Subscribe to receive notifications of new posts:

CloudFlare Works with GlobalSign to Make SSL Faster Across the Web

2012-11-01

2 min read
CloudFlare Works with GlobalSign to Make SSL Faster Across the
Web

Earlier this week we announced how CloudFlare enabled OCSP stapling in order to improve our customers' SSL performance. OCSP stapling is awesome and improves SSL performance by as much as 30%. However, it is limited to browsers that support OCSP stapling and only benefitsCloudFlare's customers. So, until every browser vendor updates to support OCSP stapling and until every website uses CloudFlare, we wantedto see if we could do something else to improve SSL performance across the web.

GlobalSign Partnership

CloudFlare has worked with GlobalSign since we first launched in September 2010. Prior to that we surveyed nearly every certificate authority in an effort to find one that was forward thinking enough to support what we needed. GlobalSign has been a terrific partner and is shaking up what has been a commodity industry.

CloudFlare Works with GlobalSign to Make SSL Faster Across the Web

Several months ago, GlobalSign approached us to talk about SSL performance. Their goal was simple: become the fastest SSL provider on the Internet. As I've written about before, whenever you visit a website over a HTTPS connection your browser has to perform a check to see if the certificate has been revoked. Depending on your browser, these checks are either over the CRL (Certificate Revocation List) or OCSP (Online Certificate Status Protocol) protocol. In either case, they require a request be sent back to the certificate authority and to get a response before content is downloaded. In other words, CRL and OCSP requests inherently slow down HTTPS performance.

The amount that these checks slow down performance varies depending on the certificate authority. On average, across the industry, a typical OCSP or CRL response time can be 500ms. That's half a second. In other words, every time you visit a site over HTTPS, you waste half a second waiting for the SSL check to complete. Talking with GlobalSign we realized we could do something about that.

Now Saving 1.5 Years Worth of Time a Day

This morning we officially announced our work with GlobalSign to make their CRL and OCSP requests the fastest on the Internet. GlobalSign's SSL checks (OCSP and CRL GET and POST requests) are now served from our cache across CloudFlare's global infrastructure. The results have been awesome. The requests that previously averaging around 500ms are now under 100ms. At GlobalSign's scale, that means we're now saving the web about a year and a half of time every day that people would have otherwise spent waiting for web pages to load. That's crazy.

This improvement accrues to sites using GlobalSign SSL certificates, regardless of whether the sites themselves are running on CloudFlare's network. Getting more sites using SSL is critical for increasing web security and promoting new performance protocols like SPDY. If you are choosing a CA, typically a commodity decision, now there's a good reason to pick GlobalSign over the other choices: they will ensure your site is as fast as possible over HTTPS. Put simply, GlobalSign is now the fastest certificate authority in the world, and nearly 3x as fast as Symantec/Verisign.

CloudFlare's mission is to power a faster, safer Internet so working with GlobalSign to make SSL as fast as possible has been a perfect fit. Our hope is that other certificate authorities will follow GlobalSign's lead and spend the time to optimize their SSL checks for optimal performance. As an added bonus, we've also helped GlobalSign be the first certificate authority to have their SSL checks be available over IPv6. This is all part of our efforts to help build a better Internet. As we like to tweet: #savetheweb.

Cloudflare's connectivity cloud protects entire corporate networks, helps customers build Internet-scale applications efficiently, accelerates any website or Internet application, wards off DDoS attacks, keeps hackers at bay, and can help you on your journey to Zero Trust.

Visit 1.1.1.1 from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you're looking for a new career direction, check out our open positions.
Save The WebOCSPSSLSpeed & Reliability

Follow on X

Matthew Prince|@eastdakota
Cloudflare|@cloudflare

Related posts

October 09, 2024 1:00 PM

Improving platform resilience at Cloudflare through automation

We realized that we need a way to automatically heal our platform from an operations perspective, and designed and built a workflow orchestration platform to provide these self-healing capabilities across our global network. We explore how this has helped us to reduce the impact on our customers due to operational issues, and the rich variety of similar problems it has empowered us to solve....

September 25, 2024 1:00 PM

Introducing Speed Brain: helping web pages load 45% faster

We are excited to announce the latest leap forward in speed – Speed Brain. Speed Brain uses the Speculation Rules API to prefetch content for the user's likely next navigations. The goal is to download a web page to the browser before a user navigates to it, allowing pages to load instantly. ...

September 19, 2024 2:00 PM

How Cloudflare is helping domain owners with the upcoming Entrust CA distrust by Chrome and Mozilla

Chrome and Mozilla will stop trusting Entrust’s public TLS certificates issued after November 2024 due to concerns about Entrust’s compliance with security standards. In response, Entrust is partnering with SSL.com to continue providing trusted certificates. Cloudflare will support SSL.com as a CA, simplifying certificate management for customers using Entrust by automating issuance and renewals....