A Simple Performance Comparison of HTTPS, SPDY and HTTP/2

calendarJanuary 16, 2015 in Firefox , HTTP/2 , HTTPS , HttpWatch , SPDY , SSL

Firefox 35 was released this week and became the first browser to enable support for the HTTP/2 protocol by default.

The HTTP/2 specification has not been finalised so Firefox actually enabled the Draft 14 version of HTTP/2 but little is expected to change in the final draft. Google is now supporting HTTP/2 draft 14 on its web servers alongside the SPDY protocol giving us a chance to compare the performance of raw HTTPS, SPDY and HTTP/2 on the same web page.

We also updated HttpWatch this week so that it supports HTTP/2 within Firefox. It has new columns to display information about the protocols being used by each request:

New HTTP/2 Columns

The Performance Comparison

The performance test used HttpWatch with Firefox to run a series of simple page load tests against the Google UK home page using the three protocols:

  • Raw HTTPS
  • SPDY/3.1
  • HTTP/2

We switched between the protocols by enabling and disabling the following entries in Firefox’s about:config page:

Controlling FIrefox Protocol Support

Each test was performed in a fresh instance of Firefox with an empty browser cache. Although this testing was simplistic and only used a simple page it does highlight some important differences between the protocols.

Test #1 – Size of Request and Response Headers

Most sites already use compression when downloading textual content as it provides a significant performance benefit. Unfortunately, HTTP/1.1 doesn’t support the compression of HTTP headers that are attached to every HTTP request and response. SPDY and subsequently HTTP/2 were designed to address this shortcoming using different types of compression.

SPDY uses the general purpose DEFLATE algorithm whereas HTTP/2 uses HPACK that was specifically designed to compress headers. It uses predefined tokens, dynamic tables and Huffman compression.

It’s possible to see the difference in the generated header sizes by looking at a request that has no content. On the Google UK home page there is beacon request that returns no content (a 204 response). These screen shots from HttpWatch show the size of the request headers in the ‘Sent’ column and the size of the response headers in the ‘Received’ column:

HTTPS header sizesSPDY header sizes

HTTP/2 header sizes


HTTP/2 has significantly smaller header sizes due to its use of the HPACK algorithm.

Test #2: Size of Response Message

The response message from the server is made up of the response headers and the encoded response content. Given the fact that HTTP/2 creates the smallest headers shouldn’t it always have the smallest response message?

In HttpWatch this seems to be the case for image resources:

HTTPS Image Response Size SPDY Image Response SizeHTTP/2 Image Response Size

However, for textual resources SPDY consistently has smaller response messages even though its headers would be larger than HTTP/2:

HTTPS Text Response Size SPDY Text Response Size HTTP/2 Text Response Size

The reason for this is the optional padding bytes that can be added to the HTTP/2 DATA frame. HttpWatch doesn’t currently show the padding but in our debug logs we can see that the Google servers add padding to the data frames of textual resources. The reason given in the HTTP/2 spec for using padding is:

Padding can be used to obscure the exact size of frame content, and is provided to mitigate specific attacks within HTTP. For example, attacks where compressed content includes both attacker-controlled plaintext and secret data (see for example, [BREACH]).

Padding isn’t used for image resources because they already have a compressed format that will not contain attacker controlled plain text.


The larger response bodies seen on the Google servers are due to the use of padding in data frames. Although, HTTP/2 produces larger responses than SPDY its encrypted connections could potentially be more secure. This may be an area where tuning can be performed in a trade off between security and performance.

Test #3 : Number of TCP Connects and SSL Handshakes Required During Page Load

Browsers achieved a performance boost in HTTP/1.1 by increasing the maximum number of connections per host name from two to six or more. This allowed greater concurrency during the download of a page at the cost of extra TCP connections and SSL handshakes . Increasing concurrency allows the bandwidth of the network to be used more effectively because it reduces the blocking of requests.

SPDY and HTTP/2 support concurrency on a single TCP and SSL connection by using multiplexing to allow more than one request at a time to send and receive data on a single connection.

By adding the ‘Connect’ and ‘SSL Handshake’ timings as a columns in HttpWatch you can see that SPDY:

SPDY Connections

And HTTP/2:

HTTP/2 Connections

Only create connections for different host names. Whereas, raw HTTPS may create more than one connection per host name to improve concurrency:

HTTPS Connections


The multiplexing support added in SPDY and HTTP/2 reduces the number of connections that have to be setup to download a page. As a side benefit web servers will not have to maintain as many active TCP connections when HTTP/2 usage becomes more widespread.

