HTTPS Performance Tuning

calendarJanuary 15, 2009 in Caching , Firefox , HTTP , HTTPS , HttpWatch , Internet Explorer , Optimization

An often overlooked aspect of web performance tuning is the effect of using the HTTPS protocol to create a secure web site. As applications move from the desktop onto the web, the need for security and privacy means that HTTPS is now heavily used by web sites that need to be responsive enough for every day use.

The tips shown below may help you to avoid some of the common performance and development problems encountered on sites using HTTPS:

Tip #1: Use Keep-Alive Connections

Whenever a browser accesses a web site it must create one or more TCP connections. That can be in lengthy operation even with normal unsecured HTTP.  The use of Keep-Alive connections reduces this overhead by reusing TCP connections for multiple HTTP requests. The screen shot below from HttpWatch shows the TCP connection time over HTTP is approximately 130 milliseconds for our web site when it is accessed from the UK:

Using HTTPS, the lack of Keep-Alive connections can lead to an even larger degradation in performance because an SSL connection also has to be setup once the TCP connection has been made. This requires several roundtrips between the browser and web server to allow them to agree on an encryption key (often referred to as the SSL session key) . The corresponding connection time to the same server using HTTPS is nearly four times longer as it includes the HTTPS overhead:

If a HTTPS connection is re-used the overhead of the both the TCP connection and SSL handshake are avoided.

Some web browsers and servers now allow the re-use of these SSL session keys across connections, but you may not always have control over the web server configuration or the type of browser used.

Tip #2: Avoid Mixed Content Warnings

In a previous blog post we talked about the confusing and annoying dialog that is displayed by default if a secure page uses any HTTP resources:

To stop this warning dialog interrupting the page download you need to ensure that everything on the page is accessed over HTTPS. It doesn’t have to be from the same site but it must use HTTPS. For example, the addition of HTTPS support allows the Google Ajax libraries to be safely loaded from secure pages.

Tip #3: Use Persistent Caching For Static Content

If you follow Tip #2 then everything that your page needs, including images, CSS and Javascript, will be accessed over HTTPS. You would normally want to persistently cache static content like this for as long as possible to reduce load on the web site and improve performance when a user revisits your site.

Of course, you wouldn’t want to cache anything on the disk that was specific to the user (e.g. HTML page with account details or a pie chart of their monthly spending). On most pages though, nearly all of the non-HTML content can be safely stored, shared and re-used.

There seems to be some confusion over whether caching is possible with HTTPS. For example, Google say this about Gmail over HTTPS:

You may find that Gmail is considerably slower over the HTTPS connection, because browsers do not cache these pages and must reload the code that makes Gmail work each time you change screens.

Although, 37Signals acknowledge that in-memory caching is possible, they say that persistent caching is not possible:

The problem is that browsers don’t like caching SSL content. So when you have an image or a style sheet on SSL, it’ll generally only be kept in memory and may even be scrubbed from there if the user is low on RAM (though you can kinda get around that).

Even when you do your best to limit the number of style sheets and javascript files and gzip them for delivery, it’s still mighty inefficient and slow to serve them over SSL every single time the user comes back to your site. Even when nothing changed. HTTP caching was supposed to help you with that, but over SSL it’s almost all for naught.

In reality, persistent caching is possible with HTTPS using both IE and Firefox.

Using HttpWatch you can see if content is loaded from the cache by looking for (Cache) in the Result column or by looking for the blue Cache Read block in the time chart. Here is an example of visiting https://www.httpwatch.com with a primed cache in IE. You can see that all the static resources are reloaded directly from the cache without a round trip to the web server:

If you try this in Firefox 3.0 without adjusting your response headers you will see this instead:

The ‘200’ values in the Result column indicate that the static content is being reloaded even though the site was previously visited and a valid Expires setting was used. Unless you specify otherwise, Firefox will put HTTPS resources into the in-memory cache so that they can only be re-used within a browser session. When Firefox closes the contents of the in-memory cache is lost.

