HTTPS: is security worth the performance penalty?
#What is HTTPS?
Let me ask you a few questions before answering that. Have you ever wondered how a message that you write on your PC can reach someone from the other side of the planet when using an instant messaging service? Have you ever wondered what happens to it once it exits through your internet cable? The answer is not very complex and is somewhat similar to explaining someone how international mail works. Once you have the mail written, you give it to an organization with a huge amount of connections that then finds another organization like it in order to shorten the distance to the mail’s final destination until it actually reaches it. The internet works in a very similar way with a gigantic amount of interconnected computers that receive and send your messages until they finally reach their destination.
#What does mail have to do with HTTPS?
Well, mail is passed through many hands, so there may be quite a few eyeballs interested in aiming towards your sensitive and personal verbal substance. In the case of mail, the seal-bearing envelope was used to offer at least some kind of alleviation to the privacy problem by proving that a mail was not tampered with. When it comes to digital information, however, you cannot simply wrap a message in a digital envelope because opening a digital message does not alter it in any kind of way, and the middleman that’s supposed to further it can make a virtually unlimited amount of perfect copies without breaking a sweat. Digital data had to be safe, which is why we’re using encryption to send it through insecure networks.
#So encryption is like a secure seal?
Yes, but while a seal can be shamelessly broken, encryption is nigh impossible to break. HTTPS (HTTP Secure) uses it to make sure that everything you send through this protocol can only be decrypted by the person that’s supposed to receive the message. To make this work, only the communicating parties should know how the message was encrypted and no one else. Today, after so many years of research in the field of cryptography, we use certified encryption algorithms that are virtually impossible to crack. They use unique keys–which are nothing more than short strings of characters–to make every encryption unique and exceptionally hard to decrypt without the exact key that it was originally encrypted with. As a lot of these message exchanges happen at very large distances, selecting a key had to be done through the same insecure networks. Obviously, sending the key would not work as anyone would be able to decrypt the subsequent messages. The solution to this was to send just a hint through the insecure network that only the receiving party would be able to understand. This would work in a very similar fashion to the sly-but-feeble face expression that only your best friend would understand out of all those people at the party you’re at. This is, in a very coarse way, what is called a digital handshake. It, combined with the complete encryption of all requests and responses, comprises the biggest part of HTTPS, i.e. making sure only you and the server understand each other’s messages.
#Okay, but what if there’s someone impersonating someone on the internet?
HTTPS has you covered. Let me illustrate: in the case of ordinary mail, the recipient is a trusted, known person that you most probably met in real life. The internet, on the other hand, works in a totally different way. To solve the trust issues, HTTPS uses something called certificates. Big internet companies that are trusted by your browser/OS combination offer certificates to websites that are willing to pay for them. They are practically impossible to forge and offer basic information about the website you are trying to access, information that has been thoroughly inspected by the issuing company, and which is guaranteed by the same company to be accurate until the expiry date of the certificate. In case of tampering, use of someone else’s certificate, forgery, or even them being issued by shady, not trusted companies, your browser will warn you that although you have a secure connection with the website, that website is pretending to be someone else and might want to steal your information.
So, in just a few words, HTTPS makes sure the website you’re trying to access is a real company/person with no malign intentions and that all the information you exchange with this online body is kept strictly between the two of you unless one party decides to share it with the world.
#Sounds neat, but what’s this performance issue that I’ve been hearing about?
If you’re considering to change from HTTP to HTTPS, this is what you have to bear in mind apart from the obvious security enhancement:
- Credibility: The credibility of the site increases with the help of certificates, which may also increase click rate on search engine results pages (SERP).
- Page views: The number of visitors can also increase due to the added security and certification, but there is no formula to prove it.
- Google SEO boost: Google presumably improves the SEO performance of secure websites.
- Speed: The key handshake takes time and will inevitably increase the response time.
- SSL Certificate: You need to pay for the certificate, but the price is not so high ( June 2016 edit: we are currently using Let’s Encrypt, which generates free HTTPS certificates). (about $9/year)
- Ad income: There are fewer ads running on HTTPS, so you might notice a slight decrease in your ad revenue.
- Social links: All social shares are reset because the links are different. This obviously won’t affect new posts.
- WordPress issues: Some plugins/themes may not be fully compatible with HTTPS which means that you will need to work on fixes.
So, is HTTPS worth it? If you care about your reader’s privacy and security, it is. But this question is not quite as easy to answer. Maybe your website does not transfer any sensitive data? Maybe you need the highest speed? Maybe you have a simple, static website? Whether or not the change is useful is ultimately up to you.
Smart Managed WordPress Hosting
Presslabs provides high-performance hosting and business intelligence for the WordPress sites you care about.