Web Admin I am Not… yet

I threw myself into an argument I started about SSL and TCP at work over the past couple days.

It all started when I asked the networking guy to look into why downloads from an https web app weren’t going as fast as the customer wanted. I ruled out internal CPU/RAM/Disk bottlenecks, and any testing from within the data center was amazingly fast – it was only the connection point between the server and the outside world that seemed to be slow. The network guy said “It’s because it’s HTTPS and this is expected.”

I made the unfortunate assumption that calling out HTTPS implied that an HTTP connection would have no problems at all. A coworker threw out a bunch of math related to TCP and latency. This threw me down quite the rabbit hole of what kind of overhead SSL has, but at least I learned a lot on the way. Some of it seems rather elementary, but having it reinforced helps my confidence, putting me in a better position to win this argument.

  • An established TCP connection does not wait for each packet to be acknowledged before sending the next. Each bit of data gets numbered sequentially as it goes out. If it’s not arriving in order, the data is buffered until it gets the next packet in the sequence. And if the source doesn’t receive acknowledgements in a timely fashion, it will throttle its send rate until it does.
  • The SSL performance hit is mostly in the CPU on the server for encryption. Even that is mitigated depending on the algorithm being used and the CPU features. There is a latency hit while an SSL handshake is established, but after that the network adapter should be sweeping any other noticeable overhead under the carpet.
  • Fiddler is a great tool for looking at what’s going on with your website communication. I used it to show that an SSL handshake is only happening once when downloading a single large file.
  • Satellite and cellular networks have a lot of cool tricks up their sleeves to get better throughput. For example, they will put CRC checks for the previous TCP packet into the current one to make validation quicker. Or they’ll use a gateway to pre-fetch content on your behalf, bringing it closer to you and reducing the latency.
  • There are straightforward formulas for calculating max TCP throughput. There are no such formulas for HTTPS over TCP throughput.
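The throughput formulas and the one-time handshake cost from the list above can be combined into a rough model. This is an added example, not code from the original post: it uses the window/RTT bound and the Mathis loss approximation for the TCP ceiling, assumes a TLS handshake costs two extra round trips, ignores slow start, and all sample numbers are constructed.

```python
import math

def window_limit_bps(rwnd_bytes, rtt_s):
    """Window-limited ceiling: at most one receive window per round trip."""
    return rwnd_bytes * 8 / rtt_s

def mathis_limit_bps(mss_bytes, rtt_s, loss_rate):
    """Mathis et al. approximation of loss-limited throughput."""
    if loss_rate <= 0:
        return math.inf  # no loss: this bound does not apply
    return (mss_bytes * 8 / rtt_s) * math.sqrt(1.5 / loss_rate)

def tcp_ceiling_bps(link_bps, rwnd_bytes, mss_bytes, rtt_s, loss_rate):
    """The tightest of the three limits decides steady-state throughput."""
    return min(link_bps,
               window_limit_bps(rwnd_bytes, rtt_s),
               mathis_limit_bps(mss_bytes, rtt_s, loss_rate))

def download_seconds(file_bytes, ceiling_bps, rtt_s, setup_rtts):
    """Fixed connection setup cost plus steady-state transfer time."""
    return setup_rtts * rtt_s + file_bytes * 8 / ceiling_bps

def compare(file_bytes, link_bps, rwnd_bytes, mss_bytes, rtt_s, loss_rate,
            tls_rtts=2):
    """Model one large download over HTTP and HTTPS on the same path.

    Assumptions: 1 RTT for the TCP handshake, tls_rtts extra round trips
    for a single TLS handshake, and no per-byte network cost for encryption.
    """
    ceiling = tcp_ceiling_bps(link_bps, rwnd_bytes, mss_bytes, rtt_s, loss_rate)
    http = download_seconds(file_bytes, ceiling, rtt_s, setup_rtts=1)
    https = download_seconds(file_bytes, ceiling, rtt_s, setup_rtts=1 + tls_rtts)
    return {"ceiling_bps": ceiling, "http_s": http, "https_s": https,
            "tls_share": (https - http) / https}

if __name__ == "__main__":
    # Constructed scenario: 1 GB file, 1 Gbit/s link, 64 KB window
    # (no window scaling), 1460-byte MSS, 80 ms RTT, no packet loss.
    r = compare(1_000_000_000, 1e9, 65535, 1460, 0.080, 0.0)
    print(f"TCP ceiling: {r['ceiling_bps'] / 1e6:.2f} Mbit/s")
    print(f"HTTP:  {r['http_s']:.1f} s")
    print(f"HTTPS: {r['https_s']:.1f} s ({r['tls_share']:.4%} spent on TLS setup)")
```

In this scenario the 64 KB window over an 80 ms path caps both transfers at about 6.5 Mbit/s, and the handshake adds a fraction of a second to a download that takes roughly twenty minutes either way.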