Google edicts! We’re sick of them. The new HTTPS speed penalty is incredible. To us, it’s horrible and appalling. There is a myth HTTPS / SSL Certification makes no increase in page delays. Our testing says otherwise. Read on.
“HTTPS sites also load significantly faster. In a test on HTTP vs HTTPS.com, the unsecure version of the page loads 334% slower than HTTPS.” – A3 creative Solutions
“HTTPS did have an impact on my page load times, however the difference is negligible and I only noticed a 300 millisecond difference.” – Dean Hume“
I need to make an apology … On Tuesday, I switched Blogging Wizard over to SSL (https). But in the process, I managed to crash the site completely… twice. Yep, twice”. – Adam
The quotes above reveal the foolishness of many people about site security and speed. HTTPS / SSL server handshaking creates an initial stall in making Internet connections. There’s a slow delay before anything starts to render on your visitor’s browser screen. This delay is measured in Time-to-First-Byte information (aka TTFB).
The HTTPS overhead (delay) is NOT due to the encryption. The overhead is due to the SSL handshakes. An extra time-to-first-byte delay of about 400 to 500 milliseconds is typical. Sites that were under 100 milliseconds TTFB are now over 500 milliseconds TTFB. When your performance budget is 2 seconds, that’s 25 percent waste.
HTTPS is slower because it does double the work. A normal HTTP request does a “2-leg” delay for network connections. This a round-trip request and response. With HTTPS, you have 4-legs (2 round trips). It’s 100 milliseconds to travel between the client and the server. That means your first HTTPS request is at least 500 milliseconds. (That’s what we’re seeing happen.)
HTTPS handshake overhead appears in Time-to-First-Byte information (TTFB). Common TTFB ranges from under 100 milliseconds (best-case) to over 1.5 seconds (worst case). But, of course, with HTTPS it’s 500 milliseconds worse.
Roundtrip, wireless 3G connections can be 500 milliseconds or more. The extra trips double delays to 1 second or more. This is a big, negative impact on mobile performance. Very bad news.
So if you use SiteGround 1.2 second TTFB + 500 ms for SSL + 125 ms for CloudFlare redirect = 1.825 seconds TTFB total. Subtract that from 2 seconds and you don’t have much left (175ms). That’s the result on a desktop – not mobile.
To put those times in perspective, a free WordPress theme loads in under only 50 milliseconds.
HOW MANY HAVE MADE THE SWITCH TO HTTPS SO FAR?
SSL by Default Usage Statistics
Only 0.3 percent of Internet websites redirect users to a default HTTPS/SSL version. – trends.builtwith.com
Don’t make the switch to HTTPS only for SEO purposes. It’s a resource-intensive process and there’s no strong correlation between the two.
Google announced using HTTPS as a “lightweight” ranking signal in search algorithms. Google stated if all factors are equal, HTTPS will act as a tiebreaker in search engine results. That was in mid-2014.
Google didn’t get significant compliance after 2 years. So, they incentivized moving from HTTP to HTTPS. Google Chrome browsers started shaming unencrypted HTTP websites. How? With a little “shield icon” in the Chrome address bar. See chart below.
This information is found at https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html
Google Speed-Irony Strikes Again
We admit we love the irony of testing TTFB on Google’s page with ByteCheck.com online testing tool:
Google’s TTFB for their HTTPS-information page is 407 milliseconds. Oops! It could have been less than 100 milliseconds – if they left HTTPS off the site. Is there a monetary or even information transaction on this page? Nope. Sheer waste of speed. Especially for mobile users.
Let’s look at a few more examples:
This site formerly changed hosts to avoid a 1.5-millisecond TTFB. The new host had a TTFB of less than 100 milliseconds. Bravo! But today, after the site owner added SSL Certification, TTFB is 533 milliseconds. We ask: In this case, how much additional TTFB delay is caused by HTTPS / SSL Certification? Does he need SSL? No. He just has email signups. No monetary transactions!
459 milliseconds wasted!
That’s the same as adding a video or podcast player to every single page and post on the site.
If you botch installing HTTPS, you can end up with duplicate content issues. You’ll have both HTTP and HTTPS versions of your page getting indexed. Different versions of the same page might also show up in search engine results. This will confuse your visitors and lead to a negative user experience. HTTPS has a minor effect on search rankings. Producing quality, relevant content is still the most important SEO tactic.
To correct HTTPS problems, you have to do 301 redirects for every page and post of your site. Bummer! It takes time for Google to re-index your website and a certain drop in rankings will most likely happen.
