OPINION - HTTP versus HTTPS versus HTTP/2
This page was originally created on and last edited on .
It's long be understood that the performance impact of HTTPS is no longer a barrier to adoption for websites.
There's even a website https://www.httpvshttps.com/ which claims to show HTTPS loads significantly faster than HTTP. This is counter intuitive since there are undoubtedly some overheads to HTTPS, which is normally applied on top of HTTP. So each time this comes up, there's confused people asking how it can be.
Well the reason it's faster is not due to HTTPS but due to that fact it is using HTTP/2. Now it is mentioned at the bottom of the page, that "plaintext HTTP/1.1 is compared against encrypted HTTP/2 HTTPS" but it's not the most obvious. The aim of the page (I guess) is to show the best conditions for HTTP versus the best conditions for HTTPS and, as HTTP/2 is only supported by browsers under HTTPS, there is an argument to be made therefore that it is a fair comparison for that reason.
However I'm firmly in the camp that this is a bit disingenuous for a number of reasons:
- It's not made clear that it's not a like for like test with only difference being HTTPS, and in fact heavily implied that HTTPS is the reason it is faster when it's not.
- HTTP/2 also includes header compression so many requests like this will be smaller under HTTP/2 as full headers should not be sent each time. Again the improvement here will be more with lots of small resources like in the example.
- HTTPS does not automatically mean HTTP/2 even if the reverse is true. In fact, we may recently have taken a step back in HTTP/2 availability in the short term. It will take a while for HTTP/2 to be fully available in all common OS builds and web servers and until then saying HTTPS is the same as HTTP/2 doesn't fit well with me. Saying that CDNs like CloudFlare offer HTTP/2 now but they may not be for everybody.
- It ignores the small performance impact on initial connection to an HTTPS site as it only measure performance once the HTML is loaded. Now admittedly this difficult to accurately measure, especially since it can only really be measured once per session, and it is small (a few hundred milliseconds) but it is something people notice when moving from HTTP to HTTPS.
- There's just no reason to cheat like this! HTTPS and HTTP/2 are great technologies that have benefits that mean there should be used where at all possible. Adding fake reasons like this just clouds the issue and casts doubt over those reasons.
Now I don't mean this as a personal attack on that website, and it is a clever and well executed example of how HTTPS can be much faster than HTTP, but I just want a bit of greater transparency to that and would like to know the true impact of HTTPS both with and without HTTP/2 (which I expect to be an ever so slight slowdown - if it's even noticeable at all).
So in an attempt to give a true test, I've written a similar test to compare HTTPv1.1 with HTTPS (over HTTPv1.1) and then with HTTP/2 (which uses HTTPS). You can run this version of this test with a more realistic 36 images here. I've also created a version with all 360 images here.
I suggest you repeat the tests several times to get a sense of how long it takes, and you'll likely see something like this for the 36 image test:
And similarly something like this for the 360 image test:
What's immediately apparent is that HTTP is pretty similar to HTTPS. Occassionally it's faster, occasionally it's slower. Weirdly I see HTTPS slightly faster than HTTP more often than not. I'm not sure if this is just luck or some weird caching effect. Perhaps my web browser, network or web server handles HTTPS better, or perhaps it's just a coincidence. Either way the numbers are only a few percentage points apart so within a margin of error. Or perhaps HTTPS really is faster than HTTP :-)
So it really does look like HTTPS cause no noticeable performance impact for simple websites, as has been stated by most experts for some time now. This could of course vary if you are running really old hardware (on either the client or the server side) or have a website which deals with large volumes of traffic (e.g. video streaming), but for most of us we would struggle to notice the impact of HTTPS. There is a small impact of redirecting to HTTPS (which can be remediated with HSTS), and another small impact of negotiating the HTTPS session (which may be remediated with good set up of HTTPS and could even be further remediated when TLSv1.3 becomes mainstream). These are measurable if using tools like www.webpagetest.org but to most users they are not that noticeable and after the initial connection, there are no such delays. Over bad network connections (e.g. a poor mobile signal) these round trips will cause more issues, but at that point you've got pretty poor performance anyway.
The other obvious point is that HTTP/2 is much faster than either HTTP or HTTPS - even though it's only available over HTTPS for web browsers. This is what I felt was the misleading point of the https://www.httpvshttps.com/ website, since it was not HTTPS which caused the performance boast, but it really is quite impressive how much of a difference HTTP/2 makes - even on a smaller 36 image site. Of course the 360 image site is still an extreme example and you're not going to see a 91% improvement just by turning on HTTPS - even with HTTP/2 for most sites. However even the smaller 36 image site sees a huge 70% improvement on HTTP/2 - much more than I would have expected.
It's also impressive to see the download improvements under HTTP/2 due to header compression. In the 360 page the total page size is an identical 382kb in both HTTP and HTTPS but drops to an impressive 265kb for HTTP/2 - a 30% improvement!:
Now these images are small and most resources you load on a website will likely be larger, so the improvement due to header packing may be smaller because of that, but still good to see none-the-less.
HTTPS and HTTP/2 are two great technologies and all those running websites should be aware of them and look to implement them if they are not using them yet. My intention with looking and this was not to prove that HTTPS still has performance issues, nor to nitpick someone else's website, but more to get some like for like numbers to investigate the performance improvements shown by that site, which are not explained there.
HTTPS in particular is a well established technology now and with initiatives like Let's Encrypt it's never been easier or cheaper to get a HTTPS certificate for your website. There are many reasons to use HTTPS and it is going to become harder and harder to keep an HTTP only site as web browsers reserve features for HTTPS only sites. If you are not on HTTPS then you should look at it now. These tests prove the performance impact is not even noticeable for most sites. The move can be painful especially for larger sites with a lot of legacy code and pages, but this is a once off move and the earlier you start the better it will be.
HTTP/2 is not quite as well established or available just yet but that is changing rapidly. The HTTP/2 specification was only officially published in May of 2015 but with in a year nearly all web browsers support HTTP/2 and many web servers also support HTTP/2. HTTP/2 will be the future of the web and if you have the chance to use it then do - these tests prove how much faster it can be, without any changes to the website itself. You can check out my own post on how to set up HTTP/2 for Apache if you want more information on that.
Do you agree? Disagree? Let me know below your thoughts below.
Want to read more?
Further HTTP versus HTTPS versus HTTP/2
- My Book "HTTP/2 in Action" available in early access (1st chapter free!).
- Why do we need HTTP/2? - an excerpt from "HTTP/2 in Action".
- Still think you don't need HTTPS? - a great article by Scott Helme on benefits of HTTPS. Just ignore the first point :-)
- The tweet conversation that inspired me to make this page..
This page was originally created on and last edited on .Tweet