Web Performance 101: SSL and Web Security

The Internet is an ever-growing repository of data – data which can be accessed publicly, and data that is either personal or highly classified which can only be accessed by those authorized to do so (in an ideal world, at least). There are a number of ways in which this data can be stolen or altered by hackers; the worldwide web cannot guarantee the safety of your data unless you ensure it is transferred and stored securely. Customers using online shopping and banking sites are easy targets for hackers and this has made it more important than ever to use data encryption as the first line of defense against cyber-attacks.

The big picture

Securing the online world is an ongoing battle; the number of data breaches has been on the rise for years. We have already witnessed a number of high-profile data breaches this year including the Clinton Campaign’s data breach and the 500 million user accounts stolen from Yahoo’s database.

Hackers use a number of different techniques to access customer data like phishing, DNS spoofing, code injection, to name a few. To keep your customer data safe, it is important to first collect/transfer data only through an encrypted channel. HTTP does not provide data security by default and this makes the connection vulnerable. On the other hand, HTTPS encrypts and secures the data exchange between the user (browser) and the website (server). HTTPS is a protocol that uses Secure Sockets Layer or SSL along with regular HTTP to establish a secure connection to transfer sensitive data over the internet.

SSL or TLS?

The terms SSL and TLS (Transport Layer Security) are often used interchangeably as both provide authentication and data encryption between a client and server. There are several versions of SSL, the successor to the last version of SSL (SSL 3.0) is called TLS – it is an improved version of the original SSL protocol. Even though TLS is the protocol currently supported by all browsers, it is commonly referred to as SSL.

Why do we need SSL?

SSL provides a secure channel between the client and server, allowing only encrypted transfers. Anyone trying to eavesdrop over an HTTP connection that uses SSL (HTTPS) will not be able to decipher the data being transferred. In addition to keeping your data safe, SSL is also used to protect the user’s identity. When a website requests for the geolocation or collects private information or preferences of the user as part of the website workflow, it must be encrypted or this data is exposed to anyone interested in harvesting sensitive user information.

Data such as phone numbers, social security numbers, bank account details and credit card info are constantly shared online by customers. The transfer of such data can be easily intercepted – a hacker can read the unsecured data, steal it or even rewrite the data making it easy to inject malicious code into the client’s system.

How is SSL integrated?

Implementing SSL on your website creates a trusted environment for your customers and significantly cuts down the chances of a data breach. To set up SSL –

• First you need to purchase an SSL certificate from an authorized vendor.
• The next step is to install or add this certificate to your webserver.
• Once the certificate is installed and activated, the pages that require encryption must be set to use HTTPS instead of HTTP.

How does it work?

When a customer transacts on a page that uses HTTPS, the server sends a copy off the SSL certificate to the browser for verification. A symmetric key pair is generated which is used to establish a secure channel between the browser and the server. The image explains the process; you can read a detailed explanation on this post.

SSL vs User Experience

If SSL is not implemented correctly it can affect site availability and performance. It is important to verify the authenticity of the SSL certificate vendor to prevent certificate errors. If the browser is unable to authenticate the server’s certificate, then it will block the user from accessing the website compromising the user experience altogether. Unsecured elements (including 3rd party objects) on pages served over HTTPS can be a major bottleneck. The page may either render with broken links and images or the page may not load at all. You must ensure SSL has been integrated properly and that it does not affect the digital experience. Read this interesting post to understand how SSL impacts performance and how Catchpoint was able to pinpoint the root cause of the issue.

SSL and HTTP/2

HTTP/2 is the latest version of HTTP that was developed using Google’s SPDY protocol. This version of HTTP provides enhanced speed, efficiency, and security. Although HTTP/2 supports secured and non-secured connections, browsers like Chrome and Firefox allows the use of HTTP/2 only over SSL. To enable HTTP/2 on a website it is mandatory to have the latest version of SSL/TLS implemented.

Most companies and businesses shy away from implementing SSL due to the cost and the overhead HTTPS adds to the page load time. We have explored the actual impact that SSL has on website performance here. When the page has SSL enabled, it requires extra round trips to establish a secure connection which impacts the site performance. Studies comparing HTTP/2 vs regular HTTPS transactions show that HTTP/2 is faster and more efficient as it allows multiplexing which has a positive impact on the page performance.

Prioritizing Security

A highly disturbing fact about the online world today is that cybercrime has become the norm. Every industry – eCommerce, healthcare, banking, educational and even military databases have become targets of cyber-attacks. It is important to implement at least the basic measures when it comes to protecting sensitive information. Using SSL/TLS provides a secure environment for users to share information and effectively prevent data breaches.