Can this be added?

There is no "io.js and Node.js" anymore, just "Node.js".

https://modulus.io/ gets bonus points for hosting Meteor apps.

You can store static content (http://aws.amazon.com/s3/faqs/#Can_I_host_my_static_website_on_Amazon_S3) or static websites (http://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html) on Amazon S3, which is https by default. Worth adding to your CDN matrix?

Apache httpd supports TLS dynamic record sizes for HTTP/2 connections since 2.4.18. See https://httpd.apache.org/docs/2.4/mod/mod_http2.html#h2tlscooldownsecs

Could you please update the table? Thanks!

I've followed this instructions but actually it always ends up with an error:

[email protected] requires a peer of grunt@~0.4 but none was installed.

and when running grunt:

>> Error: File to import not found or unreadable: foundation/functions
>>        Parent style sheet: /var/www/.../istlsfastyet/scss/_settings.scss
>>         on line 9 of scss/_settings.scss
>> >> @import "foundation/functions";
>>    ^
Warning:  Use --force to continue.

Aborted due to warnings.

Running on Debian
NodeJS v5

There's a general push to move to IPv6 and this is going to have performance consequences for TLS (and non-TLS) connections. In particular, Apple has announced a deliberate delay in waiting for IPv6 responses of 25ms (https://www.ietf.org/mail-archive/web/v6ops/current/msg22455.html) after receipt of an IPv4 address. This means that dual stack (or IPv6 only) web sites are likely to load faster than IPv4 only.

- Query the DNS resolver for A and AAAA.
   If the DNS records are not in the cache, the requests are sent back to back on the wire, AAAA first.
- If the first reply we get is AAAA, we send out the v6 SYN immediately
- If the first reply we get is A and we're expecting a AAAA, we start a 25ms timer
   - If the timer fires, we send out the v4 SYN
   - If we get the AAAA during that 25ms window, we move on to address selection

We've taken it in to beta https://twitter.com/nginx4Windows/status/741604796554174464
You can test it here https://nginx-win.ecsds.eu/
Expected public release between 3-5 days.

http://aws.amazon.com/about-aws/whats-new/2014/02/19/elastic-load-balancing-perfect-forward-secrecy-and-more-new-security-features/

You know about it, right? ;) https://github.com/indutny/bud

add 3 more

cdn77.com
cdnify.com
keycdn.com

in fact there's even more listed at http://www.cdnplanet.com/ :)

Could we have something like a benchmark for the SSL negotiation time (as reported by webpagetest) to have any idea of what we should aim for?

What is it needed to configure OCSP stapling and SPDY on Akamai?

The website I am working on consumes quite a few APIs that I know use Akamai, and I am quite positive these features are not in place, at least as per http://www.webpagetest.org/result/141205_KM_29b3d5e1a20891c168cc19b8633532a3/

Anyone has experience with getting it configured, so I can raise this to my colleagues who maintain those APIs?

..added in the 2.2 branch; merged with h2o/h2o#1204.

Should I PR this or wait for a non-beta release?

While looking at the CDN & PaaS, I noticed a prominent omission: Google Cloud Platform. App Engine is there, but none of the more modern Google Cloud services are mentioned.

Can they be added? 🙏

@igrigorik, in your Velocity EU 2014 talk you recommend 4k as a reasonable value for nginx's ssl_buffer_size option (in the absence of dynamic record sizing).

However in the nginx.conf in this repo, its set to 1400, to fit in one MTU.

Has your recommendation on this changed or is there some other reason for it to be 1400 here?

The Apache / spdy cell should say "no", with a "*" explaining that there is support for the old Apache version 2.2 only.

https://code.google.com/p/mod-spdy/issues/detail?id=64 illustrates that development of mod_spdy was discontinuted about 1.5 years ago.

I would like to see CDNetworks (company I am working at) to the CDN section. What is needed for adding a new CDN provider?

As far as certs go, I'd love to know the performance impact of the following:

• Cert providers
• Long chains
• Missing intermediate certs
• 1024 vs. 2048 vs. 4096
• EV Certs vs. Normal ones
• Certs that are smaller and fit into less packets/records (not really sure what I'm talking about here, but I think it's a "thing")

And then then mash that data up with acceptance on devices.

Ultimately, I'd love to have a chart much like the CDN and Server tables that helps you pinpoint, based on your needs: This is the cert that is the fastest, most secure, and accepted on the most devices in accordance with my site's use-cases

Your favorite server missing, or found an error? Open a pull request!

Please add Pound to benchmarks!

thanks.

I'd be interested to see how the Silverline DDoS service (was Defense.net) stacks up against the competition...

Thanks,

Michael Mota

Very comparable to Cloudflare but with better security.

https://www.incapsula.com/

According to this blogpost IIS 10.0 on Windows 10 and upcoming Windows Server 2016 supports HTTP/2
http://blogs.iis.net/nazim/http-2-for-iis-in-windows-10-technical-preview

SPDY is most likely not supported, even Google dropped support for SPDY in favor for HTTP/2.

Hi, would it be possible to add QUANTIL to the list? Our company support the following:

Session identifiers: yes
Session tickets: yes
OCSP stapling: no
Dynamic record sizing: no
ALPN :no
Forward secrecy : yes
HTTP/2: no

Thanks!

Haproxy ALPN support was implemented in 1.5-dev18 version.

Just add bind *:443 ssl crt /path/ alpn h2,http/1.1 in frontend section of config file to enable http2 feature of haproxy.

