[HTTPS-Everywhere] -1

Chris Palmer chris at noncombatant.org
Sun Oct 17 13:36:28 PDT 2010


Evan Prodromou writes:

> But if everyone used HTTPS-everywhere to access our servers, it would
> mean we'd have to shut down our service for everyone.

The keys to good HTTPS performance are very similar to the keys to good HTTP
performance. I have done a lot of HTTP(S) performance testing, in my (very
recently) previous life as a security engineer. People like Evan would
always come back with these performance concerns when we advised them to use
HTTPS exclusively, so I would have to have a solid answer as to why using
HTTPS only is possible. (Securely using mixed content, or securely
transitioning from HTTP to HTTPS in the same session, is FAR more difficult
than optimizing HTTPS. It's effectively impossible.)

In my experience, people who complain about HTTPS performance universally
(yes, universally) have unnecessarily poor HTTP performance: pages too
large, too many items per page, lack of persistent connections, too many DNS
lookups, heavy-weight JavaScript, unoptimized HTML and CSS, and so on. You
really don't need Google Magic to achieve good HTTPS performance; you can
get great performance by just tightening loose bolts. Google's magic is
really just that they know how to tighten a few more bolts than normal
engineers. I just finished a short stint as a Google engineer, and I was
delighted to see that the server team's advice to web app developers is that
HTTPS performance is no longer a design consideration. It's not magic, just
a lot of tightened bolts.

I gave a talk on this topic at Web 2.0 Expo in 2009:

http://www.web2expo.com/webexsf2009/public/schedule/detail/5931

In particular, pay attention to the Gmail performance blog post that I
referred to:

http://gmailblog.blogspot.com/2008/05/need-for-speed-path-to-faster-loading.html

I haven't looked at Evan's site, but I bet there are things that could be
tuned up. There always are. Just fire up the usual tools (Firebug, YSlow,
Wireshark, Burp Proxy/WebScarab) and you will usually see lots of obvious
things you can fix.

There's really no performance reason not to use HTTPS everywhere. I once
(ONCE) had a client that really did have a quantified, tested reason that
HTTPS was too slow for them, 3 years ago. A few weeks ago I did some testing
for a nearly identical application and deployment situation, and found that
HTTPS made no noticeable performance difference.


--
http://noncombatant.org/
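The "loose bolts" Chris lists (pages too large, too many items per page, too many DNS lookups) and the mixed-content problem he calls effectively impossible to do securely can both be checked mechanically before a site is moved to HTTPS-only. The script below is an added example, not code from the post or from the HTTPS-Everywhere project: it parses a page's HTML, counts fetched subresources and distinct hostnames, flags http:// subresources on an https:// page, and compares against thresholds. The thresholds (max_bytes, max_items, max_hosts) and the sample page are assumptions constructed for illustration, not numbers from the post.

```python
"""Audit an HTML page for the performance and mixed-content 'loose bolts'
discussed in the post. Added example; the sample HTML and the thresholds
are constructed for illustration, not taken from the original message.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute that carries a fetched subresource URL, per tag.
RESOURCE_ATTRS = {"script": "src", "img": "src", "link": "href", "iframe": "src"}


class _ResourceCollector(HTMLParser):
    """Collect subresource URLs from start tags (stdlib parser, no network)."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        # Only <link> elements that actually fetch something (stylesheets) count.
        if tag == "link" and (a.get("rel") or "").lower() != "stylesheet":
            return
        if a.get(attr):
            self.urls.append(a[attr])


def audit_page(html, page_url, max_bytes=100_000, max_items=30, max_hosts=4):
    """Return counts plus a list of findings for one page (assumed thresholds)."""
    collector = _ResourceCollector()
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme
    # Resolve relative and protocol-relative URLs against the page URL.
    absolute = [urljoin(page_url, u) for u in collector.urls]
    # Each distinct hostname is at least one extra DNS lookup (and TLS handshake).
    hosts = sorted({urlsplit(u).hostname for u in absolute if urlsplit(u).hostname})
    # http:// subresources on an https:// page are mixed content.
    mixed = [u for u in absolute if page_scheme == "https" and urlsplit(u).scheme == "http"]

    size = len(html.encode("utf-8"))
    findings = []
    if size > max_bytes:
        findings.append(f"page too large: {size} bytes > {max_bytes}")
    if len(absolute) > max_items:
        findings.append(f"too many items: {len(absolute)} > {max_items}")
    if len(hosts) > max_hosts:
        findings.append(f"too many hostnames (DNS lookups): {len(hosts)} > {max_hosts}")
    if mixed:
        findings.append(f"mixed content: {len(mixed)} http:// subresource(s) on an https:// page")
    return {"bytes": size, "items": len(absolute), "hosts": hosts,
            "mixed_content": mixed, "findings": findings}


# Constructed sample page (not a real site) served at an https:// URL.
SAMPLE_URL = "https://www.example.org/index.html"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/main.css">
<link rel="stylesheet" href="http://www.example.org/css/old.css">
<link rel="icon" href="/favicon.ico">
<script src="//cdn.example.net/jquery.js"></script>
<script src="https://analytics.example.com/a.js"></script>
</head><body>
<img src="/img/logo.png">
<img src="http://images.example.org/banner.png">
<iframe src="https://widgets.example.com/w"></iframe>
</body></html>"""


def sample_report():
    """Run the audit over the constructed sample page."""
    return audit_page(SAMPLE_HTML, SAMPLE_URL)


if __name__ == "__main__":
    for line in sample_report()["findings"]:
        print(line)
```

Run it against a saved copy of a page to get the same kind of list YSlow or Firebug would give, without a browser; the hostname count is the number to watch, since every extra host costs a DNS lookup and, once the site is HTTPS-only, a separate TLS handshake as well.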