The about:cache page in Firefox confirms that these files are stored using the in-memory cache:

To allow persistent caching of secure content in Firefox you need to set the Cache-Control response header to Public:

This value moves HTTPS based content into the persistent Firefox disk cache and in the case of https://www.httpwatch.com it more than halves the page load time due to the decrease in network round trips and TCP/SSL connections:

The Public cache setting is normally used to indicate that the content is not per user and can be safely stored in shared caches such as HTTP proxies. With HTTPS this is meaningless as proxies are unable to see the contents of HTTPS requests. So Firefox cleverly uses this header to control whether the content is stored persistently to the disk.

This feature was only added in Firefox version 3.0 so it won’t work with older versions. Fortunately, the take up version 3.0 is reported to be much faster than IE 6 to 7.

Tip #4: Use an HTTPS Aware Sniffer

A network sniffer is an invaluable tool for optimizing and debugging any client server application. But if you use a network level tool like Netmon or WireShark you cannot view HTTPS requests without access to the private key that the web site uses to encrypt SSL connections.

Often organizations will not allow the use of private keys outside of a production environment, and even if you have administrative access to your web site, getting the private key and using it to decrypt network traffic is not an easy task.

HttpWatch was originally born out of the frustration of trying to debug secure sites. Viewing HTTPS traffic in HttpWatch is easy as it integrates directly with IE or Firefox, and therefore has access to the unencrypted version of the data that is transmitted over HTTPS.

The free Basic Edition shows high level data and performance time charts for any site, and lower level data for a number of well know sites including Amazon.com, eBay.com, Google.com and HttpWatch.com . For example, you can try it with HTTPS by going to https://www.httpwatch.com .

EDIT: This post was updated to show that persistent caching of HTTPS based content is only available in Firefox version 3.0 onwards.

21 thoughts on “HTTPS Performance Tuning

  1. Tip #3 is key. Thanks for highlighting the need for “Cache-Control: public”. Note, however, that this doesn’t make https caching possible in Firefox 2. It’s possible that the statements from GMail and 37Signals were based on FF2, since FF3 is more recent.

  2. Steve, thanks for pointing out the issue with FF2.

    The blog post has been updated to show that you need FF3 or later to get the benefit of ‘Cache-Control: public’.

  3. Great post – there’s a lot of misinformation on caching static content over SSL. For clarification, does this work for IE6 as well, or does this just address IE7+?

    On a related note, I noticed on a recent project that FF3.5 seems to do some caching even without Cache-Control: Public. We did have E-tags enabled though, so until I do some further research I’m assuming they were responsible. Presumably it was cached in memory too (hopefully), given it was still SSL…

  4. kim michaels says:

    great article.
    is there anyway tho to prevent static content being retrieved again as a user transitions from http to https on my site or ultimately is a file requested over https seen as a different file than the same file requested over http no matter what http-headers are set ?

    thanks

  5. Kim,

    Cached objects are indexed by URL so they are treated as being different over HTTPS.

    You could consider serving resources such as images over HTTPS on your HTTP pages. You won’t get any security warnings and the objects will be in the cache when you switch to HTTPS. The additional overhead of using HTTPS for those resources initially may not be significant.

  6. Carlos Zamora says:

    Nice article.

    A related question, when using https with more than one domain (think CDN) and when the cache is primed, I have noticed that the first request of every domain gets fetched. Does anybody know why this happends?

  7. Read your article – agree with everything you said – but how do you solve the problem of SSL close notify alerts on Microsoft clients (e.g. http://www.modssl.org/docs/2.8/ssl_faq.html#ToC49 – but IME both Cisco and F5 recommend disabling keep-alive on SSL for MS clients for this reason)

  8. Hi All, just curious if you could break out the SSL handshake time as this is something that is more and more of an issue with load balancers off loading the SSL processing from the actual server. In our case it is on an F% and the application folks don’t have access. We have resorted to running cURL to get this info. It would be a lot more convenient were it in the HTTPWatch output.

  9. Buddy,

    Yes, it may be possible to do that and it would improve the time chart as it is currently lumped into the TCP connect time.

  10. ChrisLamont says:

    How does my choice of SSL Certificate affect this? Also can I use many different DNS Names to encourage faster downloads of static content?

    This blog posting, and my question is available here in more detail:
    http://stackoverflow.com/questions/7621393/what-configurations-cause-parallel-https-requests-to-be-slow/7621517#7621517

  11. Pingback: Quora

Got Something to Say?

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Ready to get started? TRY FOR FREE Buy Now