
 

The Journal du Guoyu - Blog on Business and Technology in China.


SSL Connection Latency in China

In the past, HTTPS connections were considered much slower than unencrypted HTTP connections. Yet encrypted connections are so crucial to eCommerce websites and apps that many companies have now set HTTPS as their default connection type. In this article we discuss SSL latency in the context of the Chinese Internet.


A very practical way to measure the difference between HTTPS and HTTP connections is to use the curl tool with the "-w" parameter. For example, by running the following command we can calculate the exact time difference when initiating the SSL handshake from a local machine to CNUK.COM:

$ curl -w "TCP handshake: %{time_connect}, SSL handshake: %{time_appconnect}\n" -so /dev/null https://www.cnuk.com

We ran the above command on Google hosting infrastructure and got the output below:
TCP handshake: 0.137, SSL handshake: 0.249
The result from another node in North America shows an acceptable delay:
TCP handshake: 0.244, SSL handshake: 0.654
Meanwhile, the same operation on a China-hosted machine shows a significant delay:
TCP handshake: 1.940, SSL handshake: 2.646
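
curl's timers are cumulative from the start of the request, so the "SSL handshake" figure printed above also contains the TCP connect time. The script below is an added example, not part of the original post: it subtracts the two timers to isolate the TLS cost and takes a median over repeated runs. The function names tls_only, median and sample_tls are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Works on lines in the post's
# own -w format: "TCP handshake: <time_connect>, SSL handshake: <time_appconnect>".

# tls_only: read such lines on stdin, print the TLS-only cost in seconds.
# curl's timers are cumulative from the start of the request, so the TLS
# handshake by itself is time_appconnect - time_connect.
# Exits 1 when time_appconnect is 0, which curl reports for plain HTTP or
# when the handshake never completed.
tls_only() {
  LC_ALL=C awk -F'[:,]' '
    ($4 + 0) <= 0 { exit 1 }
    { printf "%.3f\n", $4 - $2 }'
}

# median: read one number per line on stdin, print the median.
median() {
  LC_ALL=C sort -n | LC_ALL=C awk '
    { v[NR] = $1 }
    END {
      if (NR == 0) exit 1
      if (NR % 2) printf "%.3f\n", v[(NR + 1) / 2]
      else        printf "%.3f\n", (v[NR / 2] + v[NR / 2 + 1]) / 2
    }'
}

# sample_tls URL [COUNT]: run the post's curl command COUNT times (default 5)
# and print the median TLS-only time. Needs network access.
sample_tls() {
  st_url=$1
  st_left=${2:-5}
  while [ "$st_left" -gt 0 ]; do
    curl -w "TCP handshake: %{time_connect}, SSL handshake: %{time_appconnect}\n" \
         -so /dev/null "$st_url" | tls_only ||
      echo "sample failed: no TLS handshake completed" >&2
    st_left=$((st_left - 1))
  done | median
}

# Example: sample_tls https://www.cnuk.com 5
```

Fed the three outputs quoted above, tls_only gives 0.112, 0.410 and 0.706 seconds of TLS-only time respectively.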

We will talk about general web hosting in a separate post. For now, please note the extra handshake time added by the SSL connection, which can take up to 3-5 seconds in China if you are using an SSL cert from a foreign Certificate Authority (CA). In our case, CNUK.COM uses an SSL cert from the Let's Encrypt Authority. From the user-experience perspective, 3-5 seconds of SSL handshake time is not satisfactory at all, and this does not yet include the DNS/web hosting delay.
There are several ways to optimise HTTPS connections, from the level of cert encryption (1024/2048/4096) to the configuration of web servers, as well as the selection of CA.

Technically, WoSign (沃通), as a local Chinese CA, could have been in the best position to provide the fastest SSL connections for clients in China, and its products are already widely used in China. However, there has recently been a debate regarding security concerns about WoSign's products and its business cooperation with StartCom. Information can be found on the Mozilla forum and elsewhere. It is recommended to keep observing how things develop before making a decision.


Posted by Guoyu @ 14:05
