Best Practice: SSL vs Speed

Hey guys,
I just added an SSL to https://jackalopemedia.com

I just ran a speed test and noticed the SSL seems to have doubled my load time. (About 200ms to 500ms DOM).

I’m thinking I should probably just set up the SSL to go on a subdomain (something like billing.jackalopemedia.com). That way I can use Stripe for billing (or anything), but not sacrifice load times on my blog/AdWords pages (which will be on the primary domain).

This is all assuming there’s not an easier/better method for speeding it up. (I know 300ms+ isn’t relatively that much, but it’s high priority to me.)

Thanks for any advice! :smile:

Edit: btw, if anyone down the road needs help setting up an SSL, I somehow magically figured it out using this process.

HTTPS has a cost but it’s becoming less and less and more important at the same time. Trellis is optimized to the best SSL/TLS performance you can get including SPDY, SSL cache, longer timeouts, etc. Once we integrate HTTP/2 it will be even better.

I suggest just keeping it for now :smile:

Keep in mind that it’s potentially insecure to only have SSL on a subdomain, especially if you share cookies between them. That’s why HSTS is great with includeSubDomains, which is the Trellis default. See https://www.owasp.org/index.php/HTTP_Strict_Transport_Security

3 Likes
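
The cookie-sharing point in the reply above can be checked from response headers. The following is an added example, not code from this thread or from Trellis: it audits one HTTPS response for an HSTS policy without includeSubDomains and for cookies scoped to a parent domain without the Secure flag. The `example.com` host, the header values and the function names are constructed for illustration.

```python
# Added example: audit HSTS and cookie scope on one HTTPS response (constructed data).

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its directives."""
    policy = {"max_age": None, "include_subdomains": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.lower(), arg.strip('"')  # directive names are case-insensitive
        if name == "max-age":
            policy["max_age"] = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def parse_set_cookie(value):
    """Return (cookie name, attributes dict with lower-cased keys)."""
    first, *rest = value.split(";")
    attrs = {}
    for part in rest:
        key, _, arg = part.strip().partition("=")
        attrs[key.lower()] = arg
    return first.split("=", 1)[0].strip(), attrs

def audit(headers):
    """headers: list of (name, value) pairs from one HTTPS response."""
    findings = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    policy = parse_hsts(hsts[0]) if hsts else None
    if policy is None or not policy["max_age"]:
        findings.append("no effective HSTS policy (header missing or max-age=0)")
    elif not policy["include_subdomains"]:
        findings.append("HSTS lacks includeSubDomains: subdomains of this host are not covered")
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        # A Domain-scoped cookie without Secure is also sent over plain HTTP.
        if "domain" in attrs and "secure" not in attrs:
            findings.append(f"cookie {name!r} is scoped to {attrs['domain']} without Secure")
    return findings

# Constructed responses: a weak setup beside a corrected one.
WEAK = [("Strict-Transport-Security", "max-age=31536000"),
        ("Set-Cookie", "session=abc123; Domain=example.com; Path=/; HttpOnly")]
STRICT = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
          ("Set-Cookie", "session=abc123; Domain=example.com; Path=/; Secure; HttpOnly")]

if __name__ == "__main__":
    print(audit(WEAK), audit(STRICT))
```

includeSubDomains covers only hosts beneath the one that sends the header, so it has to be served from the primary domain to protect a sibling such as a billing subdomain.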

I like to chime in on the SSL topic whenever I see it raised. While the security deal is really important, I’m frequently unable to access ANY https:// sites on my home (satellite) internet. Something about the high latency in inclement weather causes the handshake to time out. So I can access google via http://www.google.com/?nord=1, but can’t use the secure version.

Obviously it’s not a great solution, sending all that personal info in the clear… but when the choice is that or nothing, I know which choice I make every time.

Hopefully it will get better over time… but for now, I’m sure I’m not the only one who would (sometimes) be unable to visit your site at all. Then again, I work in town with high speed internet, which is when I’d be visiting your site anyway… so probably a non-issue.

Just like people to be aware that there IS a downside to SSL, and it frustrates me on the regular.