Should you Move To HTTPS? Google Thinks So!
-
Read this, http://research.microsoft.com/pubs/170059/A comparison of SPDY and HTTP performance.pdf
The only time that http is faster is when mod_pagespeed is run and you are pipelining. Most US isp's do not support pipelining, so the only real option is using a spdy layer, hence why it was created.
I set up a lot of high traffic servers, everyone of them relies on mod_spdy to serve requests because it kills over http1.1. Most sites don't use mod_spdy, most servers do not have it set up, so that is my basis for the myth. If you look at the test results running spdy with ssl is faster than apache running http1.1, which accounts for I would guess at least 70% of all *nix machines on the net.
As for security I agree that setting up SSL certificates wrong is an issue, but that does not mean that there is an issue with using SSL. It is like if someone does not lock their door and someone breaks in the house, it was not the lock's fault. I set up ecommerce site's and boxes for a living and do quite a bit of pen testing, there are not many attacks out their where someone is on a closed non public network that will actually work in the wild. I mean some of the things you list could possibly work, but in most cases it would be easier to drive over to someone's house and torture them to get the information than to try to hack a router at a CA.
-
Uhh most servers run on Apache not crappy Microsoft server. I can tell you know more about networking though and not saying I'm 100% certain...more like 60% but I can literally see the results myself right now: I just did a test myself:
I did wget on http://www.google.com and its 0.01s seconds for http and 0.04s for https.... I didn't even modify the timing to be more specific....
[ <=> ] 19,425 --.-K/s in 0.01s
2014-08-19 22:19:44 (1.26 MB/s) - 'index.html' saved [19425]
unknownlocal-7:~ unknown_device$ wget https://www.google.com
--2014-08-19 22:19:58-- https://www.google.com/
Resolving www.google.com... 74.125.224.48, 74.125.224.49, 74.125.224.50, ...
Connecting to www.google.com|74.125.224.48|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'index.html.2'
[ <=> ] 19,376 --.-K/s in 0.04s
2014-08-19 22:19:58 (501 KB/s) - 'index.html.3' saved [19376]
-
I totally believe that you didn't modify the timings, but you cannot use that as a test. The main reason being that one of two things could be happening. Either your isp has cached the content for the page or Google is edging with them. When you run a https request it bypasses caching and edging. So technically if you were someone like Google or Amazon, it could slow your site down. But like 90% of other people that are single location hosting a site without using edge servers all requests are leading to the same place. Plus you have to factor in network integrity. I have a site launching at the end of the week that will have about 10k users on it at any given time during the daylight hours in the US. We didn't just ramp up the load tester to 10k and call it a day, we have had the thing running since Monday non stop with 15k users on it to see the weak points in the network. We are transferring almost 2tb an hour on our AWS instances to see if the database is going to fold or not. Before we installed mod_spdy (we are only using https on checkout and contact pages) we were spawning way too many frontend instances, 9 if I remember correctly. With mod_spdy we have reduced them down to about 6 with a 7th firing up every now and then, just depending on where the wave of the load goes on the site.
-
I tested smaller sites too though, and I expected you were going to say it was the cache but keep in mind I ran the non SSL version first in that example so why in the second test RIGHT after with SSL it's slower even if it was cached. By the way even when clearing cache or testing on one of my many shell (ssh) accounts and one VPN in New York even, same results. I tried with w3m as well. I hear you, but I think it's incorrect to say that HTTPS can and usually does slow down most pages although its a very small difference.
I'm just going by experience and tests, but I'll give you the benefit of the doubt as you seem to know more about setting up networks and SSL/TLS than I do. Sorry if I seemed like a jerk, I just find your conclusion surprising.
It's actually good news for me as I'll be needing HTTPS soon for a site as I will be accepting payment. I already knew the difference is miniscule but personally I still think for most if not all servers implementing encryption is going to slow it down a little bit. The client visiting the site and the server have to go through extra steps. How could it not take longer? Even if it is a small amount, you really think HTTPS is identical in speed to HTTP (if setup correctly on a LAMP (Linux Apache MYSQL PHP) server. There are more calculations going on. Encryption/Decryption takes time...even if its done well...its like pure math. I am a total idiot (no sarcasm) and I can't fathom how you think its a myth....
