Making the Internet more secure isn’t easy; too often measures that would increase security are rejected because they slow things down. Web users would, it seems, rather see a site quickly but insecurely than wait for a secure connection.
Researchers at Google say they’ve come up with a way to set up secure connections 30 percent more quickly.
A feature called SSL False Start decreases the load time of Secure Sockets Layer (SSL) connections. SSL encrypts data between a web browser and server, but because connections are slow to set up, very few major websites have added permanent SSL/TLS protection to turn HTTP into the more secure HTTPS.
Following recent high-profile hacks of Facebook and Twitter, the option of permanent HTTPS has been added to these sites, and most financial sites insist on it, but far too many other sites let the user connect in an insecure way.
The Google researchers have added a feature to Chrome 9 that makes setting up secure connections more rapid. According to a post on the Chromium Blog, developers at Google have:
“implemented SSL False Start in Chrome 9, and the results are stunning, yielding a significant decrease in overall SSL connection setup times. SSL False Start reduces the latency of a SSL handshake by 30%.”
Of course, adding features to a new product is easy; making sure the feature works no matter where it’s used is another matter. If current websites that use HTTPS didn’t work with SSL False Start, the developers say, it wouldn’t be deployed. According to the blog post:
“we compiled a list of all known https websites from the Google index, and tested SSL FalseStart with all of them. The result of that test was encouraging: 94.6% succeeded, 5% timed out, and 0.4% failed. The sites that timed out were verified to be sites that are no longer running, so we could ignore them.”
The sites that failed were of more concern, but once sites that failed because of certificate failures or problems unrelated to FalseStart were ruled out, the list of problem sites came down to those that were using SSL from a handful of vendors. The Google team says most of the vendors have fixed the reason behind the problem, while the others have fixes in progress:
“The result is that today, we have a manageable, small list of domains where SSL FalseStart doesn’t work, and we’ve added them to a list within Chrome where we simply won’t use FalseStart. This list is public and posted in the Chromium source code.”
A 30 percent reduction in connection setup time is good, but it’s still not perfect. The problem, as any developer who has dabbled with encryption will know only too well, remains both messy and processor hungry.