HTTPS

HTTPS Performance

 NOTE

This article is targeted at system administrators and those who are responsible for Sana web store and server maintenance.

Although, HTTPS brings additional computational and networking overhead to the client-server communication, the effect of it is negligible and should not be considered over security and safety of users and their data.

Moreover, there are some techniques which can improve HTTPS performance. See a few examples below.

HTTP/2

HTTP/2 is a major revision of the HTTP network protocol. The primary goals for HTTP/2 are to reduce latency by enabling full request and response multiplexing, minimize protocol overhead via efficient compression of the HTTP header fields, and add support for request prioritization and server push.

HTTP/2 is supported by default on Windows Server 2016 and Windows 10 with IIS 10 and TLS 1.2.

For more information, see "HTTP/2 on IIS" and "Turn-on HTTP/2 today!".

TLS False Start

Check that ALPN and robust Forward Secrecy with a strong key exchange are enabled. This will allow Web browsers to use a False Start technique.

False Start is a TLS protocol extension that allows the client and server to start transmitting encrypted application data when the handshake is only partially complete. This optimization reduces handshake overhead for new TLS connections to one roundtrip.

For more information, see "Optimizing for TLS".

ECC Certificates

Consider ordering an Elliptic Curve Cryptography (ECC) certificate to use it with your web store. Before ordering an ECC SSL certificate, make sure that your environment is compatible with ECC SSL certificates.

RSA is currently the industry standard for public-key cryptography and is used in the majority of SSL/TLS certificates. As an alternative, Elliptic Curve Cryptography (ECC) uses a different approach to encryption than RSA. ECC uses a smaller algorithm to generate keys that are exponentially stronger than RSA keys. The smaller algorithm means less data is being verified between the server and the client, which translates to increased network performance. This is especially important for websites that experience a high level of traffic.

For more information, see "Understanding ECC in 5 Minutes", "Browsers' compatibility with ECC SSL certificates" and "Microsoft Servers: Create ECC CSR and Install ECC SSL Certificate".

ECC Cipher Suites

Enable ECC cipher suites in your system containing ECDHE and ECDSA.

A cipher suite is a set of algorithms that help secure a network connection that uses TLS/SSL. Cipher suites are used to coordinate between a client and server on which security algorithms to use when sending and receiving information from each other when using TLS/SSL. Using a TLS connection without a cipher suite would result in the data being sent without encryption, authentication, and key exchange algorithms. Cipher suites are used wherever a TLS/SSL connection exists.

For more information, see "Security/Server Side TLS".

Session Resumption

You may want to configure TLS session resumption via session tickets on your Web server to reduce TLS handshake roundtrips. Session resumption is one of the most important mechanism to improve TLS performance. Session tickets are used to resume TLS sessions by storing key material encrypted on the clients. In TLS 1.2 they speed up the handshake from two to one roundtrip.

Take into account that IIS has an issue with session tickets which is considered a vulnerability by Qualys' SSL Labs test. The test gives the following result when session tickets are enabled: "Ticketbleed (vulnerability) - not detected, but similar bug detected (more info)". Thus, we recommend to sacrifice some performance in favor of security and do not enable session tickets until this issue is fixed by Microsoft.

For more information, see "TLS Session Resumption".