It’s widely acknowledged that offering HTTPS connections on sites of all different types is a good thing for security and privacy. Encrypted connections prevent eavesdropping, man-in-the-middle attacks, and the altering of data traveling over the connection. However, owners of some types of site — although they may acknowledge the theoretical benefit — think the negatives outweigh the positives. They worry about the cost and complexity of implementing SSL / TLS, the difficulty of managing certificates, and I’ve quite often heard site owners complaining about the potential performance impact of establishing SSL / TLS connections.
I’d like to address the latter point. Will offering SSL / TLS — referred to as TLS from this point on — connections impact the performance of a site or increase the use of server resources?
The short answer: yes, it will do both, but unless you’re serving huge numbers of encrypted connections, the impact is so small that it is negligible in the real world.
Establishing an encrypted connection requires more round-trips than establishing a non-encrypted connection — keys have to be exchanged and so on. Clearly, if there are more round-trips when establishing the connection, it takes longer to start sending the data that really matters.
In reality, the additional latency is usually somewhere in the order of 20 milliseconds up to half a second in the worst cases. With solid hosting and a decent connection to the client, it’s likely to be towards the faster end of the spectrum, which is a negligible increase when compared to the security benefits. Delays towards the other end of the spectrum are unacceptable, but unlikely, and it depends on the specific hosting and network circumstances of the site in question. I usually advise site owners to test and optimize if they find problems.
TLS connections can be optimized to some degree.
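One way to run the test advised above, as an added example that is not part of the original article: it times the TCP connect and the TLS handshake separately on fresh connections and compares the handshake cost with the half-second worst case quoted above. The function names, the `SAMPLE` timings (constructed, not measured) and the round-trip estimate are assumptions of this example.

```python
import socket
import ssl
import statistics
import sys
import time


def measure(host, port=443, timeout=5.0):
    """Return (tcp_seconds, tls_seconds) for one fresh connection to host."""
    ctx = ssl.create_default_context()  # verifies certificate and hostname
    t0 = time.perf_counter()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        t1 = time.perf_counter()
        # Defer the handshake so it can be timed separately from TCP connect.
        with ctx.wrap_socket(raw, server_hostname=host,
                             do_handshake_on_connect=False) as tls:
            tls.do_handshake()
            t2 = time.perf_counter()
    return t1 - t0, t2 - t1


def report(samples):
    """Summarize (tcp_seconds, tls_seconds) pairs; results in milliseconds."""
    tcp = sorted(s[0] * 1000 for s in samples)
    tls = sorted(s[1] * 1000 for s in samples)
    tcp_med, tls_med = statistics.median(tcp), statistics.median(tls)
    return {
        "tcp_median_ms": round(tcp_med, 1),
        "tls_median_ms": round(tls_med, 1),
        "tls_worst_ms": round(tls[-1], 1),
        # Rough estimate: TCP connect takes about one round trip, so this
        # ratio approximates the extra round trips (plus crypto time).
        "tls_round_trips": round(tls_med / tcp_med, 1),
        # 500 ms is the worst case quoted in the article.
        "investigate": tls[-1] >= 500.0,
    }


# Constructed sample timings (seconds), not real measurements.
SAMPLE = [(0.020, 0.041), (0.022, 0.045), (0.019, 0.039), (0.021, 0.610)]

if __name__ == "__main__":
    if len(sys.argv) > 1:  # hostname of your own site as first argument
        data = [measure(sys.argv[1]) for _ in range(5)]
    else:
        data = SAMPLE
    print(report(data))
```

Each call to `measure` builds a new context, so every sample is a full handshake with no session resumption; returning visitors will usually see less.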
Increased Resource Use
A decade ago, the encryption overhead from setting up and maintaining TLS connections could be a significant burden for servers. Today, CPUs are substantially faster and the code has been radically optimized. Once again, there is a theoretical increase in the resources used, but it makes little difference to real world performance.
It’s long been a myth that data sent over TLS connections isn’t cached. Back in the day, browsers were incapable of caching data sent over TLS connections. Now almost all can. The only browsers that can’t are legacy applications with vanishingly small numbers of users (Internet Explorer 6). For all but the most niche applications, this isn’t an issue any more.
Unless you run a site that sees massive amounts of traffic, implementing TLS connections will make next-to-no difference to real-world performance.