11

I've been reading a lot of online articles and blogs about advantages of using HTTPS (HTTP over SSL/TLS) and the performance issues involved in deploying a website over HTTPS. What I understood is that the performance overhead in using HTTP over SSL/TLS is because of the use Asymmetric Cryptography in the Protocol and this overhead is highly dependent on the factors like hardware, server software, typical session length, caching behaviors of clients etc.

On the other hand, many of the recent articles like this one claim that because of improvements in capacity and performance of modern processors and their architectures, performance is no longer an issue while using HTTPS. Also, SSL certificates are no longer expensive as they used to be.

So, my question is, why are we still relying on HTTP when instead we can use HTTPS without any performance overhead on website? Is there any drawback of shifting all the communication over HTTPS?

Rahil Arora
  • 4,259
  • 2
  • 23
  • 41
  • 3
    1) Older browsers [don't support multiple domains on one IP](http://en.wikipedia.org/wiki/Server_Name_Indication) address with SSL 2) Key-management/obtaining certificates is a bit annoying. 3) Many hosters charge extra for SSL support – CodesInChaos Nov 14 '13 at 17:32
  • 1
    I debate the 'no performance cost' assertion. Having recently deployed a complex site that uses AJAX, I can tell you for a fact that SSL was a big hit when we turned it on, even with beefy servers and infrastructure. Performance can't be ruled out. – schroeder Nov 14 '13 at 20:01
  • @Gilles The post mostly talks about the performance overhead and is more than 2 years old. Also, there are many articles out there that outline the overhead as a myth considering the availability of better resources. Just wanted to make sure what other reasons can possibly prevent someone to use HTTP over HTTPS. – Rahil Arora Nov 14 '13 at 20:58
  • @RahilArora I find the accepted answer quite good (though it's missing the part about certificate cost). If you don't like it, feel free to provide your own or add a bounty — that doesn't make the question any less of a duplicate. Sure, there are many articles out there on the myth of the performance hit of HTTPS. But there are also many articles on its reality. – Gilles 'SO- stop being evil' Nov 14 '13 at 21:03
  • @Gilles That's true. Plenty of stuff out there! I even came across this conversation about backdoors left by NSA in whole SSL/TLS standards and that we should stop using it. :D Anyways, I think there's no particular answer to my question and as some of the users have mentioned, I think performance is still an issue with HTTPS. – Rahil Arora Nov 14 '13 at 22:01

2 Answers2

15

Here are a few common reasons:

  1. Certificate cost. Certificates typically are not free, and for small or otherwise less-important domains, the cost is not justified.

  2. Virtual Hosting. While technology exists to specify a hostname during SSL negotiation, that technology is not widely enough deployed. As such, SSL domains require their own unique IP/port combination for disambiguation. And there aren't enough IPs to go around.

  3. Caching. Edge-caching and content-distribution networks don't typically play well with SSL. This is more frequently true for third-party CDNs and proxy-based caching.

tylerl
  • 82,225
  • 25
  • 148
  • 226
  • To elaborate on (2): HTTPS can be done with name-based virtual hosts if both the client and server support [Server Name Indication](http://en.wikipedia.org/wiki/Server_Name_Indication). We're just waiting for IE 6 and Windows XP to die. – 200_success Nov 14 '13 at 21:00
  • @200_success Unfortunately in this case we're also going to have to wait on Android 2.x; and since new 2.x phones are reportedly still being sold in the developing world it's probably at least a few more years before obsolete systems finish aging out of the market. – Dan Is Fiddling By Firelight Nov 14 '13 at 22:11
  • @DanNeely And various non-browser implementation. The reality is that this just isn't an option unless you have a very well-understood user base. – tylerl Nov 14 '13 at 23:55
3

For a lot of sites, encryption doesn't matter.

When you're checking the news headlines or commenting on Reddit, security and privacy is really not that important to you.

Despite the claims that SSL can be done at low cost, it is certainly not zero cost - for reasons that tylerl explains very well. So it is only used on sites where it matters.

Things have changed a lot recently. Three or four years ago, sites like Gmail and Facebook only encrypted your login, not your whole session. Now they encrypt the whole session - largely because Fire Sheep demonstrated the vulnerability so powerfully.

paj28
  • 32,736
  • 8
  • 92
  • 130
  • The thing is, maybe the privacy of what someone is looking at on various sites is important to some people. For instance, what you're googling for, etc. The problem with HTTPS is that it's not a complete privacy solution. It still reveals what server you're connecting to, and from what IP address. – Kaz Nov 14 '13 at 20:20
  • @Kaz Sure, it's down to the user to use sites that support their security and privacy needs. It's not just about whether they have HTTPS - geolocation, privacy policy and many other things matter – paj28 Nov 14 '13 at 20:58