The Performance Implications Of Web Security

Securing your connection

Over the past few years all of the browser vendors have substantially enhanced the surety of their product and with it the security of the internet.  This has led to a much wider adoption of the encrypted hypertext transport protocol HTTPS, and browser will now mark websites as ‘not secure’, especially when a form, for example a login or credit card details, is requested. 

Specifically, pages that included forms where login credentials or credit card details could be entered would be labelled as not secure. 

This approach makes perfect sense and has long been part of Google’s intentions, and eventually, we can expect to see all non HTTPS, (HTTP), pages flagged as insecure.

For now though, websites that haven’t yet upgraded to HTTPS from HTTP and the site contains an input form, such as a search box at the top of every page, will see warnings triggered for all the pages on its site. 

However, while this type of protection does not have a performance implication, there are many other security initiatives that you should be aware of and how they can impact on the delivery performance of web pages, and with it customer experience.

This article takes a look at some of the security measures and their potential performance impact as a precursor to later articles that cover each of the technologies in greater depth.

HTTPS protocol displayed in the browser
HTTPS protocol displayed in the browser

Performance Impact

Other things being equal, an HTTPS website will be almost inevitably be slower than its less secure counterpart, thanks to the extra round-trips required for the TLS (Transport Layer Security) handshake that makes HTTP secure.  While this may only amount to a maximum of a less than a hundred milliseconds, human interaction could perceive that the website is slower. What’s more, this effect will be more noticeable on high-latency mobile networks.

Fortunately, there are plenty of ways to make TLS fast. Here are a few:

OCSP Stapling

OCSP stands for Online Certificate Status Protocol. This is a way to ensure that a site’s TLS certificate is valid. The client does completes this task by querying the certificate with the certifying authority. However, this is far from ideal, as it means the client has to retrieve information from a third-party before it can even start getting content from the website.

OCSP stapling works around this delay by passing responsibility for certificate verification from the client, on each webpage request, to the server.  Instead of the client having to do the look-up when it accesses the site, the server will carry out the look-up from time to time to verify the status of the certificate with the authority and will then store, or ‘staple’ the certificate on the webserver.  This enables the client request to be verified by the web server and as such negates the extra TLS handshake protocol and the time it would normally take to execute.  

TLS Session Resumption

TLS session resumption works by storing information about a TLS connection that’s already been established. This allows a client to reconnect to a host with an abbreviated TLS handshake, cutting the time it takes to make the connection.  Consequently, should the client request a second resource from the web server it will no longer need to request certificate authorisation a second time.

HSTS

HSTS stands for HTTP Strict Transport Security and it is designed as an important security enhancement to help prevent man-in-the-middle attacks on the HTTP stream.   This function comes with a knock-on benefit for web performance.

Essentially, HSTS means telling the browser or user agent that it should only ever access your website over HTTPS. This saves a costly redirect to use the HTTPS protocol when a visitor to your website requests the HTTP version. 

To implement HSTS the ability for the server issues a response header to the browser or user agent’s first call enforces connection over HTTPS and disregards any other request, such as via a script, to load over HTTP.  Although this has the disadvantage of only working after the first visit someone makes to your site. 

HTTP/2

HTTP/2, now more commonly known simply as H2, offers a range of performance enhancements that complements the improvements in security.    A pre-requisite for H2 is HTTPS which enforces a high security regime for the fastest HTTP protocol. 

As H2 implements multiple requests and responses to be multiplexed over a single connection, the risk that one slow-loading asset will block other resources is reduced.  Response Headers are also compressed, reducing the size of both requests and responses. 

Other features, such as server push, are evolving, but should offer even more performance benefits.

A More Secure Future

As we are edging ever closer to an HTTPS-only web, delivering greater privacy and better security for all web users, browser vendors seem intent on accelerating the pace of change so an understanding of how security impacts on web performance can help you prepare to ensure customer experience is not impacted. 

Author: Philip Vandenberg

Philip Vandenberg is a specialist in web performance, performance load testing, a practitioner of IT best practices and the management of internet services. In a career spanning many years he has helped companies implement digital technologies and websites across the world.