Securing the Internet is no easy task, but Google researchers think they have taken a step closer this week with a program called SSL False Start that decreases the load time of SSL connections by up to 30%.
Secure Sockets Layer (SSL) is a protocol that encrypts data between an end user's browser and the server. It is a headache to implement and increases connection latency, and only a few of the major sites on the Web have instituted "always on" SSL/TLS protection on top of HTTP to create the more secure HTTPS. SSL False Start is not the cure for all SSL woes, but it does look like a step in the right direction toward a safer Internet.
Google developers wrote on the Chromium Blog, “We implemented SSL False Start in Chrome 9, and the results are stunning, yielding a significant decrease in overall SSL connection setup times. SSL False Start reduces the latency of a SSL handshake by 30%.”
The developers were concerned that False Start would not be backwards compatible and that if it affected “user experience for even a small fraction of users, the optimization is non-deployable.” So they tested it against every site that uses HTTPS in Google’s index and came away with a 94.6% success rate, with 5% timing out and 0.4% failing. The time-outs turned out to be sites that were no longer in service. The developers contacted the domains that failed and said that most have fixed the issue that made False Start fail. The list of sites that are not compatible with False Start is located in the Chromium source code.
The Electronic Frontier Foundation and Access have teamed up on a campaign called “HTTPS Now” that aims to secure the Internet. Yet, with SSL and encryption still a messy and expensive process, it could be a while before the EFF reaches its goal.
“There is no consistent library for implementing SSL in the browser,” said Tom Bridge, a partner at Technolutionary, a technical services firm. “Firefox, Safari, IE, Chrome, they all use different processes for handling the SSL handshake. Encryption is still a heavy-math process, something that requires both RAM and processor time.”
After some high-profile hacks, including Mark Zuckerberg’s own profile, Twitter and Facebook have offered users options in their profile settings to always use HTTPS. Most of the major email clients use HTTPS as well.