CDN And SSL: The Initialisms You Need For A Fast, Secure Website

One of the key considerations of building websites is to make sure they load quickly.

So often it feels like we’re living in an either/or world. Either you can eat a delicious dinner, or you can eat a healthy one. Either you can go see a movie you want to see, or a movie your spouse wants to see. Either you can spend a boring weekend drinking nothing stronger than herbal tea, or you can call your uncle to bail you out after a drunk and disorderly arrest. There just doesn’t seem to be a way to have it all.
Fortunately, your website is not one of us mere mortals constrained by the either/or traps we tend to fall into. While there was a time when you would have had to choose between having a website with fast page load times or a website with secured communications, these days when it comes to speed and security, your website can have it all.

The basic handshake
In order to understand how to make a website both fast and secure, you have to grasp the basics of the interaction that occurs between a user’s browser and the average website’s server. When a person visits a website, what’s called the transmission control protocol (TCP) handshake occurs. In it, the browser sends a connection request to the server. The server accepts the request, and sends an acknowledgment in return. This very polite process ends with the browser receiving this acknowledgment, and sending an acknowledgment in response.

The time it takes to complete the TCP handshake is considered a website’s round trip time. Round trip time is a major factor in your website’s page load time, and it becomes an even bigger deal when encryption enters the picture.

Adding security
The problem with the TCP handshake is that an attacker can get between the browser and the server, becoming the "man in the middle" in what is known as a man-in-the-middle attack, and eavesdrop on these communications.

When this occurs with the average website that you go to in order to look at pictures of cats, it doesn’t matter. But on websites where users should expect their information to be protected – meaning any website where information such as addresses, financial details, login names, email addresses or passwords is entered – the man in the middle absolutely cannot have access to that information.

The solution for a website that needs to offer secure communications between browsers and its servers is encryption. When the information being sent back and forth is encrypted, all a man in the middle is going to see is basically a garbled mess of cryptographic code.

In order to add encryption to a website, the owner will use what’s called the Secure Sockets Layer protocol, or SSL. (The current protocol is actually called Transport Layer Security, or TLS, but most still use the name of the protocol TLS replaced, which is SSL.) SSL puts a few extra steps in that TCP handshake, adding in an agreement between browser and server on a method of encryption as well as a process of mutual verification, and then the generation of encryption keys.

The inherent drawback to encryption
It’s a basic principle: add more steps to a process and it’s going to take longer. A browser connecting to an encrypted website will likely take three round trips instead of the one required for the TCP handshake. So if there’s already lag in a website’s round trip time, go ahead and multiply that by three for every single visitor.

When you talk website speed you’re often talking in terms of milliseconds and seconds, but unfortunately that doesn’t make these slowdowns insignificant. Internet users are finicky about speed, with 60% of online shoppers only willing to give a page five seconds to load and an even fussier 27% only willing to wait three seconds. There are just too many websites competing for business for someone to spend much time waiting on a page to load.

Addressing the need for speed
There’s no way to cut corners when it comes to the encryption process. Either your website encrypts the data being sent to and from a user’s browser using all the steps needed by SSL, or it doesn’t offer encryption. And if there’s any sort of personal information being input on your website, it has to be encrypted. Not using SSL would be beyond negligent.

Fortunately an encrypted website with fast page load times as well as excellent performance and reliability can be achieved through the use of a content delivery network, or CDN, which is a global network of cache servers designed to deliver your website’s content to users as quickly as possible. By directing users to the server located closest to them, a CDN cuts down on how far data has to travel, which cuts down on that round trip time. And as CDN provider Imperva Incapsula points out, since the SSL handshake takes three round trips, the time saved in a round trip is multiplied by three for users of an encrypted website.

It’s important to note that in order for a content delivery network to most effectively speed up the SSL handshake, you need to have the keep alive function enabled. The keep alive function will maintain an open connection between the CDN and the origin server even between user sessions to avoid having to restart the SSL encryption negotiation process. So long as your website is being visited every few minutes, all of your users will benefit from a significantly reduced handshake time.
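To make the keep-alive point concrete, here is a small model of connection setup time for requests the CDN must fetch from the origin. It is an added example, not code from the article or from any CDN provider; it uses the article's round-trip counts, while the RTT values, the idle timeout and the visit times are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

PLAIN_ROUND_TRIPS = 1      # article: the TCP handshake alone
ENCRYPTED_ROUND_TRIPS = 3  # article: connecting to an encrypted website


def direct_setup_ms(rtt_ms: int, encrypted: bool = True) -> int:
    """Setup latency when the browser connects straight to the origin."""
    trips = ENCRYPTED_ROUND_TRIPS if encrypted else PLAIN_ROUND_TRIPS
    return trips * rtt_ms


@dataclass
class Edge:
    """One CDN cache server holding at most one pooled connection to the origin."""
    visitor_rtt_ms: int          # browser <-> nearby cache server
    origin_rtt_ms: int           # cache server <-> origin server
    keep_alive: bool
    idle_timeout_s: int          # assumed: idle origin connections close after this
    last_used_s: Optional[int] = None

    def setup_ms(self, now_s: int) -> int:
        """Setup latency for a request at now_s that the edge must fetch from origin."""
        cost = ENCRYPTED_ROUND_TRIPS * self.visitor_rtt_ms
        warm = (self.keep_alive and self.last_used_s is not None
                and now_s - self.last_used_s <= self.idle_timeout_s)
        if not warm:
            # No open connection to reuse: a fresh SSL handshake with the origin.
            cost += ENCRYPTED_ROUND_TRIPS * self.origin_rtt_ms
        self.last_used_s = now_s
        return cost


def simulate(arrivals_s: List[int], keep_alive: bool) -> List[int]:
    """Per-visitor setup latency (ms) through one edge, for the given visit times."""
    edge = Edge(visitor_rtt_ms=20, origin_rtt_ms=140,
                keep_alive=keep_alive, idle_timeout_s=300)  # constructed values
    return [edge.setup_ms(t) for t in arrivals_s]


if __name__ == "__main__":
    arrivals = [0, 60, 120, 600]  # constructed visit times, in seconds
    print("direct to origin  :", [direct_setup_ms(150)] * len(arrivals))
    print("CDN, no keep-alive:", simulate(arrivals, keep_alive=False))
    print("CDN, keep-alive   :", simulate(arrivals, keep_alive=True))
```

With these constructed numbers, the CDN without keep-alive pays both handshakes on every uncached request and ends up slower than connecting directly. With keep-alive, only the first visitor and the one arriving after the idle gap pay the origin handshake.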

With SSL and a CDN your secure but still speedy website can be a shining example to all of us who have struggled to incorporate the best of both worlds into our lives. May we boldly go forward and find a way to make carrot cake count as a serving of vegetables.

(Naomi Webb is a freelance writer specializing in the latest technology trends)

