HTTPS is the future (HTTP/2.0)? How about the SSL overhead (for CPU)?

Started by BenYeeHua, December 22, 2013, 09:31:33 AM

BenYeeHua

As we know, HTTP/2.0 will force HTTPS (this might change). Doing this is not a bad thing for users, but how about the SSL overhead?

As the Bitsum forum is using HTTPS, I wonder how much CPU usage forcing it costs, and what the issues with forcing it are. :)
As for the overhead of the network handshake, I guess it will not become an issue for HTTPS/2.0 or SPDY (as there is only 1 connection to the server), except when keep-alive is not there or it has timed out.

Anyway, it is still surprising that Google only gets less than 1% CPU load, but that is not the case for other people.
I wonder how "strong" the CPUs that Google is using are... :o
Quote: In January this year (2010), Gmail switched to using HTTPS for everything by default. Previously it had been introduced as an option, but now all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that.
https://www.imperialviolet.org/2010/06/25/overclocking-ssl.html

Some information about HTTP/2.0
http://http2.github.io/http2-spec/#rfc.section.9.2
http://bitsup.blogspot.com/2013/08/ssl-everywhere-for-http2-new-hope.html
http://www.guypo.com/feo/http2-0-is-good-news-for-cdns-and-feo/

For HTTP/1.1 switch to SSL
http://www.artandlogic.com/blog/2013/05/to-ssl-or-not-to-ssl/
http://www.artandlogic.com/blog/2013/06/performance-tuning-all-ssl-webapps/

Issues for SSL
http://www.mysqlperformanceblog.com/2013/10/10/mysql-ssl-performance-overhead/
http://blog.twitch.tv/2013/06/regarding-recent-chat-issues/

Ways to get started with SSL
http://erik.io/blog/2013/06/08/a-basic-guide-to-when-and-how-to-deploy-https/

Jeremy Collake

Yep, Google has demonstrated that this can be done without any substantial increase in computational or memory load. I have been tempted to switch all bitsum.com pages to SSL.
Software Engineer. Bitsum LLC.

BenYeeHua

So did you find out that the overhead is high?
And did you succeed in getting it lower? :)

Jeremy Collake

There just hasn't been any compelling reason to go 100% SSL, and uncertainty as to the end net effect. Business hates uncertainty. That's why Google's published results are so important, they help to predict the impact. Still, even if performance concerns are of little consequence, there are other possible complications to making a full switch.
Software Engineer. Bitsum LLC.

BenYeeHua

Yes, based on what I know, SSL has more issues than HTTP without SSL: if the servers are not set up/configured correctly, the browser has to work around/fix it, or the user can't browse that website.

And too bad that, so far, only Google has said that they are getting less than 1% CPU usage and 2% network overhead, and there is no more information about it (you know, the more cores/the stronger the CPU and network, the lower the usage); the other companies also haven't said what they faced while switching to SSL.

If HTTP/2.0 really forces SSL all the way, it is good for users, but bad for business, like you said.
As a user, I hope they will not cancel this decision.

Just look at many bank websites: so far they only use HTTPS for their login page, not 100% SSL. As a hotel providing WiFi, I can say that it would be an easy job to change the link to the login page to a fake one if they are using Google Chrome, Firefox, etc., which also force HTTPS for Google (so it means that I can't change the results on Google, only the bank).
Of course I can use DNS to point to my fake website; most people don't know what HTTP/HTTPS is, so they will not notice that it is HTTP, not HTTPS.
PS: I am not doing this, this is just an example.

Anyway, they have a workaround for reducing this 'uncertainty', right?
Like starting to use a CDN which supports SPDY or HTTP/2.0 (in the future), while keeping the server on HTTP/1.1.
The only bad thing about this, I guess, is the money, so small companies/websites can't use this workaround.

Anyway, let's see whether they will succeed in forcing SSL for HTTP/2.0 or not, and there will be many topics about how to reduce the overhead of SSL, etc. :)
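
The "HTTPS only for the login page" concern in the last post, turned into a site-owner audit; this is an added example, not part of the thread. It flags login links and password forms whose integrity depends on a page delivered over plain HTTP. The keyword list, function names and sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

LOGIN_HINTS = ("login", "signin", "logon")  # assumed keywords, not from the thread

class _EntryPoints(HTMLParser):
    def __init__(self):
        super().__init__()
        self.targets = []       # each entry: [kind, raw_url, has_password]
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.targets.append(["link", a["href"], False])
        elif tag == "form":
            self._form = ["form", a.get("action") or "", False]
            self.targets.append(self._form)
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._form is not None:
                self._form[2] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def audit_login_entry_points(page_url, html):
    """Flag login links/forms that a network intermediary could rewrite."""
    parser = _EntryPoints()
    parser.feed(html)
    page_is_http = urlparse(page_url).scheme == "http"
    findings = []
    for kind, raw, has_password in parser.targets:
        target = urljoin(page_url, raw)  # empty action resolves to the page itself
        if not (has_password or any(h in target.lower() for h in LOGIN_HINTS)):
            continue
        scheme = urlparse(target).scheme
        if scheme == "http":
            findings.append((kind, target, "credentials path is plain HTTP"))
        elif scheme == "https" and page_is_http:
            findings.append((kind, target, "HTTPS login reached from plain-HTTP page"))
    return findings

# Constructed sample: an HTTP home page linking to an HTTPS login page.
SAMPLE_URL = "http://bank.example/"
SAMPLE_HTML = """<a href="/about">About</a>
<a href="https://bank.example/login">Online banking</a>
<form action="/search"><input type="text" name="q"></form>
<form action="/auth"><input type="password" name="pw"></form>"""
```

Running the same HTML with an `https://` page URL returns no findings, which is the case for serving the whole site over HTTPS rather than only the login page.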