The Cost of Switching Over to SSL, How Hard Was it for Google?
By on July 4th, 2010

Google has made some decisive changes to its services over the last few months. We have seen a redesigned Search, a redesigned YouTube, Google News, changes in Google Apps and the addition of an Encrypted Search for enhanced security.

Google has provided HTTPS access on Gmail for a long time now. However, its latest decision to add SSL to other services in the future and to provide a separate encrypted page maintains the mojo Google has enjoyed with its head start this year.

HTTPS is HTTP carried over an SSL-encrypted connection, which provides security. However, we have not seen it appear on mainstream websites yet. SSL security has been an issue for too long. Most websites do not provide it because it is seen as a high-end feature and is believed to require powerful servers. On the contrary, HTTPS is not nearly as resource intensive on the server as it is believed to be.

Adam Langley, a Chrome engineer at Google, writes at Imperial Violet:

all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that.

However, the downside of SSL is that it adds considerable latency to connections. This research reveals that there is a latency of 3.5x on SSL handshakes, the method of initializing a connection to a server. Basically, using SSL slows down connection establishment to a server. So did Google just compromise speed for security? Definitely not.

Google is using several mechanisms to reduce this latency. See this excerpt from the post at Langley’s blog.

OpenSSL tends to allocate about 50KB of memory for each connection. We have patched OpenSSL to reduce this to about 5KB.

Moreover, Google also caches most HTTPS requests, which allows it to serve them faster on subsequent queries. Google claims that this resume behavior takes place 50% of the time. SSL has been optimized to its best at Google.

These facts prove that SSL is not as resource intensive as it is made out to be. The fact of it being more expensive is just a commercial aspect and a business policy.

However, services that are not served through SSL can fall prey to critical attacks like these.

Author: Chinmoy Kanjilal
Chinmoy Kanjilal is a FOSS enthusiast and evangelist. He is passionate about Android. Security exploits turn him on and he loves to tinker with computer networks. He rants occasionally at Techarraz.com. You can connect with him on Twitter @ckandroid.

Chinmoy Kanjilal has written and can be contacted at chinmoy@techie-buzz.com.

Copyright 2006-2012 Techie Buzz. All Rights Reserved.