Researchers quantify the 'S' in HTTPS

What value can be placed on the letter 'S'? If it's the 'S' in HTTPS, it could equate to a loss of productivity due to increased latency, greater battery drain for certain connected devices, and the loss of in-network value-added services, according to new research.
Written by Leon Spencer, Contributor

Researchers from Pittsburgh's Carnegie Mellon University, Polytechnic University di Torino in Italy, and the research and development arm of Spain's Telefónica Group have published a paper investigating the impacts of HTTPS use for industry and web users.

The paper, The Cost of the "S" in HTTPS (PDF), was presented at ACM CoNEXT in Sydney, and suggests that while the use of HTTPS is increasing due to mounting security concerns, it could result in more latency online, greater battery drain for some connected devices, and the loss of in-network value-added services.

The paper asserts that HTTPS "does not come for free", with the researchers saying that HTTPS "may introduce overhead in terms of infrastructure costs, communication latency, data usage, and energy consumption".

The encryption offered by an HTTPS connection may protect information from "man-in-the-middle" attacks, but that same protection can hamper the operation of "middlebox" network appliances, such as firewalls.

"Given the opaqueness of the encrypted communication, any in-network value added services requiring visibility into application layer content, such as caches and virus scanners, become ineffective," the paper said. "Most in-network services simply cannot function on encrypted data."

However, it also stressed that the "impact of these 'lost opportunities' is not clear".

Not only can the deployment of HTTPS make it hard to provide in-network services to users, it can also impact latency and data usage in certain circumstances.

"HTTPS requires an additional handshake between the client and the server in addition to the added computational cost of cryptographic operations," the paper said. "The benchmark shows that using HTTPS significantly increases load time.

"The extra latency introduced by HTTPS is not negligible, especially in a world where one second could cost $1.6 billion in sales," it said.

Battery life in certain devices could also be affected by the deployment of HTTPS, with the researchers suggesting that while the protocol's cryptographic operations don't have a direct impact on battery life in devices such as smartphones and tablets, the loss of proxies can "significantly impact battery life".

"It is immediately clear that energy consumption is strongly correlated to download time; this is not surprising, as leaving the radio powered up is costly," the paper said. "HTTPS has the potential to negatively impact battery life (particularly on mobile devices) due to the extra CPU time required for the cryptographic operations, and increased radio uptime due to longer downloads."

According to the paper, half of web traffic is now secure, and includes "large content" such as video streaming flows, with 50 percent of YouTube videos now going out over HTTPS.

"As of September 2014, as much as 50 percent of YouTube's aggregate traffic volume is carried over HTTPS," it said. "HTTPS accounts for 80 percent of the upload volume in 2014; it was only 45.7 percent in 2012."

While the deployment of HTTPS is rapidly rising, the researchers suggested that the cost of deploying the protocol is going down. They also suggested some likely solutions to overcome the stumbling blocks identified in the research.

"The 'S' is here to stay, and the network community needs to work to mitigate the negative repercussions of ubiquitous encryption," the paper said. "To this end, we see two parallel avenues of future work: First, low-level protocol enhancements to shrink the performance gap, like Google's ongoing efforts to achieve '0-RTT' handshakes.

"Second, to restore in-network middlebox functionality to HTTPS sessions, we expect to see trusted proxies become an important part of the internet ecosystem," it said.
