Disappointment Over Speeding up SSL

April 23, 2012 by Jon Callas

A year and a half ago, Google started an experiment to speed up SSL by 30% by using an improvement called False Start. Our own Bruce Morton wrote about it not once but twice, and most of the world has been hopeful about the experiment. What’s not to like about a 30% speed improvement?

Sadly, Adam Langley has said that he is declaring the experiment a failure. The problem is that it doesn’t work well on some sites, not without a fix to the SSL code on these sites. The problematic sites all seem to be protective gateways that proxy a connection from front-edge servers to ones in the back of a network. He hypothesizes that these sites are reading and writing on separate threads and that this is causing problems with False Start. They tried explicitly noting which sites had problems and just not using False Start there, but that hasn’t panned out.

Langley believes that the fix is easy on the server end, and that the people who aren’t fixing it aren’t being obstinate; they likely just don’t have someone who is expert in their SSL code any more. Google is now limiting False Start solely to sites that have implemented the Next Protocol Negotiation extension.

This is a real pity. We need more sites using SSL, and it’s always better to get SSL faster, as that means more people will use SSL.

Jon Callas


Jon Callas has over 30 years of experience and served as Entrust’s Chief Technology Officer. Prior to joining Entrust, Callas co-founded PGP Corporation which specialized in email and data encryption software. Over the course of more than fifteen years, Callas held leadership functions including CTO and CSO. Most recently, he also served as an operating system security expert with Apple. Additionally, he has held leadership positions with corporations including Wave Systems Corporation, Digital Equipment Corporation and Counterpane Internet Security Inc. He has also authored several Internet Engineering Task Force (IETF) standards including OpenPGP, DKIM, and ZRTP.
