HTTPS / SSL and its negative impact on mobile speed.

Updated: November 2018

Google edicts! We’re sick of them. The new HTTPS speed penalty is incredible. To us, it’s horrible and appalling. There is a myth HTTPS / SSL Certification makes no increase in page delays. Our testing says otherwise. Read on.

“HTTPS sites also load significantly faster. In a test on HTTP vs HTTPS.com, the unsecure version of the page loads 334% slower than HTTPS.” – A3 creative Solutions

“HTTPS did have an impact on my page load times, however the difference is negligible and I only noticed a 300 millisecond difference.” – Dean Hume

“I need to make an apology … On Tuesday, I switched Blogging Wizard over to SSL (https). But in the process, I managed to crash the site completely… twice. Yep, twice.” – Adam

The quotes above reveal the foolishness of many people about site security and speed. HTTPS / SSL server handshaking creates an initial stall in making Internet connections. There’s a slow delay before anything starts to render on your visitor’s browser screen. This delay is measured in Time-to-First-Byte information (aka TTFB).

The HTTPS overhead (delay) is NOT due to the encryption. The overhead is due to the SSL handshakes. An extra time-to-first-byte delay of about 400 to 500 milliseconds is typical. Sites that were under 100 milliseconds TTFB are now over 500 milliseconds TTFB. When your performance budget is 2 seconds, that’s 25 percent waste.

HTTPS is slower because it does double the work. A normal HTTP request does a “2-leg” delay for network connections. This is a round-trip request and response. With HTTPS, you have 4-legs (2 round trips). It’s 100 milliseconds to travel between the client and the server. That means your first HTTPS request is at least 500 milliseconds. (That’s what we’re seeing happen.)

HTTPS handshake overhead appears in Time-to-First-Byte information (TTFB). Common TTFB ranges from under 100 milliseconds (best-case) to over 1.5 seconds (worst case). But, of course, with HTTPS it’s 500 milliseconds worse.

Roundtrip, wireless 3G connections can be 500 milliseconds or more. The extra trips double delays to 1 second or more. This is a big, negative impact on mobile performance. Very bad news.

So if you use SiteGround 1.2 second TTFB + 500 ms for SSL + 125 ms for CloudFlare redirect = 1.825 seconds TTFB total. Subtract that from 2 seconds and you don’t have much left (175ms). That’s the result on a desktop – not mobile.
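To see how much of a TTFB figure is handshake time rather than DNS, TCP connect or server wait, the sketch below splits curl's cumulative timings into phases. It is an added example, not PagePipe's own code; the two sample timing lines are constructed, and `measure()` assumes the `curl` binary is installed.

```python
import os
import subprocess
import sys

# Real curl --write-out variables; each is cumulative seconds since the start.
FIELDS = ("time_namelookup", "time_connect", "time_appconnect", "time_starttransfer")
CURL_FORMAT = " ".join("%{" + f + "}" for f in FIELDS)


def parse_timings(text):
    """Turn curl's space-separated timing line into a {field: seconds} dict."""
    values = [float(v) for v in text.split()]
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} timings, got {len(values)}")
    return dict(zip(FIELDS, values))


def measure(url, timeout=15):
    """Fetch url once with curl (must be installed) and return its timings."""
    result = subprocess.run(
        ["curl", "-s", "-o", os.devnull, "--max-time", str(timeout),
         "-w", CURL_FORMAT, url],
        capture_output=True, text=True, check=True,
        env={**os.environ, "LC_ALL": "C"},  # force '.' as the decimal separator
    )
    return parse_timings(result.stdout)


def breakdown(t):
    """Split cumulative timings into per-phase milliseconds."""
    # curl reports time_appconnect as 0 when no TLS handshake took place.
    tls_done = t["time_appconnect"] or t["time_connect"]
    phases = {
        "dns": t["time_namelookup"],
        "tcp": t["time_connect"] - t["time_namelookup"],
        "tls": tls_done - t["time_connect"],
        "server_wait": t["time_starttransfer"] - tls_done,
    }
    return {name: round(seconds * 1000) for name, seconds in phases.items()}


# Constructed sample lines (not measurements of any real site).
SAMPLE_HTTP = "0.020 0.120 0.000 0.230"
SAMPLE_HTTPS = "0.020 0.120 0.330 0.440"

if __name__ == "__main__":
    urls = sys.argv[1:]
    runs = [(u, measure(u)) for u in urls] or [
        ("sample http", parse_timings(SAMPLE_HTTP)),
        ("sample https", parse_timings(SAMPLE_HTTPS)),
    ]
    for label, timings in runs:
        print(label, breakdown(timings), "ttfb_ms:",
              round(timings["time_starttransfer"] * 1000))
```

Run it with the HTTP and HTTPS URLs of the same page as arguments, from the same network, to compare the two breakdowns side by side.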

To put those times in perspective, a free WordPress theme loads in under only 50 milliseconds.

HOW MANY HAVE MADE THE SWITCH TO HTTPS SO FAR?

SSL by Default Usage Statistics
Only 0.3 percent of Internet websites redirect users to a default HTTPS/SSL version. – trends.builtwith.com [Note: Click that All Internet stat button. Flat as a pancake growth.]

Big companies are the most compliant. Why? We suggest SEO PARANOIA. Fear of Google. Yep. Google has too much power. But you already knew that.

Don’t make the switch to HTTPS only for SEO purposes. It’s a resource-intensive process and there’s no strong correlation between the two.

Less than 0.3 percent! Hardly the stampede of panic many bloggers claim. Some are saying 30 percent of the web made the switch. That inflated bump occurred after Wikipedia switched to HTTPS. This shows the impact one powerhouse site can have. The English Wikipedia includes 5,475,729 articles and it averages 650 new articles per day. You can see why it made a statistical difference in HTTPS usage. But that hardly means everyone is using HTTPS.

Google announced using HTTPS as a “lightweight” ranking signal in search algorithms. Google stated if all factors are equal, HTTPS will act as a tiebreaker in search engine results. That was in mid-2014.

Google didn’t get significant compliance after 2 years. So, they incentivized moving from HTTP to HTTPS. Google Chrome browsers started shaming unencrypted HTTP websites. How? With a little “shield icon” in the Chrome address bar. See the chart below.

This information is found at https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html

How Google scarlet-letter shaming looks today:

This “not secure” warning appears only if form fields need populating. No form on the page? Then no scary warning.

So how do we get around not having SSL warning on PagePipe? We don’t use forms. We use text email links and protect them from spammers with this plugin:

★★★★★
Email Address Encoder
Active installs: 100,000+
Zip file size: 5k
All-time downloads: 332,978
Retention rate: 30 percent (high)

Doesn’t not using SSL Certification affect our SEO? Not in the least. Google said if everything on two sites is equal then SSL tips the scale for ranking. When are two sites ever exactly the same in Google’s 200-factor PageRank algorithm? (Factors are also known as signals). NEVER!

According to Google, HTTPS only acts as a “tiebreaker”.

Google Speed-Irony Strikes Again

We admit we love the irony of testing TTFB on Google’s page with the ByteCheck.com online testing tool:

Please note: ByteCheck is an HTTP site – not an HTTPS site. They know the price. Shown above: a 407-millisecond delay on a Google page. Yes. Even Google’s homepage for search has this new delay. Incredible!

Google’s TTFB for their HTTPS-information page is 407 milliseconds. Oops! It could have been less than 100 milliseconds – if they left HTTPS off the site. Is there a monetary or even information transaction on this page? Nope. Sheer waste of speed. Especially for mobile users.

Let’s look at a few more examples:

This site formerly changed hosts to avoid a 1.5-millisecond TTFB. The new host had a TTFB of fewer than 100 milliseconds. Bravo! But today, after the site owner added SSL Certification, TTFB is 533 milliseconds. We ask: In this case, how much additional TTFB delay is caused by HTTPS / SSL Certification? Does he need SSL? No. He just has email signups. No monetary transactions!

http://bytecheck.com/

459 milliseconds wasted!

That’s the same as adding a video or podcast player to every single page and post on the site.

If you botch installing HTTPS, you can end up with duplicate content issues. You’ll have both HTTP and HTTPS versions of your page getting indexed. Different versions of the same page might also show up in search engine results. This will confuse your visitors and lead to a negative user experience. HTTPS has a minor effect on search rankings. Producing quality, relevant content is still the most important SEO tactic.

To correct HTTPS problems, you have to do 301 redirects for every page and post of your site. Bummer! It takes time for Google to re-index your website and a certain drop in rankings will most likely happen.

“Don’t make the switch to HTTPS solely for SEO purposes. It’s a resource intensive process and there isn’t a strong correlation between the two.” – Neil Patel

There is no point in serving a blog over HTTPS when you have no sensitive data exchanged. Why on earth would Google force you to do it? Why would you favor a secure blog over a non-secure blog, if you don’t exchange any sensitive data anyway?

“My recent profile of my homepage, HTTP vs HTTPS, the average load times were 1.5s and 4.5s, respectively. When looking at the connection details, the big slow down factor was the extra round trips due to the SSL handshake. Mobile browsers over 3G was even worse. The numbers were 5s and 9s, respectively.” – Clint Pachl

Do site owners realize the contradictory nature of Google edicts about speed?

Google’s claim: To help you stay safe on the web, Chrome requires websites to use certificates from trusted organizations. – support.google.com

The argument is that the website owner is assured they’re going to the right website owned by the right party. In a perfect world, this would be correct. In the world we live in though, it’s incorrect. Not because the certificate doesn’t verify the owner – it does. If a website housing a phishing page has verified HTTPS, it will show the user the lovely green padlock. Everyday users see the padlock and trust everything else from there, even if it’s from a different domain. Deception!

HTTPS isn’t going to stop the spying of anything. The average user doesn’t care. HTTPS is not going to stop websites from getting hacked. Nor the distribution of malware or keeping website owners safe.

Let’s be honest–No one looks at site seals. As we progress forward the Green padlock does not mean you can Trust a website or its Databases, Frontend, UI, or its back-end. HTTPS is not a SOLUTION to “hey my website is safe and secure now.” – Source

HIDDEN COSTS OF HTTPS

You can get an SSL certificate for free. Blog posts debate the value of a free SSL Certificate. But, the costs can shoot up to $1,499/year if you opt for an SSL certificate from a provider like Symantec. You don’t have to provide corporate documentation to get SSL Certification. The authorization may be a simple email. Confirm the email inquiry, and you’re accepted as the authorized domain holder. Can Free TLS Certificates provided by Let’s Encrypt still be hacked? Absolutely. Anyone can get an SSL certificate – including hackers. They can set up a site to harvest information.

SSL Certificates aren’t justifiable for small business owners with limited budgets. Are you a blog owner that only asks for email info from your visitors? You’re better off spending your limited budget somewhere else.

But what if you’re using secure PayPal as a payment gateway? Why do you have to wear the derogatory “Scarlet Letter” on your site’s address bar? Why does a site that’s collecting zero information from anyone need an SSL certificate? It makes no sense at all. If your website doesn’t have financial transactions, why do you need an SSL certificate?

PagePipe lets PayPal take care of SSL Certification for ebook transactions.

If you have small, lightweight, 1M page weights or less, stick with HTTP. It’s all you need.

It’s often implied (pure lies?) HTTPS secures your website. It won’t. SSL Certification doesn’t make a website impervious to hackers. Labeling a site as secure because it has SSL is wrong. In error, users think they’re using a secure site when in reality it’s not better than before.

Let’s Encrypt has reportedly issued over 14,000 certificates to domains that impersonate PayPal. – source

What HTTPS will do is deliver the intended good or bad information securely. We repeat “good or bad” information. HTTPS is indifferent to what’s transmitted. Infected websites distribute malware. HTTPS doesn’t do anything to ensure displayed information’s integrity. HTTPS will also deliver manipulated information to unsuspecting website visitors. Installing a Secure Sockets Layer certificate prevents man-in-the-middle attacks. That’s it. It doesn’t warn of evil.

SSL certificates are there only to ensure message confidentiality, but not server identity. … You couldn’t trust SSL for owner identity before Let’s Encrypt either, nothing has changed. – source

An encrypted HTTPS connection doesn’t stop attackers from hacking a website or server. It won’t stop an attacker from exploiting software vulnerabilities. They can still do brute force access. Or cause Distributed Denial of Service (DDoS) attacks.

The problem with making something freely available to anyone that wants to use it, something like free certificates, is that in short order you can be sure that there will be some unsavory characters wanting to use it. As you’d expect this was exactly the case and the bad guys very quickly started encrypting their websites too. This is a testament to just how easy and painless Let’s Encrypt have made the process of obtaining certificates. – source

Encrypting information over HTTPS can be a good thing for some users – but not all users.

If you need speed – and don’t have critical confidential information – forget HTTPS and SSL Certification. Stick with the cheaper and faster HTTP.

PagePipe’s TTFB is 208 milliseconds on cheap shared GoDaddy hosting. No HTTPS / SSL Certificate delays added to global load times. Our book sales are handled using secure PayPal transactions.

OTHER READING:
https://www.troyhunt.com/cloudflare-ssl-and-unhealthy-security-absolutism/

According to BuiltWith, the entire Internet has 0.3 percent SSL adoption. Hardly the massive exodus Google and hosts like GoDaddy would have us believe.

Google still says TTFB – time to first byte – should be 200 milliseconds or less. But even Google’s homepage can’t follow that “specification” anymore. Speed tests give a red flag with slower TTFB. Google’s homepage slowed down by 400 to 500 milliseconds. Google flunks their own test.

PagePipe is moving clients off shared hosting to Pressidium. Because they have a 100- to 200-millisecond TTFB. With added SSL overhead, that’s faster than shared hosts. The new hosting costs about 10 times more than cheap shared hosting. We can then tolerate the TTFB handshaking performance hit for mobile-dominant audiences.

SSL compliance is only to the advantage of hosting providers. They charge for SSL services or faster TTFB. No one else benefits. We don’t care what they say about improved data security. SSL is false security. You can study that for yourself. Those with technical savvy know HTTPS is as vulnerable to tricksters and hackers. Perhaps more so.

Who wants improved data security? Google? Not improved site security – improved DATA security. Why? Because they’re in the “data collection and analysis” business. They need clean data. Not fake data. Fake data would destroy Google’s pristine credibility – and source of profits.

Q: With the improvements in browser throughput etc that comes with http/2 vs http/1.1, aren’t visitors likely to see significantly faster load times for https sites that include many small file downloads etc?

A: Is your host an HTTP/2 provider? How much does it cost? If so, then don’t worry about it. It’s encrypted already. But most of the world can’t afford the extra cost of HTTP/2. And it’s not available everywhere – yet. Note: Most HTTP sites have actually no need for encryption of any sort.

Q: Aren’t there security benefits for encrypting traffic between the visitor and the server?

A: This is a vaporous web myth. Perpetuating it makes hosts millions of dollars selling little green badges. How does Google benefit – since they are the ones cramming this down our throats by blackmail? The idea SSL makes the web safer is ridiculous. There’s no reward.

Q: The upcoming Chrome browser updates will show all non-https sites as “insecure.” Doesn’t this have an impact on user perception even when there is no sensitive data exchanged?

A: Without question. Google Chrome shames site owners into compliance. This is absolute blackmail by Google to change the Internet for their gain. How deep is our disdain? Defeating. We can’t believe the world is caving into this.

We care so much about the mobile speed 500-millisecond penalty we’re distraught. “Why try? It’s futile.” We’re David. They’re Goliath.

Quote:
“Undoubtedly, Google loves its users and therefore, is coming up with every possible way to make us feel secure here on the Internet.” – Source

Baloney! Propaganda! Note all the SSL buttons on this source above are “go” links – in other words, affiliate links. The author gets a kickback selling SSL certificates! How credible are these sources?

Is the Internet going crazy? Completely!

Google doesn’t do things without getting something back. So what is it? What gives with the Google hypocrisy? It’s not madness. It’s logic.

Google keeps data collected from free Google Font users, free Google Maps users, free Google Analytics, etc, etc. Google’s secret motivation for SSL is about “clean and pure data” – not your safety. It’s always collected free data to make money. Google contradicts their own speed policies to make SSL compliance happen. Don’t be fooled. It’s not altruism. Eavesdropping conspiracy? Nah! Google wouldn’t do that. Would they? That would be like Russians trying to fiddle with American elections. Too Big Brother. Orwellian snooping?

But if site data is encrypted, Google can’t be accused by anyone of illegal spying. Convenient. It’s then legal instead.

Google isn’t spying on users. It’s monitoring user activities with their consent. Whenever you use Google products, you’re presented with the terms and conditions. Users accept this before proceeding to use Google products. Users are accepting paying with their data instead of paying with money. Google keeps track of all possible data. Except for sensitive details like credit card and banking details – and now with SSL, they can prove it. Right?

Legal spying is called data collection, not spying.

‘Secure’ in Chrome Browser Does Not Mean ‘Safe’

Other than verifying that the domain owner actually owns the website, the certificate authority is not required to do anything else. SECURE does not mean that the domain is “Trusted”, “Safe”, “Not malicious” or anything else. Many phishing sites have a valid certificate issued by LetsEncrypt and appear as ‘Secure’ in the Chrome browser.

Cybercriminals slap a SSL certificate on their website and fool users into believing they’re safe. Because, let’s be honest, the average internet user has no idea what connection security is, much less what to look for. Too many people believe Secure = Safe. – Source

1.4 Million new Phishing Websites are Created Every Month

Last week our benevolent host, GoDaddy, emailed and then called us by phone saying Google was making the *big* Chrome change real soon. We needed to switch to SSL right away. Emergency! And that had a price tag. We refused to pay the $69.00 minimum per domain per year. None of our domains “need” SSL.

GoDaddy has 17 million customers. Do the math.

That’s over 11 BILLION dollars pure profit. GoDaddy loves customers drinking the Google Kool-aid.

More about the misinformation.

We have 17 separate experimental domains on GoDaddy. That SSL price tag (tax) is $1,173 per year. Most site owners are ignorant about what’s needed and trust GoDaddy to make recommendations and decisions. In the phone call, GoDaddy said, “As you know, Google now requires SSL.” As if to say, “It’s not our fault we have to ding you, it’s Google.” Credit card, please?

We’re digging in our heels. We loathe the pure absurdity of Herd Mentality.

It’s killing web speed.

A few extra thoughts: When someone tells us the sky is falling (you must have SSL), we always go, “Huh? We guess we missed that emergency.” Most of these events seem concocted and man-made. Exaggerated to cause a sense of panic. When we research the root cause, there exists a knee-jerk backlash overreaction to some anxiety-producing change. That “scare” grew disproportionately into a “web myth” – and then dogma.

This goes especially for promises of SSL security, SEO ranking, and performance speed. People are ripped off buying “promises of instant success and wealth.”

These panics – and ignorance – sell fear for profit, not actual results of helpful productivity. Scams prevail. In the case of SSL, we’re talking billions of dollars to fight a boogie man.

Panic gets people to act. So we approach these “web mandates” (propaganda?) with skepticism. We also don’t like bullies telling us there’s only one way to do things. Their way! Philosophical absolutism is rarely the real truth.

Why is Google so rabid about SSL shaming? They could just be flexing muscles to test their influence. They claim to favor web security. But they know SSL is full of holes and provides an opportunity for false user trust. Google says they also value and promote page speed. But SSL drags all sites by 500 milliseconds. Even Google knows that’s horrible.

MORE ONSITE READING
http://pagepipe.com/reduce-ssl-speed-for-easy-digital-downloads-plugin-and-paypal-transactions/

Godspeed—

Steve Teare
performance engineer
