How we reduced TLS connection time by more than half on freistilbox

Published 2022-07-04 by Jochen Lillich

TLS encryption has become an indispensable security feature on the web, but it comes with additional overhead. A recent update to the freistilbox edge routers reduced the time it takes to establish a TLS connection by almost 66%.

TLS certificates issued by trusted authorities give end users the confidence that the website with which they’re exchanging information is legitimate. And thanks to certificate authorities (CAs) like Let’s Encrypt, today every website owner can afford to create a high level of trust for their visitors.

There’s still a price to this added security, though. To ensure the authenticity of TLS certificates at all times, it must be possible to invalidate a certificate before its original expiry time, for example if it is discovered to have been created under false pretenses. For that purpose, each certificate authority maintains a certificate revocation list (CRL). When an end user visits a website and is presented with a TLS certificate, their browser determines the CA that issued it and requests the certificate’s status using OCSP, the “Online Certificate Status Protocol”. If the certificate is listed as revoked, the browser warns the user of this security issue instead of displaying the website’s content. The downside of this extra security measure is that it adds a few hundred milliseconds to the time it takes to set up the initial connection to the website. This can have a negative impact on both the user experience and the search engine ranking of a website.

If a website taxes the patience of its visitors with slow content delivery, it risks losing them. Therefore, any measure we can take to reduce the waiting time for end users is a worthwhile optimization.

And because speed is such an important part of the overall user experience, there’s another type of visitor we need to take into account. In addition to human users, websites are also visited by software bots, most importantly search engine crawlers. And these bots are even more sensitive to content delivery performance than humans. One aspect that can factor into a website’s search engine ranking is the time-to-first-byte (TTFB), the time between a website receiving a web request and sending back the first byte of its response. Unfortunately, OCSP requests that happen during the TLS connection setup can prolong the TTFB significantly.

With a recent change to our edge routers, we’ve solved this problem for freistilbox customers. The solution is, as so often in web performance optimization, based on caching. Our customers already love freistilbox for its content caching service that avoids unnecessary page rendering and is expertly tuned for Drupal and WordPress. The content cache stores and serves content with maximum performance for as long as the website allows before it has to fetch an update from the web application again.

But before a request can reach the content cache, it first needs to pass one of the freistilbox edge routers. The main purpose of the freistilbox edge router service is handling TLS encryption, which is why we run it on bare metal servers that can offload traffic encryption to the CPU hardware. By adding a new feature called “OCSP Stapling” to the freistilbox edge routers, we’ve almost completely eliminated the delay caused by the visitor’s browser checking the status of TLS certificates. OCSP stapling works in a similar fashion to the HTTP caching method described above. With this feature, the OCSP request is no longer sent by the visitor’s browser; the freistilbox edge routers send it themselves, store the result for a period of time determined by the certificate authority, and deliver the certificate status right along with the TLS certificate.

In other words, websites hosted on freistilbox only require one request to establish a TLS connection instead of the usual two. This cuts down the time-to-first-byte substantially. In our tests, we saw TLS handshake time go down for a visitor from about 170 ms to about 60 ms, a reduction of almost 66%!
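A practical way to confirm what the two passages above describe, namely that a server answers the browser’s certificate-status question itself instead of leaving it to an OCSP round trip, is to ask for the staple with `openssl s_client -status` and read the “OCSP response” section it prints. The following POSIX shell script is an added example, not freistilbox’s own tooling: it parses that section, reports whether a staple is present and what status it carries, and extracts the “Next Update” timestamp, i.e. the moment the CA-defined caching period ends and the server has to fetch a fresh response. The embedded sample outputs are constructed to match openssl’s format, `www.example.com` in the comment is a placeholder hostname, and the live check assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example: interpret the OCSP staple section of `openssl s_client -status`.
# Against a live host the pipeline would be (www.example.com is a placeholder):
#   openssl s_client -connect www.example.com:443 -servername www.example.com \
#       -status </dev/null 2>/dev/null | staple_status

# staple_status: read s_client output on stdin, print one word describing the
# staple and return 0 only when a "good" status was stapled.
#   NOT_STAPLED  - server sent no OCSP response (browser must ask the CA itself)
#   GOOD/REVOKED - status carried by the staple
#   NO_STATUS    - output has no OCSP section at all (e.g. -status was omitted)
staple_status() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*) echo NOT_STAPLED; return 1 ;;
        *"OCSP response:"*) ;;
        *) echo NO_STATUS; return 3 ;;
    esac
    status=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Cert Status: \(.*\)$/\1/p' | head -n 1)
    case "$status" in
        good)    echo GOOD;    return 0 ;;
        revoked) echo REVOKED; return 2 ;;
        "")      echo NO_STATUS; return 3 ;;
        *)       echo "$status" | tr 'a-z' 'A-Z'; return 3 ;;
    esac
}

# staple_next_update: print the staple's "Next Update" timestamp, the end of the
# validity window the CA granted and hence the latest point at which the edge
# router has to refresh its cached response.
staple_next_update() {
    sed -n 's/^[[:space:]]*Next Update: \(.*\)$/\1/p' | head -n 1
}

# Constructed sample outputs (abbreviated), modelled on what openssl prints.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jul  1 12:00:00 2022 GMT
    Next Update: Jul  8 12:00:00 2022 GMT
======================================
'
SAMPLE_REVOKED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
    This Update: Jul  1 12:00:00 2022 GMT
    Next Update: Jul  8 12:00:00 2022 GMT
======================================
'
SAMPLE_UNSTAPLED='CONNECTED(00000003)
OCSP response: no response sent
'

# Demonstration on the constructed samples.
printf '%s' "$SAMPLE_STAPLED"   | staple_status            # GOOD
printf '%s' "$SAMPLE_STAPLED"   | staple_next_update       # Jul  8 12:00:00 2022 GMT
printf '%s' "$SAMPLE_REVOKED"   | staple_status || :       # REVOKED
printf '%s' "$SAMPLE_UNSTAPLED" | staple_status || :       # NOT_STAPLED
```

A server that staples prints the full “OCSP Response Data” block; one that does not prints “OCSP response: no response sent”, which is exactly the case in which the visitor’s browser has to contact the CA on its own. Comparing “This Update” and “Next Update” shows how long the edge router may serve the cached status before a refresh is due.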

As a side effect, this new feature also gives websites hosted on freistilbox a privacy advantage. Since the freistilbox edge routers take care of certificate validation, the website’s certificate authority no longer sees OCSP requests from each individual visitor; they now all originate from our hosting platform. In other words, with OCSP stapling, a CA only sees the website, not its users.

It makes us happy that we can offer this improvement in web performance and privacy to our hosting customers. Rest assured that we’re already working on the next one!