Should you Move To HTTPS? Google Thinks So!
-
I tested smaller sites too though, and I expected you were going to say it was the cache but keep in mind I ran the non SSL version first in that example so why in the second test RIGHT after with SSL it's slower even if it was cached. By the way even when clearing cache or testing on one of my many shell (ssh) accounts and one VPN in New York even, same results. I tried with w3m as well. I hear you, but I think it's incorrect to say that HTTPS can and usually does slow down most pages although its a very small difference.
I'm just going by experience and tests, but I'll give you the benefit of the doubt as you seem to know more about setting up networks and SSL/TLS than I do. Sorry if I seemed like a jerk, I just find your conclusion surprising.
It's actually good news for me as I'll be needing HTTPS soon for a site as I will be accepting payment. I already knew the difference is miniscule but personally I still think for most if not all servers implementing encryption is going to slow it down a little bit. The client visiting the site and the server have to go through extra steps. How could it not take longer? Even if it is a small amount, you really think HTTPS is identical in speed to HTTP (if setup correctly on a LAMP (Linux Apache MYSQL PHP) server. There are more calculations going on. Encryption/Decryption takes time...even if its done well...its like pure math. I am a total idiot (no sarcasm) and I can't fathom how you think its a myth....
-
I guess the main question about your other tests is did you check to see if the server was utilizing mod_spdy? That is what my whole argument centers around. Serving https up without it is way slower, I realize that. But if the server is running mod_spdy and the browser supports it, it will be just as fast. Just as a point of reference cUrl and no linux only browsers support spdy. Only the main stream chrome, ff, IE, safari, and the kindle browser support it.
I think you are missing the point a little bit. Say you get shared hosting at any provider that I can think of, or say you get a vps, or even a dedicated server. 9 times out of 10 what you are getting is a machine running either WHM or Plesk that is running php 5.4, apache 2.2 and mod_php, and current version mysql. You are getting a slow set up basically. I have dealt with dozens of hosting companies in the last 6 months and I cannot tell you one that has set up mod_spdy on a default deployment. It just has not made it in the standard yet, it is like mod_pagespeed, they rely on you to set it up. With a setup like that, yes, https requests are going to be slower, there is no doubt in that. BUT, that is not what I am talking about running on. Set the machine up running php 5.4, use an apc caching layer, fcgi as an interpreter and install mod_spdy (I don't use mod_pagespeed, I optimize from the start) the same machine can quadruple the requests it was taking before.
I don't know how familiar you are with how http or spdy works, but here is a brief overview. On a server without spdy enabled when you request a page, the browser will make a connection (establish an insecure handshake) and the server will deliver the page. As the page is loading the browser will scan it for resources that it needs to load, then it will start creating a handshake for each resource and then start downloading it. The browser has a max of 8 channels that it can download at once. So if your page has 5 css files, 8 js files, and 30 images, it can only download 8 of those files at once, it creates a que. When one finishes, the next starts. Where all of your time is really ate up is the handshake for each resource.
With spdy the way it gets around this is there is only one handshake (for either ssl or http) in that handshake it sends all of the resources at once. When your browser scans down the page and starts asking for resources no que is created, they are all sent as soon as they are asked for. That is how it is faster, it reduces connections, think of it as a super keep-alive.
-
Really technical in here lol.
Just wanted to say I could see why they would do it, but it's kind of silly to run out and grab one. Most server and site security can be locked down from the server side if you have your own root account. My guess is that they partnered with someone who sells ssl certificates, and is now saying this to strengthen that alliance or help them make money. I could see this being worth the time and effort if you took sensitive information, but to dangle a carrot saying "we will rank you higher if you use an ssl on your roofing/plumber/seo/etc" website is just silly.
I'm all for security and protecting people's information, dont get me wrong, but it seems like another attempt to control things.
-
Close, but look at Googles certificate, http://i.imgur.com/Lw1rlH4.png They are actually a CA now after the issues they had with their certificates before. I think they became a CA when they rolled out the tougher encryption. Soon, I imagine they will start selling them to the public like they do with domain names.
-
So Google's SSL was sold to Google by Google? Makes perfect sense lol. "We will rank you higher if you use an SSL. By the way, have you noticed our lovely selection of SSL's?"
-
Agreed EGOL.
I think I will sit on this one for a bit.
If starting a new site from scratch I would definitely start with a certificate and make the site https from inception.
I just see this as being a huge pain in the butt for most people to set up on already established sites, especially since 95% of website owners are small businesses owners. They don't know how to pull something like this off without some serious time and/or money investment by someone who knows a fair amount about the back end of websites, which I personally don't.
I am a marketer and not a programmer and most business owners are not programmers. Only a small amount of marketers would actually see the value in a switch to https unless they have a shopping cart setup.
-
If they are going to sell them to everyone they are going to have to make them simple to implement.
For Example:
Buy one > insert URL > All redirection is taken place for you > Done!
End of Story.
I am not going to beat my head against the wall and check every one of my pages all the time to make sure they are all working correctly, indexed correctly etc etc. I already have enough stuff to do without babysitting all my sites pages more than I already do.
-
I think that is the exact opposite of how security works. But once installed and the site is properly configured you should never have an issue with anything. I just wish more were renewable instead of having to get re-issued.
-
Agreed. Re-issuing is a pain in the ass. Although I agree that HTTPS is a good thing, I do think that it's overkill for a lot of smaller sites and sites that only provide non-sensitive information to the public. Google is using it as a "lightweight" indicator right now but chances are they'll put more weight into it over time. Perhaps SSL will be a growth industry with Google putting its weight behind it.
-
for best practice, you should keep your website with HTTPS, I have done this practice for my blog, and it's working well.
-
07877
-
032.4k
-
02475
-
041.1k
-
0614.4k
-
07275
-
07892
-
02521