05-15T14:00:56","date_gmt":"2018-05-15T12:00:56","guid":{"rendered":"https:\/\/wp-rocket.me\/?p=668230"},"modified":"2022-02-25T16:42:48","modified_gmt":"2022-02-25T15:42:48","slug":"https-affects-website-performance","status":"publish","type":"post","link":"https:\/\/wp-rocket.me\/blog\/https-affects-website-performance\/","title":{"rendered":"How HTTPS Affects Website Performance"},"content":{"rendered":"

The \u201cS\u201d in HTTPS stands for \u201csecure\u201d and that security is provided by SSL (aka TLS). It makes sense that you\u2019d want to secure your site, right? After all, there are up to 90,000 attacks on WordPress sites every minute<\/a>.<\/p>\n

But for some reason, there\u2019s a pervasive myth that SSL is slow. That installing an SSL certificate on your site will introduce too much overhead and slow things down. That might\u2019ve been the case more than a decade ago, but this is 2018 and Google searches are now all done over HTTPS by default for 40,000 search queries per second.<\/p>\n

In fact, when Google switched to HTTPS for everything by default, the search giant didn\u2019t deploy additional machines or special hardware. Senior Staff Software Engineer Adam Langley who works on Google’s HTTPS serving infrastructure and Chrome’s network stack writes that<\/a> SSL has limited impact on web performance:<\/p>\n

On our production front-end machines, SSL\/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead.<\/p><\/blockquote>\n

If Google can implement SSL, you can too. Plus, you kind of have to \u2013 from July when Chrome 68 is released<\/a>, websites that are not using HTTPS will be labeled as \u201cnot secure\u201d in the address bar.<\/p>\n

In this post, we\u2019ll take a look at how HTTPS affects website performance, as well as a few tips on how you can improve HTTPS performance for your site.<\/p>\n

What\u2019s the Difference Between SSL and TLS?<\/h2>\n

But first, you might be wondering what the difference is between SSL (Secure Socket Layer) and TLS (Transport Layer Security). Interestingly, there is no difference.<\/p>\n

TLS was introduced as the successor to SSL 3.0 in 1999 and was designed to resolve insecurities in the SSL protocol.<\/p>\n

So why do people still say SSL instead of TLS after all this time?<\/p>\n

People in the security industry like SSL so much that they continued to use the acronym and still do to this day. Companies like Comodo didn\u2019t change the name of SSL certificates<\/a> to TLS certificates. Software that enables SSL on a server, such as OpenSSL, didn\u2019t change their name to OpenTLS. The name SSL was ingrained and just stuck.<\/p>\n

As for renaming the SSL protocol, it seems it was for political rather than technical reasons. Tim Dierks, the Director of Data Protection at Google writes that<\/a> in the mid-90s during the Netscape and Microsoft browser wars, there was a lot of bargaining involved while developing the SSL protocol and \u2013 ultimately \u2013 leadership (and ownership) of the standard:<\/p>\n

As a part of the horsetrading, we had to make some changes to SSL 3.0 (so it wouldn’t look the [Internet Engineering Task Force<\/a>] IETF was just rubberstamping Netscape’s protocol), and we had to rename the protocol (for the same reason). And thus was born TLS 1.0 (which was really SSL 3.1). And of course, now, in retrospect, the whole thing looks silly.<\/p><\/blockquote>\n

And thus TLS was born. But everyone continued to say SSL anyway.<\/p>\n

Note: For the rest of this post, I\u2019ll use SSL and TSL interchangeably.<\/em><\/p>\n

HTTP vs HTTPS?<\/h2>\n

HTTP stands for Hypertext Transfer Protocol<\/strong>. When you enter a URL in your address bar preceded by http:\/\/ it tells the browser to connect to the website via HTTP. In turn, HTTP uses the Transmission Control Protocol (TCP) to send and receive data packets over the web to load the site you want to access.<\/p>\n

HTTPS stands for Hypertext Transfer Protocol Secure<\/strong>. When you enter a URL preceded by https:\/\/ it tells the browser to connect via HTTPS, which also uses TCP. But it does so within a connection encrypted by TLS.<\/p>\n

Basically, it takes the HTTP protocol and simply layers a TLS encryption layer on top of it. Servers and clients still communicate exactly the same HTTP to each other, but over a secure TLS connection that encrypts and decrypts their requests and responses.<\/p>\n

The SSL layer has two main purposes<\/a>:<\/p>\n