Reference:
https://news.ycombinator.com/item?id=9022807

As of today, CloudFront supports OCSP stapling and Forward Secrecy.

https://www.ssllabs.com/ssltest/analyze.html?d=d2wnqk7stvlxpu.cloudfront.net&s=205.251.253.44

https://blog.cloudflare.com/introducing-http2/

Hey Ilya,

MaxCDN now supports OCSP Stapling. Working on the others.

Thanks!

start here, please, https://www.openshift.com/

thank you!

I ran into this page while looking for a solution with a performance issue we are facing after we moved all of our site to HTTPS. Awesome page, many thanks @igrigorik!

I've been using webpagetest.org a lot to do a crude page load speed of various pages, and I noticed that for a lot of websites there are unexplained waterfall gaps loading SSL pages (after DNS lookup, and before initial connection). For example:

Github: http://www.webpagetest.org/result/140929_VN_1CEM/1/details/
Google: http://www.webpagetest.org/result/140929_HA_1CSD/
Apartment List (our site): http://www.webpagetest.org/result/140929_9M_13KR/1/details/

I don't get these gaps all the time, but I can consistently reproduce them using WebPageTest.org "Denver, Colorado USA - IE 11 - Cable" configuration. We are also using NewRelic RUM on our site, and have evidence that some non trivial amount of users have the same issue in the wild.

At first, I thought it is OSCP issue, but our CDN (CloudFront) is using OSCP stapling, and the weird gap is still there.

Any thoughts on why certain browsers / machines / locations have such a poor performance with regards to HTTPS?

As of version 12.1.0 (18.May.2016 release), BIG-IP supports Dynamic Record Sizing.

https://support.f5.com/content/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-12-1-0/_jcr_content/pdfAttach/download/file.res/BIG-IP_System__SSL_Administration.pdf

Citrix have recently released version 11 of Netscaler which has some HTTP/2 support http://docs.citrix.com/en-us/netscaler/11/system/http-configurations/configuring-http2.html

However, it's only applicable to certain bits of hardware, and it's very new, so I'm not sure it qualifies as being "supported".

Comments?

Caddy is a "Fast, cross-platform HTTP/2 web server with automatic HTTPS" and seems to fit the bill for inclusion on the 'Server Performance' table.

More info: https://github.com/mholt/caddy & https://caddyserver.com

Hi,

Please update the Nginx config with HTTP/2 support.
Seems as SPDY is still enabled in the Nginx configuration (https://github.com/igrigorik/istlsfastyet.com/tree/master/nginx).

I'm curious to see what the ideal Nginx configuration is with HTTP/2.

Thanks,

Regards,

The current table links to their document announcing limited availability, implying a caveat to the "yes." HTTP/2 went GA at Fastly in November.

Kindly edit the comparison table by adding "yes" to Session Tickets and OCSP Stapling against NetScaler. From the official docs,
OCSP Stapling - http://docs.citrix.com/en-us/netscaler/11-1/ssl/ssl-11-1-ocsp-stapling-solution.html
Session Tickets - http://docs.citrix.com/en-us/netscaler/11-1/ssl/customize-ssl-config/support-for-tls-session-ticket-extension.html

Kindly drop me an email if you want to discuss this - [email protected]

Thanks and regards,
Pankaj
NetScaler Product Manager

EdgeCast Network now supports HTTP/2. Please update CDN table to represent this.
https://www.verizondigitalmedia.com/blog/2017/04/http2-done-right/

I don't know about most of the fields, but I do know it supports SPDY via node-spdy.

Hi there, I was wondering whether the Node.js fork io.js will be represented on the website section "Server Performance". From what the right guys have told me, the io.js latest release has support for all of the said categories.

I'd be up for a PR if this would be accepted.

Is SPDY or HTTP2.0 supported in Bitgravity CDN?

Thanks for all the useful information on the istlsfastyet.com site. I was curious if you have plans to add more info and maybe benchmarks regarding the new ECC based SSL Certificates https://casecurity.org/2014/06/10/benefits-of-elliptic-curve-cryptography/ with ECC (ECDSA) signing as opposed to using RSA signing ?

Under which circumstances would ECC SSL/ECC Signed be best or are we not there yet with too many unsupported older browsers still in use .i.e IE 8 ? IE 8 still has a sizeable user base http://theie8countdown.com/

The article at https://casecurity.org/2014/06/10/benefits-of-elliptic-curve-cryptography/ mentions Apache can be configured to serve up ECC for clients that support it and RSA for clients that don't support ECC. The same thing can be done with Nginx ? based on user-agent ?

Another concern for websites that serve a significant number of mobile users is that – while testing has shown that ECC is faster overall – ECC signature verification is a compute intensive task and it can be slower than RSA on devices with slower processors

Also do you have any info on how fast a mobile device would need to be for ECC ?

Or generous consensus now to just stick with RSA signing ?

My SSL provider is just starting to roll out ECC based CSR generated codes in their order system so I can choose between ECC and RSA.

cheers

George

I'd like to see the Level3 CDN added to your CDN performance table. Level3 CDN locations are usually associated with the domain footprint.net.

Thanks,
Brian

One of the question I would like to see in FAQ, is whether using CDN without SPDY support on a SPDY-enabled site have significant negative impact on load time.

Consider this scenario: if we have a flickr like service, and we have X% users from China while our servers are in the US. Given many CDN don't have data centers in China, connections will be expensive. Can choosing CDN without SPDY cause the site to load slower than simply serving files through SPDY multiplexing?

Thanks

While the change in #8 was correct for ELBs, the same cannot be said for CloudFront, which supports only two cipher suites (RSA_WITH_RC4_128_MD5 and RSA_WITH_AES_128_CBC_SHA).

https://www.lighttpd.net/

This is taken from my control panel: