HTTP vs HTTPS performance

Question

Are there any major differences in performance between http and https? I seem to recall reading that HTTPS can be a fifth as fast as HTTP. Is this valid with the current g

Answer 1

HTTPS requires an initial handshake which can be very slow. The actual amount of data transferred as part of the handshake isn't huge (under 5 kB typically), but for very small requests, this can be quite a bit of overhead. However, once the handshake is done, a very fast form of symmetric encryption is used, so the overhead there is minimal. Bottom line: making lots of short requests over HTTPS will be quite a bit slower than HTTP, but if you transfer a lot of data in a single request, the difference will be insignificant.

However, keepalive is the default behaviour in HTTP/1.1, so you will do a single handshake and then lots of requests over the same connection. This makes a significant difference for HTTPS. You should probably profile your site (as others have suggested) to make sure, but I suspect that the performance difference will not be noticeable.

Answer 2

Browsers can accept HTTP/1.1 protocol with either HTTP or HTTPS, yet browsers can only handle HTTP/2.0 protocol with HTTPS. The protocol differences from HTTP/1.1 to HTTP/2.0 make HTTP/2.0, on average, 4-5 times faster than HTTP/1.1. Also, of sites that implement HTTPS, most do so over the HTTP/2.0 protocol. Therefore, HTTPS is almost always going to be faster than HTTP simply due to the different protocol it generally uses. However, if HTTP over HTTP/1.1 is compared with HTTPS over HTTP/1.1, then HTTP is slightly faster, on average, than HTTPS.

Here are some comparisons I ran using Chrome (Ver. 64):

HTTPS over HTTP/1.1:

• 0.47 seconds average page load time
• 0.05 seconds slower than HTTP over HTTP/1.1
• 0.37 seconds slower than HTTPS over HTTP/2.0

HTTP over HTTP/1.1

• 0.42 seconds average page load time
• 0.05 seconds faster than HTTPS over HTTP/1.1
• 0.32 seconds slower than HTTPS over HTTP/2.0

HTTPS over HTTP/2.0

• 0.10 seconds average load time
• 0.32 seconds faster than HTTP over HTTP/1.1
• 0.37 seconds faster than HTTPS over HTTPS/1.1

Answer 3

In addition to everything mentioned so far, please keep in mind that some (all?) web browsers do not store cached content obtained over HTTPS on the local hard-drive for security reasons. This means that from the user's perspective pages with plenty of static content will appear to load slower after the browser is restarted, and from your server's perspective the volume of requests for static content over HTTPS will be higher than would have been over HTTP.

Answer 4

There is a way to measure this. The tool from apache called jmeter will measure throughput. If you set up a large sampling of your service with jmeter, in a controlled environment, with and without SSL, you should get an accurate comparison of the relative cost. I would be interested in your results.

Answer 5

December 2014 Update

You can easily test the difference between HTTP and HTTPS performance in your own browser using the HTTP vs HTTPS Test website by AnthumChris: “This page measures its load time over unsecure HTTP and encrypted HTTPS connections. Both pages load 360 unique, non-cached images (2.04 MB total).”

The results may surprise you.

It's important to have an up to date knowledge about the HTTPS performance because the Let’s Encrypt Certificate Authority will start issuing free, automated, and open SSL certificates in Summer 2015, thanks to Mozilla, Akamai, Cisco, Electronic Frontier Foundation and IdenTrust.

June 2015 Update

Updates on Let’s Encrypt - Arriving September 2015:

• Let's Encrypt Launch Schedule (Jun 16, 2015)
• Let's Encrypt Root and Intermediate Certificates (Jun 4, 2015)
• Draft Let's Encrypt Subscriber Agreement (May 21, 2015)

More info on Twitter: @letsencrypt

For more info on HTTPS and SSL/TLS performance see:

• Is TLS Fast Yet?
• High Performance Browser Networking, Chapter 4: Transport Layer Security
• Overclocking SSL
• Anatomy and Performance of SSL Processing

For more info on the importance of using HTTPS see:

• Why HTTPS for Everything? (The HTTPS-Only Standard)
• Let’s Encrypt (Internet Security Research Group)
• HTTPS Everywhere (Electronic Frontier Foundation)

To sum it up, let me quote Ilya Grigorik: "TLS has exactly one performance problem: it is not used widely enough. Everything else can be optimized."

Thanks to Chris - author of the HTTP vs HTTPS Test benchmark - for his comments below.

Answer 6

I made a small experiment and got 16% time difference for the same image from flickr (233 kb):

http://farm8.staticflickr.com/7405/13368635263_d792fc1189_b.jpg

https://farm8.staticflickr.com/7405/13368635263_d792fc1189_b.jpg

Of course these numbers depends on many factors, such as computer performance, connection speed, server load, QoS on path (the particular network path taken from browser to the server) but it shows the general idea: HTTPS is slowser then HTTP, since it requesres more operations to complete (SSL handshaking and encoding/decoding data).