I was reading this blog (http://googlepublicpolicy.blogspot.com/2009/06/https-security-for-web-applications.html) posted by Google on not enabling HTTPS for Gmail by default. One of the paragraphs says the following:
Unless there are negative effects on the user experience or it’s otherwise impractical, we intend to turn on HTTPS by default more broadly, hopefully for all Gmail users. We’re also considering how to make this work best for other apps including Google Docs and Google Calendar (we offer free HTTPS for those apps as well).
I didn’t understand what negative effects there can be from shifting over to HTTPS. Is there any benchmarking done on the performance of HTTP and HTTPS?
I feel that HTTPS actually involves some additional protocol messages initially and data encryption later on. Can’t these issues be taken care of by having SSL browser code loaded by default, etc.?
Thank you
Bala
The major cost of HTTPS is generally the key exchange at the start of the session, which is CPU intensive. Hardware acceleration is available to handle this. If it is an EV cert then it will also need revocation checking. Actual encryption of the stream is relatively cheap. Sun Niagara II has “zero overhead” encryption which uses spare FPU cycles to do the processing.