Title: The case for HTTPS: measuring overhead and impact of certificate authorities

Authors: Eric Chan-Tin; Rakesh Ravishankar

Addresses: Department of Computer Science, Loyola University Chicago, Chicago, IL, USA; Computer Science Department, Oklahoma State University, Stillwater, OK, USA

Abstract: The popularity of the web is indisputable. With revelations about mass surveillance, the use of secure web through TLS connections is needed for privacy. However, the pushback against enabling secure web connections by default is due to the increase in communication time. We quantify the download times over HTTP and HTTPS for the most popular websites. The average download time over an HTTP connection is 2.604 seconds while the average download time over an HTTPS connection is 2.937 seconds. The overhead in using encryption is 333 milliseconds (about three roundtrip times on the internet) or 333/2,604 = 12.78%. We thus make the case that HTTPS should be enabled by default due to the low communications overhead. With the recent hacks at certificate authorities, we also quantify which certificate authorities are most popular on the internet. By trusting ten certificate authorities, a web browser can access almost 80% of HTTPS websites.

Keywords: hyper text transfer protocol secure; HTTPS; certificate authorities; overhead; SSL; TLS; measurement; security; web.

DOI: 10.1504/IJSN.2018.095191

International Journal of Security and Networks, 2018 Vol.13 No.4, pp.261 - 269

Accepted: 15 Jul 2018
Published online: 01 Oct 2018
