Making Secure Sites Load Faster

SSL Performance

We recently announced a collaboration with CloudFlare to speed up how SSL performs on the Web. Both CloudFlare's CEO Matthew Prince and GlobalSign's CTO Ryan Hurst delve into the more technical detail in their respective blog posts, but to summarise... whenever a browser connects to a secure site, it goes something like:

Browser: Hello. I'd like to connect to you securely over SSL, can I have your SSL Certificate please?
Server: Sure, here you go.
Browser: Thanks, I see you have a Certificate issued by GlobalSign. Hold on while I check with GlobalSign if this Certificate is valid.
Browser: Hello GlobalSign. Can you confirm the validity status of this Certificate?
GlobalSign: Sure, hold on...yes that one is fine, we've not revoked it.
Browser: Ok, GlobalSign confirmed. Send me the page content and I'll load it now.

Typically this 'handshake' (called an OCSP response) will take around 500ms depending on the efficiency of the CA's infrastructure and where the user is physically based in relation to the CA. This may not sound like much, but talk to anyone involved in online marketing and SEO, and they'll tell you that every millisecond counts. The longer you keep someone waiting, the more likely it is they'll lose interest and navigate away. Site speed is of paramount importance, and in the case of using SSL, the page will remain blank and the website content unrendered until the handshake is complete.

We want to see SSL used in more places, across entire sites. But 500ms is a long time to make people wait. How can we expect website owners to think about employing always-on-SSL to use SSL across every page on their website if their dependency on the CA slows down the user experience? That's where our collaboration with CloudFlare comes in. CloudFlare knows a lot about performance. In their mission to #savetheweb, they speed up a huge chunk of it and speed up the browsing experiences for hundreds of millions of people every day. The company is also a long time partner of GlobalSign and nothing makes the CloudFlare guys happier than applying their performance knowledge to new applications. So that's exactly the problem that Ryan, Matthew and team set to solve - OCSP responses take too long, let's speed them up and make GlobalSign's responses the fastest on the Web.

And that's exactly what we did. By working with CloudFlare to utilise their global infrastructure to deliver Certificate status requests, GlobalSign OCSP responses have been accelerated to around 50ms (or 1/20th of a second). Geographic delays are practically removed, which for a truly global CA, is very important for our customers.

A quick waterfall analysis of shows exactly what we've done.


The purple bars are the SSL handshakes. You can see that the longest SSL handshakes come from pulling in JSAPI from Google and a Flash file from Amazon CloudFront, showing that even the largest, most sophisticated networks on the Web are dependent on their SSL provider's OCSP speed (obvious disclaimer, neither Google or Amazon uses GlobalSign SSL, maybe they should). Compare that with GlobalSign's OCSP response for our own domain, and it's lightning fast in comparison.

We're proud to be the first CA to successfully achieve anything even remotely like this, and we suspect our peers will follow suit in coming months. Whereas we'll enjoy the competitive advantage for the near-term, we will be happy to see SSL get faster for everyone that relies on the technology for a secure browsing experience, and hopefully more ubiquitously used across entire sites.

See also:
A quick look at SSL performance:
What is the status of revocation checking in browsers?