-
I guess the main question about your other tests is did you check to see if the server was utilizing mod_spdy? That is what my whole argument centers around. Serving https up without it is way slower, I realize that. But if the server is running mod_spdy and the browser supports it, it will be just as fast. Just as a point of reference cUrl and no linux only browsers support spdy. Only the main stream chrome, ff, IE, safari, and the kindle browser support it.
I think you are missing the point a little bit. Say you get shared hosting at any provider that I can think of, or say you get a vps, or even a dedicated server. 9 times out of 10 what you are getting is a machine running either WHM or Plesk that is running php 5.4, apache 2.2 and mod_php, and current version mysql. You are getting a slow set up basically. I have dealt with dozens of hosting companies in the last 6 months and I cannot tell you one that has set up mod_spdy on a default deployment. It just has not made it in the standard yet, it is like mod_pagespeed, they rely on you to set it up. With a setup like that, yes, https requests are going to be slower, there is no doubt in that. BUT, that is not what I am talking about running on. Set the machine up running php 5.4, use an apc caching layer, fcgi as an interpreter and install mod_spdy (I don't use mod_pagespeed, I optimize from the start) the same machine can quadruple the requests it was taking before.
I don't know how familiar you are with how http or spdy works, but here is a brief overview. On a server without spdy enabled when you request a page, the browser will make a connection (establish an insecure handshake) and the server will deliver the page. As the page is loading the browser will scan it for resources that it needs to load, then it will start creating a handshake for each resource and then start downloading it. The browser has a max of 8 channels that it can download at once. So if your page has 5 css files, 8 js files, and 30 images, it can only download 8 of those files at once, it creates a que. When one finishes, the next starts. Where all of your time is really ate up is the handshake for each resource.
With spdy the way it gets around this is there is only one handshake (for either ssl or http) in that handshake it sends all of the resources at once. When your browser scans down the page and starts asking for resources no que is created, they are all sent as soon as they are asked for. That is how it is faster, it reduces connections, think of it as a super keep-alive.
-
Really technical in here lol.
Just wanted to say I could see why they would do it, but it's kind of silly to run out and grab one. Most server and site security can be locked down from the server side if you have your own root account. My guess is that they partnered with someone who sells ssl certificates, and is now saying this to strengthen that alliance or help them make money. I could see this being worth the time and effort if you took sensitive information, but to dangle a carrot saying "we will rank you higher if you use an ssl on your roofing/plumber/seo/etc" website is just silly.
I'm all for security and protecting people's information, dont get me wrong, but it seems like another attempt to control things.
-
Close, but look at Googles certificate, http://i.imgur.com/Lw1rlH4.png They are actually a CA now after the issues they had with their certificates before. I think they became a CA when they rolled out the tougher encryption. Soon, I imagine they will start selling them to the public like they do with domain names.
-
So Google's SSL was sold to Google by Google? Makes perfect sense lol. "We will rank you higher if you use an SSL. By the way, have you noticed our lovely selection of SSL's?"
-
Agreed EGOL.
I think I will sit on this one for a bit.
If starting a new site from scratch I would definitely start with a certificate and make the site https from inception.
I just see this as being a huge pain in the butt for most people to set up on already established sites, especially since 95% of website owners are small businesses owners. They don't know how to pull something like this off without some serious time and/or money investment by someone who knows a fair amount about the back end of websites, which I personally don't.
I am a marketer and not a programmer and most business owners are not programmers. Only a small amount of marketers would actually see the value in a switch to https unless they have a shopping cart setup.
-
If they are going to sell them to everyone they are going to have to make them simple to implement.
For Example:
Buy one > insert URL > All redirection is taken place for you > Done!
End of Story.
I am not going to beat my head against the wall and check every one of my pages all the time to make sure they are all working correctly, indexed correctly etc etc. I already have enough stuff to do without babysitting all my sites pages more than I already do.
-
I think that is the exact opposite of how security works. But once installed and the site is properly configured you should never have an issue with anything. I just wish more were renewable instead of having to get re-issued.
-
Agreed. Re-issuing is a pain in the ass. Although I agree that HTTPS is a good thing, I do think that it's overkill for a lot of smaller sites and sites that only provide non-sensitive information to the public. Google is using it as a "lightweight" indicator right now but chances are they'll put more weight into it over time. Perhaps SSL will be a growth industry with Google putting its weight behind it.
-
for best practice, you should keep your website with HTTPS, I have done this practice for my blog, and it's working well.
-
02162
-
27212
-
02383
-
043.9k
-
0614.4k
-
07275
-
02521
-
071.2k