COMPARISON BETWEEN HTTP AND HTTPS PERFORMANCE
A performance analysis of HTTP and HTTPS
Cristian Udrescu
University POLITEHNICA of Bucharest
Bucharest, Romania
[anonymized]
Abstract — The increased concern for security in web
applications and privacy of user information has led to
increasing adoption of the HTTPS protocol over HTTP. The
benefits of the encrypted communication offered by
HTTPS come with a few costs, determined by the overhead
introduced in terms of infrastructure, latency and data usage.
Additionally, any services between the server and client, such as
proxies and caches, become ineffective due to the opaqueness of
the communication.
This paper addresses the performance overhead added by the
HTTPS protocol over HTTP by measuring the average loading
time for a large data set in different formats in a web application
deployed on different servers.
Keywords — network protocols, HTTPS performance, TLS,
SSL
I. INTRODUCTION
The HyperText Transfer Protocol (HTTP) was
introduced in 1997 when the Internet and web applications
were still in an early stage and most websites consisted of
static content displayed in a browser. Since then, the Internet
has changed significantly, becoming the primary
infrastructure for communication, commerce, education and
information storage and access. Enabling users to easily
communicate sensitive information online was a necessary
condition for its growth.
The core protocols of the World Wide Web, namely HTTP
and HTML, were not designed with security in mind. As a
result, a series of new technologies have been gradually
introduced to the basic web stack.
HTTPS is the dominant protocol used to secure web
traffic and consists of layering HTTP traffic over the
SSL/TLS encrypted transport protocols.
While originally developed for websites that required
data confidentiality or authentication between server and
client, like online-banking systems or e-commerce services,
the increased concern for users' privacy has led to the
adoption of HTTPS by the large majority of websites, such
as Gmail, Facebook or YouTube. Google announced its
intention to implement HTTPS for all the services it
provides (Fig. 1).
Figure 1. Adoption of HTTPS in Google services
According to [1], more than 50% of the web traffic today
is secured through HTTPS and this number is increasing.
However, security comes at a cost and HTTPS is no
exception.
While encryption provides a clear benefit to the user in
terms of confidentiality and authentication it could have
implications that are harder to assess. Middleware services
aiming to reduce the amount of traffic, compress content
before transmission or filter inappropriate/undesired content
to protect users suddenly become ineffective in the presence
of encryption.
In this article we aim to determine the performance
overhead added by this protocol when compared to HTTP.
We will analyze how TLS impacts latency and data
consumption. HTTPS requires an additional handshake
between the client and the server and adds computational
cost for encryption operations. Our goal is to determine how
significant these costs are for a web application. In the
following paragraphs we give an overview of the HTTPS
protocol, present the testing mechanism we developed and
the performance difference that we noticed.
II. RELATED WORK
Security of the web communication has been the subject
of a lot of research and HTTPS in particular has received a
lot of academic attention. However most papers have
focused on the implementation details or the potential
vulnerabilities of the protocol and how they can be avoided.
In [2] the authors analyze the underlying model
of the HTTPS protocol and its certificates and go through the
security challenges the protocol has faced since its creation
and the enhancements made to overcome these issues.
Another study [3] focuses on HTTPS
hijacking attacks and proposes three different measures to
defend against them: a static ARP table, an enhanced
certificate system and two-way authentication.
The article [4] researches HTTPS vulnerability against
SSL-MITM (SSL Man in the Middle) attacks and suggests a
few methodologies to prevent the decoding of confidential
data.
We have found only 2 articles whose main subject is
similar to our paper tackling the costs introduced by HTTPS
and the performance overhead it brings when compared to
HTTP.
The first article, “A comparison of HTTP and HTTPS
performance” [5], was published in 1998 by Arthur
Goldberg, Robert Buff and Andrew Schmitt and compares
the performance of encrypted and unencrypted web
communications.
The authors have compared the average and median
response time for the same application serving static HTML
documents on two popular web servers at that time, Netscape
Enterprise Server 3.5.1 and Microsoft IIS 4.0 and concluded
that encryption increases this time by at most 22%.
The second article, “The cost of the S in HTTPS” [6],
published in 2014, takes a more complete view of the
overhead introduced by HTTPS, analyzing the adoption rate
of HTTPS over the last 3 years and the costs in webpage
load time, data usage, battery life of devices and loss of
value-added services.
In order to quantify the HTTPS page load time overhead
the authors measured the load time for the top 500 Alexa
sites 20 times, first using HTTP and then HTTPS. The pages
were downloaded using the PhantomJS headless browser
running on a Linux PC connected to a 3G USB modem and
via fiber.
The results show that using HTTPS significantly
increases load time. For a 3G connection the extra latency is
larger than 500 ms for about 90% of websites, resulting in an
inflation factor larger than 1.5x. On fiber the extra latency is
smaller but still significant, resulting in a 1.3x increase. An
important factor of the load overhead is the time required to
establish a connection and the increased time per handshake
caused primarily by TLS negotiation overhead.
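A measurement of this kind can be reproduced along the following lines. This is an added example, not code from this paper or from [6]: it times the TCP connect, the TLS handshake and the full response separately on a fresh connection, then derives the extra latency and inflation factor. The function names, the use of the median and the example.com placeholder host are assumptions.

```python
import socket
import ssl
import statistics
import time

def time_request(host, port, use_tls, path="/", timeout=10.0):
    """One GET on a fresh connection: (tcp_connect_s, tls_handshake_s, total_s)."""
    request = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
               "Connection: close\r\n\r\n").encode("ascii")
    start = time.perf_counter()
    sock = socket.create_connection((host, port), timeout=timeout)
    connected = time.perf_counter()
    try:
        if use_tls:
            # A new context per call means no session resumption, so every
            # sample pays a full handshake with certificate verification.
            ctx = ssl.create_default_context()
            sock = ctx.wrap_socket(sock, server_hostname=host)
        secured = time.perf_counter()
        sock.sendall(request)
        while sock.recv(65536):  # drain the response until the server closes
            pass
        done = time.perf_counter()
    finally:
        sock.close()
    return connected - start, secured - connected, done - start

def summarize(http_samples, https_samples):
    """Compare two lists of time_request() tuples (median-based, an assumption)."""
    http_total = [s[2] for s in http_samples]
    https_total = [s[2] for s in https_samples]
    med_http = statistics.median(http_total)
    med_https = statistics.median(https_total)
    med_handshake = statistics.median([s[1] for s in https_samples])
    return {
        "mean_http": statistics.mean(http_total),
        "mean_https": statistics.mean(https_total),
        "extra_latency_s": med_https - med_http,
        "inflation": med_https / med_http,
        "handshake_share": med_handshake / med_https,
    }

if __name__ == "__main__":
    host = "example.com"  # placeholder; replace with a server you operate
    plain = [time_request(host, 80, False) for _ in range(20)]
    tls = [time_request(host, 443, True) for _ in range(20)]
    print(summarize(plain, tls))
```
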
HTTPS also impacts the volume of data usage due to the
size of TLS handshake and the inability to use network
caches or compression proxies.
The impact of the TLS handshake is determined by the size
of data transferred through the connection: the more data
transferred, the lower the negotiation cost. Measurements
done by the authors show that the average TLS negotiation
overhead amounts to 5% of the total volume of data.
In regard to the second cause of increased data usage, the
article concluded that most users are unlikely to notice
significant jumps in data usage due to loss of compression,
but ISPs stand to see a large increase in upstream traffic due
to loss of caching.
The effect on battery life has been tested on a mobile
device with a power meter that samples the current drawn by
the phone while loading a webpage 50 times over HTTP and
HTTPS using Chrome for Android. The conclusion of this
test was that HTTPS cryptographic operations have almost no
impact on energy costs.
The loss of value-added services, such as deep packet
inspection, simple URL filtering, content prioritization or
blocking tracking cookies, is difficult to quantify but has an
impact on the performance of web applications.
Each of the papers mentioned above analyzes the
performance difference between HTTPS and HTTP and
provides benchmarked results to support the conclusion that
HTTPS adds an overhead in page loading time that can be
critical, especially in mobile networks.
While the articles above conducted their tests by
measuring the load time of a webpage, this paper focuses on
measuring the overhead added by HTTPS to the response
time of REST services using different response formats such
as JSON, XML or OCTET_STREAM.
III. PROTOCOL OVERVIEW
IV. EXPERIMENTAL METHODOLOGY
V. EXPERIMENTAL RESULTS
VI. CONCLUSION
VII. REFERENCES
[1] Kranch, Michael, and Joseph Bonneau. "Upgrading HTTPS in Mid-Air."
(2015).
[2] Clark, Jeremy, and Paul C. van Oorschot. "SoK: SSL and HTTPS:
Revisiting past challenges and evaluating certificate trust model
enhancements." Security and Privacy (SP), 2013 IEEE Symposium on.
IEEE, 2013.
[3] Cheng, Kefei, Meng Gao, and Ruijie Guo. "Analysis and research on
HTTPS hijacking attacks." Networks Security Wireless Communications
and Trusted Computing (NSWCTC), 2010 Second International
Conference on. Vol. 2. IEEE, 2010.
[4] Chomsiri, Thawatchai. "HTTPS Hacking protection." Advanced
Information Networking and Applications Workshops, 2007, AINAW'07.
21st International Conference on. Vol. 1. IEEE, 2007.
[5] Goldberg, Arthur, Robert Buff, and Andrew Schmitt. "A comparison of
HTTP and HTTPS performance." Computer Measurement Group,
CMG98 (1998).
[6] Naylor, David, et al. "The cost of the s in https." Proceedings of the
10th ACM International on Conference on emerging Networking
Experiments and Technologies. ACM, 2014.