“Don’t make the switch to HTTPS solely for SEO purposes. It’s a resource intensive process and there isn’t a strong correlation between the two.” – Neil Patel
There is no point serving a blog over HTTPS when you have no sensitive data exchanged. Why on earth would Google force you to do it? Why would you favor a secure blog over a non-secure blog, if you don’t exchange any sensitive data anyway?
“My recent profile of my homepage, HTTP vs HTTPS, the average load times were 1.5s and 4.5s, respectively. When looking at the connection details, the big slow down factor was the extra round trips due to the SSL handshake. Mobile browsers over 3G was even worse. The numbers were 5s and 9s, respectively.” – Clint Pachl
Do site owners realize the contradictory nature of Google edicts about speed?
Google’s claim: To help you stay safe on the web, Chrome requires websites to use certificates from trusted organizations. – support.google.com
The argument is that the website owner is assured they’re going to the right website owned by the right party. In a perfect world, this would be correct. In the world we live in though, it’s incorrect. Not because the certificate doesn’t verify the owner – it does. If a website housing a phishing page has verified HTTPS, it will show the user the lovely green padlock. Everyday users see the padlock and trust everything else from there, even if it’s from a different domain. Deception!
HTTPS isn’t going to stop the spying of anything. The average user doesn’t care. HTTPS is not going to stop websites from getting hacked. Nor the distribution of malware or keeping website owners safe.
Lets be honest–No one looks at site seals. As we progress forward the Green padlock does not mean you can Trust a website or its Databases, Frontend,. UI, or its back-end. HTTPS is not a SOLUTION to “hey my website is safe and secure now.” – Source
HIDDEN COSTS OF HTTPS
You can get an SSL certificate for free. Blog posts debate the value of a free SSL Certificate. But, the costs can shoot up to $1,499/year if you opt for an SSL certificate from a provider like Symantec. You don’t have to provide corporate documentation to get SSL Certification. The authorization may be a simple email. Confirm the email inquiry, and you’re accepted as the authorized domain holder. Can Free TLS Certificates provided by Let’s Encrypt still be hacked? Absolutely. Anyone can get an SSL certificate – including hackers. They can set up a site to harvest information.
SSL Certificates aren’t justifiable for small business owners with limited budgets. Are you a blog owner that only asks for email info from your visitors? You’re better off spending your limited budget somewhere else.
But what if you’re using secure PayPal as a payment gateway? Why do you have to wear the derogatory “Scarlet Letter” on your site’s address bar? Why does a site that’s collecting zero information from anyone need an SSL certificate? It makes no sense at all. If your website doesn’t have financial transactions, why do you need an SSL certificate?
If you have small, lightweight, 1M page weights or less, stick with HTTP. It’s all you need.
It’s often implied (pure lies?) HTTPS secures your website. It won’t. SSL Certification doesn’t make a website impervious to hackers. Labeling a site as secure because it has SSL is wrong. In error, users think they’re using a secure site when in reality it’s not better than before.
What HTTPS will do is deliver the intended good or bad information securely. We repeat “good or bad” information. HTTPS is indifferent to what’s transmitted. Infected websites distribute malware. HTTPS doesn’t do anything to ensure displayed information’s integrity. HTTPS will also deliver manipulated information to unsuspecting website visitors. Installing a Secure Socket Layer certificate prevents man-in-the-middle attacks. That’s it. It doesn’t warn of evil.
An encrypted HTTPS connection doesn’t stop attackers from hacking a website or server. It won’t stop an attacker from exploiting software vulnerabilities. They can still do brute force access. Or cause Distributed Denial of Services (DDOS) attacks.
Encrypting information over HTTPS can be a good thing for some users – but not all users.
If you need speed – and don’t have critical confidential information – forget HTTPS and SSL Certification. Stick with the cheaper and faster HTTP.
According to BuiltWith, the entire Internet has 0.3 percent SSL adoption. Hardly the massive exodus Google and hosts like GoDaddy would have us believe.
Google still says TTFB – time to first byte – should be 200 milliseconds or less. But even Google’s home page can’t follow that “specification” anymore. Speed tests give a red flag with slower TTFB. Google’s home page slowed down by 400 to 500 milliseconds. Google flunks their own test.
PagePipe is moving clients off shared hosting to Pressidium. Because they have a 100- to 200-millisecond TTFB. With added SSL overhead, that’s faster than shared hosts. The new hosting costs about 10 times more than cheap shared hosting. We can then tolerate the TTFB handshaking performance hit for mobile-dominant audiences.
SSL compliance is only to the advantage of hosting providers. They charge for SSL services or faster TTFB. No one else benefits. We don’t care what they say about improved data security. SSL is false security. You can study that for yourself. Those with technical savvy know HTTPS is as vulnerable to tricksters and hackers. Perhaps more so.
