Analysis of Https Overhead and Minimal Web Certificate Chain of Trust

Abstract

The popularity of the web is indisputable. With the recent revelations about NSA spying and the increased need for privacy and security, the default use of secure web through TLS/SSL connections has been highlighted. However, the push back against enabling secure web connections by default is due to the increase in communication and processing time.In this work, we quantify the communication time for http and https download times for the most popular websites. The average download time over http non-persistent connection is 2.72 seconds while the average download time over https non-persistent connection is 3.156 seconds. The overhead in using encryption is thus only 436 milliseconds (about 4 round trip times on the Internet) or 16.1% for non-persistent connections. And for persistent connections the overhead is 15%. We thus make the case that https should be enabled by default due to the very low communications overhead. With the recent hacks and breaches at various certificate authorities and no-longer-trusted certificate authorities, we also quantified which certificate authorities are most popular on the Internet. By only trusting ten certificate authorities, a webbrowser can access almost 80% of https-enabled websites. The number of trusted certificate authorities can thus be reduced from thousands to a few dozen.