Google has made some decisive changes to its services over the last few months. We have seen a redesigned Search, a redesigned YouTube, Google News, changes in Google Apps and the the addition of an Encrypted Search for enhanced security.
Google has provided HTTPS access from a long time on Gmail now. However, the latest decision to add SSL on other services in future and providing a separate encrypted page maintains the mojo Google is enjoying with the head-start this year.
HTTPS is a SSL encrypted HTTP which provides security. However we have not seen it appear on mainstream websites yet. SSL security has been an issue for too long. Most websites do not provide it because it is expected to be something of a high standard and is believed to require powerful servers. On the contrary, the truth is that HTTPS is not at all as resource intensive on the server as it is believed to be.
A Chrome Engineer at Google, Adam Langley writes at the Imperial Violet stating,
all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that.
However, the downside with SSL is that it includes a considerable latency in connection. This research reveals that there is a latency of 3.5x on SSL handshakes, the method of initializing a connection to server. Basically, using SSL connections slows down connection establishment to a server. So did Google just compromise speed for security? Definitely not.
Google is using several mechanisms to reduce this latency. See this excerpt from the post at Langley’s blog.
OpenSSL tends to allocate about 50KB of memory for each connection. We have patched OpenSSL to reduce this to about 5KB.
Moreover Google also caches most HTTPS requests which allows it to serve them faster in subsequent queries. Google claims that this resume behavior takes place 50% of the time. SSL has been optimized at its best at Google.
These facts prove that SSL is not as resource intensive as it is blamed to be. The fact of it being more expensive is just a commercial aspect and a business policy.
However, for services that are not being served through SSL, they can fall prey to critical attacks like these.