While SSL/TLS encryption improves the security of the web, there are trade-offs in terms of performance.
A secure connection requires a handshake to set up the session, and that handshake adds latency before any content can be delivered.
CDNs help offset this cost and improve the performance of SSL/TLS in a few ways:
Reduced Latency with Edge Servers
SSL/TLS handshakes require round trips between the client and server. For users who are far from the origin server, those round trips add up to noticeable latency. CDNs place SSL-enabled edge servers very close to the end user.
When a user opens a secure connection, both the handshake and the content are handled by the nearest edge server. This drastically reduces latency and improves load times.
For example, consider a user in Tokyo accessing a website hosted in New York. Without a CDN, every round trip crosses that physical distance, so the user experiences many delays.
With a CDN, the user completes the SSL/TLS handshake with a Tokyo edge server, and the content is also served by that Tokyo edge server. Overall, it is a far better experience.
SSL Session Reuse and Session Resumption
To mitigate the computational burden of completing the entire SSL/TLS handshake process, CDNs typically make use of SSL session reuse or session resumption.
This way, clients and servers can continue encrypted sessions without renegotiating all of the parameters. This is especially advantageous for repeat visitors or users who access multiple secure assets from the same domain.
As an intermediary for users and servers, CDNs cache session information and manage TLS handshakes intelligently across millions of requests, providing benefits with respect to performance and CPU utilization on both the client-side and server-side.
TLS False Start and 0-RTT Resumption
Modern CDNs support and deploy many SSL/TLS performance features, e.g., TLS False Start and 0-RTT (Zero Round Trip Time) Resumption.
TLS False Start lets the client send application data before the handshake has fully finished, shaving milliseconds off each connection. 0-RTT Resumption (available in TLS 1.3) lets a client send encrypted data immediately, using parameters from a previous session.
0-RTT does carry security risks for applications (in particular replay attacks, since early data can be resent by an attacker), but CDNs usually implement it with additional safeguards that keep the speed benefit while limiting the exposure.
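To make the 0-RTT caveat concrete, here is an added example (not code from the original post or from any CDN vendor) of an origin-side policy that uses the mechanism RFC 8470 defines for exactly this problem: the CDN marks requests received in early data with an `Early-Data: 1` header, and the origin answers non-idempotent ones with `425 Too Early` so the client retries once the handshake is complete. The allow-listed paths and the sample requests are constructed for the example.

```python
# Added example: origin-side handling of requests that a CDN forwarded from
# TLS 1.3 0-RTT early data, following RFC 8470 ("Early-Data: 1" request
# header, 425 Too Early response). Assumption: the CDN sets "Early-Data: 1"
# only on requests it received in early data and strips it from all others.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # idempotent methods per HTTP

# Constructed allow-list: prefixes whose GETs are harmless even if replayed.
REPLAY_SAFE_PREFIXES = ("/static/", "/images/", "/healthz")


def arrived_in_early_data(headers):
    """True when the CDN marked the request as 0-RTT early data (RFC 8470)."""
    normalized = {k.lower(): v for k, v in headers.items()}
    return normalized.get("early-data", "").strip() == "1"


def early_data_decision(method, path, headers):
    """Return (status, reason) for a request as it reaches the origin.

    425 tells the client the request was not processed and should be resent
    after the handshake completes, when it can no longer be replayed."""
    if not arrived_in_early_data(headers):
        return 200, "full handshake: process normally"
    if method.upper() not in SAFE_METHODS:
        return 425, "non-idempotent method arrived in 0-RTT data"
    if not path.startswith(REPLAY_SAFE_PREFIXES):
        # A GET with side effects (logout, one-time tokens) is still replayable.
        return 425, "path not on the replay-safe allow-list"
    return 200, "replay-safe request: served from early data"


# Constructed sample requests, as a CDN might forward them to the origin.
SAMPLE_REQUESTS = [
    ("GET",  "/static/app.js",  {"Early-Data": "1"}),
    ("POST", "/api/transfer",   {"Early-Data": "1"}),
    ("GET",  "/account/logout", {"Early-Data": "1"}),
    ("POST", "/api/transfer",   {}),   # sent after the handshake completed
]


def run_samples(requests=SAMPLE_REQUESTS):
    """Apply the policy to each sample; returns a list of (status, reason)."""
    return [early_data_decision(m, p, h) for m, p, h in requests]


if __name__ == "__main__":
    for (m, p, _), (status, why) in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{m} {p} -> {status} ({why})")
```

A client that receives 425 simply resends the same request on the now-established connection, so the only cost of rejecting is the round trip that 0-RTT tried to save, and only for requests where a replay could do harm.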
Better Certificate Management
CDNs will take the complexity of SSL certificate deployment and management out of your hands. With a CDN service, you have the option for automatic certificate provisioning through Certificate Authorities (CAs), as well as some advanced capabilities such as:
- OCSP Stapling - The CDN attaches the CA-signed revocation status of its certificate to the TLS handshake itself, so the client no longer has to contact the CA separately, which shortens SSL handshake times.
- Server Name Indication (SNI) - CDNs can serve multiple SSL certificates from a single IP address, thus improving scalability.
- Wildcard and SAN certificates - A single wildcard or SAN certificate can cover a number of subdomains or a multi-domain configuration, reducing the number of certificates you need to manage.
Support for HTTP/2 and HTTP/3
Older protocol versions such as HTTP/1.1 are far less able to deliver performance gains than the newer HTTP/2 and HTTP/3.
Running over SSL/TLS, HTTP/2 gains performance through multiplexing many requests over a single connection, while HTTP/3 goes further and also removes the head-of-line blocking that HTTP/2 still suffers at the transport layer, so both reduce latency compared with HTTP/1.1.
HTTP/3, built on top of QUIC, uses UDP to provide a faster, higher-performance connection that is also more reliable in mobile or lossy environments.
Most CDNs enable HTTP/2 or HTTP/3 by default, so encrypted traffic flows over these protocols and the CDN service benefits from their speed.
Additionally, since HTTP/2 (as implemented by browsers) and HTTP/3 run only over encrypted channels (TLS/SSL), these protocols align naturally with SSL/TLS to improve overall performance.