High Performance, Low Cost, and Strong Security: Pick Any Three

HTTPS is a baseline prerequisite for a secure web application. By measuring bytes on the wire and microseconds elapsed, we can see the exact performance effect of HTTPS vs HTTP. In doing so, we may discover that optimizing other aspects of the application improves latency and throughput more than turning off HTTPS does. We present free tools to help you measure your application.

Many factors affect objective and subjective site performance, including:

• the size and number of media elements on a page
• the number of distinct hosts media elements are served from
• back-end efficiency (database connections used, amount of data retrieved from database)
• web server configuration (pipelining? TLS session resumption? HTTP 1.1 keepalive? et c.)
• efficiency/complexity of client-side JavaScript code (especially for complex AJAX applications)

The cost of TLS/SSL is often misunderstood:

• by using HTTP 1.1, we can transfer multiple media elements over the same connection, amortizing the setup cost of TLS
• by using SSL session resumption, we can amortize the cost of the public key operations
• whatever the cost of symmetric cryptography, it’s half what it was 18 months ago…

Optimizing these other factors can save you money, improve the user experience, and make the use of HTTPS the least of your performance concerns—in turn, enabling application security. Measurement allows us to identify performance problems, helping us provide a safe and responsive experience for our users.