The Cost of Switching Over to SSL, How Hard Was it for Google?

Google has made some decisive changes to its services over the last few months. We have seen a redesigned Search, a redesigned YouTube, Google News, changes in Google Apps and the addition of an Encrypted Search for enhanced security.


Google has provided HTTPS access on Gmail for a long time now. However, the latest decision to add SSL to other services in the future and to provide a separate encrypted page maintains the mojo Google is enjoying with its head start this year.

HTTPS is HTTP carried over an SSL-encrypted connection, which provides security. However, we have not seen it appear on mainstream websites yet. SSL security has been an issue for too long. Most websites do not provide it because it is perceived as a high-end feature and is believed to require powerful servers. On the contrary, HTTPS is not nearly as resource intensive on the server as it is believed to be.

Adam Langley, a Chrome engineer at Google, writes at Imperial Violet:

all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that.

However, the downside of SSL is that it adds considerable latency to connection setup. This research reveals a latency of 3.5x on SSL handshakes, the method of initializing a connection to a server. Basically, using SSL slows down connection establishment to a server. So did Google just compromise speed for security? Definitely not.

Google is using several mechanisms to reduce this latency. See this excerpt from the post at Langley’s blog.

OpenSSL tends to allocate about 50KB of memory for each connection. We have patched OpenSSL to reduce this to about 5KB.

Moreover, Google also caches most HTTPS requests, which allows it to serve them faster in subsequent queries. Google claims that this resume behavior takes place 50% of the time. Google has optimized SSL as far as it can.

These facts prove that SSL is not as resource intensive as it is made out to be. Its reputation for being more expensive is just a commercial aspect and a matter of business policy.

However, services that are not served through SSL can fall prey to critical attacks like these.

Published by

Chinmoy Kanjilal

Chinmoy Kanjilal is a FOSS enthusiast and evangelist. He is passionate about Android. Security exploits turn him on and he loves to tinker with computer networks. You can connect with him on Twitter @ckandroid.

  • Joseph A'Deo

    The latency is actually pretty negligible, if the SSL is implemented properly — the panic over slowness is unwarranted. What's unfortunate about Google's implementation, however, is that A) SSL connections are still optional, which means the people who need it most (those unaware of the nuance of online security) are least likely to use it. & B) they've failed to encrypt using the highest industry standard, Extended Validation, a move that would have *really* cut down on cloud-based phishing attempts. It's a step in the right direction, sure, but at VeriSign (I work for them) we feel like a few more need to be taken asap.