Who wants improved data security? Google? Not improved site security – improved DATA security. Why? Because they’re in the “data collection and analysis” business. They need clean data. Not fake data. Fake data would destroy Google’s pristine credibility – and source of profits.
QWith the improvements in browser throughput etc that comes with http/2 vs http/1.1, aren’t visitors likely to see significantly faster load times for https sites that include many small file downloads etc?
A: Is your host an HTTP/2 provider? How much does it cost? If so, then don’t worry about it. It’s encrypted already. But most of the world can’t afford the extra cost of HTTP/2. And it’s not available everywhere – yet. Note: Most HTTP sites have actually no need for encryption of any sort.
QAren’t there security benefits for encrypting traffic between the visitor and the server?
A: This is a vaporous web myth. Perpetuating it makes hosts millions of dollars selling little green badges. How does Google benefit – since they are the ones cramming this down our throats by blackmail? The idea SSL makes the web safer is ridiculous. There’s no reward.
QThe upcoming Chrome browser updates will show all non-https sites as “insecure.” Doesn’t this have an impact on user perception even when there is no sensitive data exchanged?
A: Without question. Google Chrome shames site owners into compliance. This is absolute blackmail by Google to change the Internet for their gain. How deep is our disdain? Defeating. We can’t believe the world is caving into this.
We care so much about the mobile speed 500-millisecond penalty we’re distraught. “Why try? It’s futile.” We’re David. They’re Goliath.
“Undoubtedly, Google loves its users and therefore, is coming up with every possible way to make us feel secure here on the Internet.” – Source
Baloney! Propaganda! Note all the SSL buttons on this source link above are “go” links – in other words, affiliate links. The author gets a kickback selling SSL certificates! How credible are these sources?
Is the Internet going crazy? Completely!
Google doesn’t do things without getting something back. So what is it? Google keeps data collected from free Google Font users, free Google Maps users, free Google Analytics, etc, etc. Google’s secret motivation for SSL is about “clean and pure data” – not your safety. It’s always collected free data to make money. Google contradicts their own speed policies to make SSL compliance happen. Don’t be fooled. It’s not altruism. Eavesdropping conspiracy? Nah! Google wouldn’t do that. Would they? That would be like Russian’s trying to fiddle with American elections. Too Big Brother. Orwellian snooping?
But if site data is encrypted, Google can’t be accused by anyone of illegal spying. Convenient. It’s then legal instead.
Google isn’t spying on users. It’s monitoring user activities with their consent. Whenever you use Google products, you’re presented with the terms and conditions. Users accept this before proceeding to use Google products. Users are accepting paying with their data instead of paying with money. Google keeps track of all possible data. Except sensitive details like credit card and banking details – and now with SSL they can prove it. Right?
Legal spying is called data collection, not spying.
‘Secure’ in Chrome Browser Does Not Mean ‘Safe’
Other than verifying that the domain owner actually owns the website, the certificate authority is not required to do anything else. SECURE does not mean that the domain is “Trusted”, “Safe”, “Not malicious” or anything else. Many phishing sites have a valid certificate issued by LetsEncrypt and appear as ‘Secure’ in the Chrome browser.
Cybercriminals slap a SSL certificate on their website and fool users into believing they’re safe. Because, let’s be honest, the average internet user has no idea what connection security is, much less what to look for. Too many people believe Secure = Safe. – Source
Last week our host, GoDaddy, emailed and then called us by phone saying Google was making the *big* Chrome change real soon. We needed to switch to SSL right away. Emergency! And that had a price tag. We refused to pay the $69.00 dollars minimum per domain per year. None of our domains “need” SSL.
GoDaddy has 17 million customers. Do the math.
That’s over 11 BILLION dollars pure profit. GoDaddy loves customers drinking the Google Kool-aid.
We loathe the pure absurdity of Herd Mentality.
It’s killing web speed.
A few extra thoughts: When someone tells us the sky is falling (you must have SSL), we always go, “Huh? We guess we missed that emergency.” Most of these events seem concocted and man made. Exaggerated to cause a sense of panic. When we research the root cause, there was a knee-jerk backlash overreaction to some anxiety producing change. That “scare” grew disproportionately into a “web myth” – and then dogma.
This goes especially for promises of SSL security, SEO ranking, and performance speed. People are ripped off buying “promises of success and wealth.”
These panics – and ignorance – sell fear for profit, not actual results of helpful productivity. Scams prevail. In the case of SSL, we’re talking billions of dollars to fight a boogie man.
Panic gets people to act. So we approach these “web mandates” with skepticism (propaganda?). We also don’t like bullies telling us there’s only one way to do things. Their way! Philosophical absolutism is rarely real truth.