Test #4: Page Load Time

The ‘Page Load’ event in HttpWatch shows when the page was fully downloaded and available for use. In most cases this a reasonable measure of the speed of the page as seen by a visitor to a web site.

The screeen shots below show the Page Load time for each of the three protocols:HTTPS Page Load

SPDY Page Load HTTP/2 Page Load


The Page Load timing was worse for raw HTTPS probably due to the lack of header compression and the additional TCP connections and SSL Handshakes required. For more complex pages the speed advantage of SPDY and HTTP/2 should be even greater.

We also found that HTTP/2 was consistently faster than SPDY even though its response messages were often larger. The advantage was probably due to the smaller GET request messages produced by HPACK compression. Our network connection to the internet, like many others, is asymmetric in nature – the network upload speed is less than the download speed. This means that any saving in uploaded data has much more impact than the equivalent saving in downloaded data.


HTTP/2 is likely to provide significant performance advantages compared to raw HTTPS and even SPDY. However the use of padding in response messages is an area of potential concern where there could be a trade-off between performance and security.

Beware: Your Cloud Server May Have Some IP Related Baggage

calendarMay 22, 2014 in HttpWatch , IIS

Cloud based servers are great. You can quickly fire up new instances to scale up a web site or just to make deployment easier.

However, your new cloud server may not be as clean and new as you expect. The problem is that IPv4 addresses are in short supply and your cloud server provider will maintain a pool of addresses that get recycled when a cloud server is destroyed. So when you create a new cloud server, the IP address assigned to it may have some baggage from its previous owner.

We ran into this when we deployed a major update of our site to a new server. Not long after deployment we got a Google Alert about the presence of HttpWatch related content at site with a strange domain name – let’s say malwarecentral.com. The weird thing was that this site was an exact replica of our site:

Strange Domain

The site must have had a high page rank in Google, perhaps through dubious SEO techniques. If we searched for ‘HttpWatch’ the site appeared as one of the first search results:

Google Results

Using HttpWatch we checked the IP address used by the site and found that it was the same as our latest cloud server:

IP Address

It wasn’t a copy of our site it was an existing DNS entry that was pointing at the same IP address as our server.

How could this have happened? The scenario may have gone something like this:

  1. A stolen credit card was used to register a domain name (e.g. malwarecentral.com) and setup an account at the cloud server provider.
  2. A DNS entry for the domain was setup for the new cloud server
  3. The cloud server may have been used for phishing, malware distribution or some other questionable activity
  4. The cloud server provider gets a chargeback on the credit card used to setup the account. The account is shutdown and all cloud servers related to that account are destroyed.
  5. The IP address of the server is returned to the provider’s pool of IPV4 addresses. The DNS entry for malwarecentral.com may have been created at another provider and was not deleted.
  6. We happened to get this IP address when we created a new cloud server and the DNS entry for malwarecentral.com was still using this IP address.

Tip: Never Use Default Binding For Your Web Site

A simple way to avoid old DNS entries referring to your site is to remove the default binding that allows any hostname to be used. In IIS the entry looks like this:

IIS Bindings

Once it is removed only requests containing the hostnames that you specify will be able to load pages.


There may be other consequences to reusing an IP address on your cloud server. It may have been black listed by email systems if it was sending spam and it could be blocked from other web sites or services if it was engaged in Denial Of Service (DOS) attacks or hacking attempts.

This problem doesn’t exist with IPv6 because it has such a large address space that the cloud server provider could create a new address for every server instance without ever having to reuse addresses from deleted servers. However, in today’s world where IPv4 dominates it’s worth remembering that your cloud server’s IP address may come with some baggage.


HttpWatch Goes 64-bit and Supports EPM on Windows 8

calendarApril 3, 2014 in HttpWatch , Internet Explorer

The latest update to HttpWatch is available for download and adds the features list below:

Full 64-bit and Enhanced Protected Mode Support

HttpWatch can now be used in 64-bit versions of IE and fully supports Enhanced Protected Mode (EPM) on Windows 8 and 8.1:

HttpWatch Supports 64-bit IE

Improved Performance on Windows 64-bit

The automation interface is now available in 64-bit, as well as 32-bit, providing improved performance in 64-bit automation clients.

HttpWatch also includes a 64-bit version of the HttpWatch Studio log file viewer that can load larger files and filter data more quickly.

Property Pane Displays User Name, Browser Mode and Windows Architecture

The Properties pane now displays the browser mode (e.g. EPM), user name and Windows architecture (e.g. x86 or x64):

New Values on Properties Pane

New Fields for CSV Output

New Page ID, Device Name and User Name fields are available in the CSV output:

New CSV Fields

Ready to get started? TRY FOR FREE Buy Now