What is the overhead of using HTTPS compared to HTTP?

I was reading this blog(http://googlepublicpolicy.blogspot.com/2009/06/https-security-for-web-applications.html) posted by 开发者_StackOverflow社区google on not enabling HTTPS for gmail by default. One of the paragraph says as below.

Unless there are negative effects on the user experience or it's otherwise impractical, we intend to turn on HTTPS by default more broadly, hopefully for all Gmail users. We're also considering how to make this work best for other apps including Google Docs and Google Calendar (we offer free HTTPS for those apps as well).

I didn't understand what negative effects can there be, by shifting over to HTTPS. Is there a benchmarking done on the peformance of HTTP and HTTPS.

I feel that https actually involves some additional protocol messages initially and data encryption later on. Can't these issues be taken care by having SSL browser code to be loaded by default etc..

Thank you Bala

The major cost of https is generally the key exchange at the start of the session, which is CPU intensive. Hardward acceleration is available to handle this. If it is an EV cert then it will also need revocation checking. Actual encryption of the stream is relatively cheap. Sun Niagara II has "zero overhead" encryption which uses spare FPU cycles to do the processing.

The overhead of https is entirely in the key-negotiation phase during the start of the session. If the keys are set to expire in short order, they may need to be renegotiated frequently.

However, if you're living on 128-bit SSL (most common that I've seen), key generation and exchange is a very short process.

Try timing it from two machines on a network - one connecting on SSL, and the other on plaintext: it's in the single-digit percentages, and only truly noticeable at the beginning of the session.

Browser-based activity is almost always user-bound, not machine-bound.

With HTTPS all traffic between the user and the server hosting the information is encrypted to be seen only by the user and the server. This makes it very difficult for a man in the middle attack. This requires additional resources on both sides to interpret what is being communicated.

Typically on high demand servers on HTTPS there is a limit to what sections of the site uses SSL or there are encryption cards that offload the encryption process.