The performance impact
Other things being equal, an HTTPS website will almost inevitably be slower than its less secure counterpart, thanks to the extra round-trips required for the TLS (Transport Layer Security) handshake that makes HTTP secure. While this may amount to less than a hundred milliseconds, a human user can still perceive that the website is slower. What's more, the effect is more noticeable on high-latency mobile networks.
Fortunately, there are plenty of ways to make TLS fast. Here are a few:
OCSP stapling
OCSP stands for Online Certificate Status Protocol. It is a way of ensuring that a site's TLS certificate is still valid: the client completes this task by querying the status of the certificate with the certifying authority. However, this is far from ideal, as it means the client has to retrieve information from a third party before it can even start getting content from the website.
OCSP stapling works around this delay by passing responsibility for the certificate status check from the client, on each webpage request, to the server. Instead of the client doing the look-up when it accesses the site, the server carries out the look-up from time to time to verify the status of its certificate with the authority and then stores, or 'staples', the authority's signed response to its certificate on the web server. The client's request can then be verified from the stapled response delivered in the TLS handshake, which removes the extra look-up and the time it would normally take.
TLS session resumption
TLS session resumption works by storing information about a TLS connection that has already been established. This allows a client to reconnect to a host with an abbreviated TLS handshake, cutting the time it takes to make the connection. Consequently, should the client request a second resource from the web server, it will no longer need to repeat the certificate verification.
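Both of the checks above can be confirmed from the command line with `openssl s_client`: `-status` asks the server for a stapled OCSP response, and `-reconnect` performs one full handshake followed by several reconnections that should be resumed. The parser below is an added example, not code from the original article; it reads the text those commands print and reports whether stapling and resumption are in place. The host name `www.example.test` and the embedded transcripts are constructed, trimmed to the lines the parser inspects.

```python
"""Parse `openssl s_client` output for OCSP stapling and session resumption.

Added example (not from the original article). Assumed commands, with a
hypothetical host name:

    openssl s_client -connect www.example.test:443 -servername www.example.test -status </dev/null
    openssl s_client -connect www.example.test:443 -servername www.example.test -reconnect </dev/null
"""
import re

# Constructed transcript of a server that staples a "good" OCSP response.
STAPLED = """\
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
"""

# Constructed transcript of a server that does not staple at all.
NOT_STAPLED = """\
CONNECTED(00000003)
OCSP response: no response sent
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
"""

# Constructed transcript of `-reconnect`: one full handshake, then resumed ones.
RECONNECT = """\
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
drop connection and then reconnect
Reused, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
drop connection and then reconnect
Reused, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
"""


def ocsp_stapling(output):
    """Report whether a stapled response was sent and what status it carried.

    A stapled response with a status other than "good" (e.g. "revoked") is
    still "stapled" but must not be treated as a pass, so both fields are
    returned rather than a single boolean.
    """
    if "OCSP response: no response sent" in output:
        return {"stapled": False, "cert_status": None}
    ok = re.search(r"OCSP Response Status: successful", output) is not None
    status = re.search(r"Cert Status: (\w+)", output)
    return {"stapled": ok, "cert_status": status.group(1) if status else None}


def handshakes(output):
    """List each handshake as (kind, protocol), kind being 'New' or 'Reused'."""
    return re.findall(r"^(New|Reused), (TLSv[\d.]+), Cipher is", output, re.M)


def resumption_works(output):
    """True when the first handshake is full and every later one is resumed."""
    hs = handshakes(output)
    return (len(hs) >= 2
            and hs[0][0] == "New"
            and all(kind == "Reused" for kind, _ in hs[1:]))


if __name__ == "__main__":
    print(ocsp_stapling(STAPLED))
    print(ocsp_stapling(NOT_STAPLED))
    print(handshakes(RECONNECT), resumption_works(RECONNECT))
```

When run against a live server, feed the captured output to `ocsp_stapling` and `resumption_works`; a stapled response whose `cert_status` is anything but `good` should be treated as a failure, not a success.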
HSTS
HSTS stands for HTTP Strict Transport Security. It is designed as an important security enhancement to help prevent man-in-the-middle attacks on the HTTP stream.
This function comes with a knock-on benefit for web performance.
Essentially, HSTS means telling the browser or user agent that it should only ever access your website over HTTPS. This saves a costly redirect to HTTPS when a visitor requests the HTTP version of your website.
To implement HSTS, the server issues a response header on the browser or user agent's first call. From then on the browser enforces connections over HTTPS and disregards any other request, such as one made by a script, to load over HTTP. This does have the disadvantage of only working after someone's first visit to your site.
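The first-visit limitation and the redirect saving both follow from how a browser keeps an HSTS policy. The toy cache below is an added example, not code from the original article: it models the user-agent side of the mechanism (the header is honoured only when received over HTTPS, `max-age=0` clears the policy, `includeSubDomains` extends it to child hosts, expired entries are dropped) and shows that an `http://` URL is only rewritten once a policy has been recorded. The class name, the injectable `clock` and the `example.test` host names are assumptions made for the example.

```python
"""Toy HSTS cache modelling how a browser applies Strict-Transport-Security.

Added example (not from the original article). Policy semantics follow
RFC 6797; the helper names and the injectable clock are assumptions.
"""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Return (max_age_seconds, include_subdomains), or None if malformed."""
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # 'preload' and unknown directives are ignored, as RFC 6797 requires
    if max_age is None:  # max-age is mandatory
        return None
    return max_age, include_subdomains


class HstsCache:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._entries = {}  # host -> (expires_at, include_subdomains)

    def record(self, url, header_value):
        """Process a response's STS header; returns True if a policy changed."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False  # RFC 6797 s8.1: ignore the header over insecure transport
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self._entries.pop(host, None)  # the site is opting out
            return True
        self._entries[host] = (self._clock() + max_age, include_subdomains)
        return True

    def _policy_for(self, host):
        """Walk from the host up through its parent domains for a live policy."""
        now = self._clock()
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= now:
                del self._entries[candidate]  # expired policy
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Return the URL the browser would actually fetch."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self._policy_for(parts.hostname):
            return url  # no policy known yet: this is the first-visit gap
        # RFC 6797 s8.3: switch the scheme and map the default port 80 to 443
        port = parts.port
        netloc = parts.hostname if port in (None, 80) else f"{parts.hostname}:{port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache()
    print(cache.rewrite("http://example.test/"))  # unchanged: nothing known yet
    cache.record("https://example.test/", "max-age=31536000; includeSubDomains")
    print(cache.rewrite("http://www.example.test/page"))  # now upgraded
```

The `record` call only has an effect for an HTTPS response, which is exactly why the protection starts on the second visit: the very first plain `http://` request still goes out unprotected before any policy exists.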
HTTP/2
HTTP/2, now more commonly known simply as H2, offers a range of performance enhancements that complement the improvements in security.
A prerequisite for H2 is HTTPS, which enforces a high security regime for the fastest HTTP protocol.
As H2 allows multiple requests and responses to be multiplexed over a single connection, the risk that one slow-loading asset will block other resources is reduced.
HTTP headers are also compressed, reducing the size of both requests and responses.
Other features, such as server push, are evolving, but should offer even more performance benefits.
A more secure future
As we edge ever closer to an HTTPS-only web, delivering greater privacy and better security for all web users, browser vendors seem intent on accelerating the pace of change. Understanding how security affects web performance can help you prepare, and ensure that customer experience is not harmed.