Dec 6, 2010 19:53 GMT

The latest versions of Google Chrome come with a feature that makes SSL connections faster by simplifying the handshake between browsers and Web servers.

Dubbed False Start, the technique was developed at Google and is described as an optional behavior of TLS implementations.

By default, for an SSL/TLS connection to be established, the client and server authenticate in a process known as a handshake.

This procedure involves exchanging a series of requests and responses, which ends with the client and server saying "done" to each other before the actual data transfer is initiated.

“[...] This waiting-for-done is unnecessary, and the SSL researchers have discovered that we can remove one round trip from the process and allow the client to start sending data immediately after it is done,” Google programmer Mike Belshe explains.

The time saved as a result of this is about one tenth of a second, 83ms to be more exact. But in practice two or three handshakes are performed when accessing HTTPS pages, because content is loaded from multiple servers. This brings the total time saved to 249ms.

This speed advantage is important in light of the security community calling for full-session HTTPS support on the most popular websites.

Tools like the Firesheep Firefox extension have demonstrated how easy it is to pull off man-in-the-middle (MitM) attacks and compromise the online accounts of people using insecure wireless networks in public places like airports, libraries, fast food restaurants and so on.

The attacks, known as session hijacking, involve sniffing network traffic to capture the so-called session cookies used to authenticate users. But establishing a secure encrypted connection with a website makes it impossible for these to be compromised.

At the moment, very few large websites outside banking and e-commerce offer full-session HTTPS by default. Gmail is one of them.

It is, therefore, no wonder that Google is looking at ways to speed things up, as performance is one of the things that have kept webmasters away from this technology.

Chrome is currently the only browser implementing the False Start feature, but there is one problem. It doesn’t work with a small percentage of sites, about 0.05%.

To address this issue, Chrome developers maintain a blacklist of websites where the technology doesn't work. The list currently has around 5,000 sites and Google plans to contact their owners and advise them on how to fix the problem.
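The handshake flow and the blacklist fallback described above can be modelled as a message timeline. This is an added example, not Chrome's code and not part of the original article; the 83 ms round-trip time is an assumption chosen so that one saved round trip matches the article's figure, and the host names are constructed.

```python
# Added illustration, not Chrome's code: a timeline model of a full TLS handshake.
# Message names are from the TLS specification; RTT and host names are constructed.
FLIGHTS = [
    ("client", ["ClientHello"]),
    ("server", ["ServerHello", "Certificate", "ServerHelloDone"]),
    ("client", ["ClientKeyExchange", "ChangeCipherSpec", "Finished"]),
    ("server", ["ChangeCipherSpec", "Finished"]),
]

def timeline(rtt_ms, false_start):
    """Return (events, request_sent_ms, response_received_ms) for one connection."""
    one_way = rtt_ms / 2
    t, events, request_sent = 0.0, [], None
    for sender, msgs in FLIGHTS:
        events.append((t, sender, "sends " + ", ".join(msgs)))
        if false_start and sender == "client" and "Finished" in msgs:
            # False Start: the request follows the client's own Finished at once.
            request_sent = t
            events.append((t, "client", "sends ApplicationData (request)"))
        t += one_way  # the flight reaches the peer, which then sends the next one
    if request_sent is None:
        # Standard behaviour: wait until the server's Finished has arrived.
        request_sent = t
        events.append((t, "client", "sends ApplicationData (request)"))
    # Request travels out and the reply travels back: one more round trip.
    response_received = request_sent + rtt_ms
    events.append((response_received, "client", "receives ApplicationData (response)"))
    return sorted(events, key=lambda e: e[0]), request_sent, response_received

def time_saved_ms(hosts, rtt_ms, blacklist):
    """Total saving across a page's HTTPS hosts; blacklisted hosts fall back."""
    saved = 0.0
    for host in hosts:
        standard = timeline(rtt_ms, false_start=False)[2]
        actual = timeline(rtt_ms, false_start=host not in blacklist)[2]
        saved += standard - actual
    return saved

if __name__ == "__main__":
    for label, fs in (("standard", False), ("False Start", True)):
        events, sent, got = timeline(83, fs)
        print(f"--- {label}: request sent at {sent} ms, response at {got} ms")
        for t, who, what in events:
            print(f"{t:7.1f} ms  {who:6}  {what}")
    hosts = ["www.example.test", "static.example.test", "legacy.example.test"]
    print(time_saved_ms(hosts, 83, blacklist={"legacy.example.test"}))
```

In the model, the server's Finished still arrives and is still checked; the client simply stops waiting for it before sending the first request.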

Hopefully, Google’s efforts to drive HTTPS adoption forward by serving as an example to both webmasters, through its HTTPS-capable services, and browser developers, with features like False Start, will eventually pay off and we will have a safer Web.