6

We are developing a web application intended for use on smartphones and other mobile devices, and we are thinking about running all traffic through HTTPS to make security simpler.

I know that the CPU cost of HTTPS encryption for bigger computers is fairly trivial, but is this also true for modern smartphones like iPhone and Android?

Reid
  • 1,999
  • 3
  • 17
  • 25
  • This doesn't answer your question, but is an interesting and relevant read about Google's attempt to create a faster HTTP protocol that requires additional processing on the client-side (such as gzip and HTTPS): http://arstechnica.com/web/news/2009/11/spdy-google-wants-to-speed-up-the-web-by-ditching-http.ars – Chris Thompson Jan 05 '11 at 16:04

1 Answers1

7

Considering that the cpu of such a device runs at 400 MHz or higher, and that https has been around for decades running on slower cpu's, I'd say there is no problem with that.

mvds
  • 45,755
  • 8
  • 102
  • 111
  • Just want to add: But you may still have slowdowns thanks to the SSL handshake, especially over higher-latency mobile connections: http://www.semicomplete.com/blog/geekery/ssl-latency.html – Yoni Samlan Jan 05 '11 at 16:23
  • @Yoni true. Yet another reason to let all http traffic originate from one server (actually: hostname with fixed ip) greatly reducing the number of connections that need to be set up. One SO pageview leads to 9 (nine!) different hosts. Streamlining things like that easily offsets any slowdown by https. – mvds Jan 05 '11 at 16:29
  • Won't matter unless keepalive's on, though; I haven't seen many Android apps trying to use that (particularly, I can't imagine that'd be especially pleasant on battery life, anyways), but see http://developer.android.com/reference/org/apache/http/ConnectionReuseStrategy.html. – Yoni Samlan Jan 05 '11 at 16:31
  • For one pageview with 10 images, 5 css files and 2 js includes, I'm 99% confident that every modern browser (phone or otherwise) uses keepalive and gets them over one TCP connection. A second pageview may need a new connection, yes. – mvds Jan 05 '11 at 16:34
  • for a mobile browser, definitely; I guess I'm also thinking app development. For the OP's question though, I'd definitely imagine so. – Yoni Samlan Jan 05 '11 at 16:38
  • @OP: If it makes your app simpler and more reliable, then just do it. A working, secure app is better than a fast, crashy one. Next year the phones will be faster and have better batteries anyway. Premature optimization is the root of all evil. – Clinton Pierce Jan 05 '11 at 17:02