Re: http download: 90 seconds, https download >= 45 min
I assume that the reason you linked the URL was an attempt to debunk the encryption overhead costs.
First, let me say that I think it is a good idea to move to TLS, if the circumstances warrant it, or if there are no great impediments to doing so.
On to the document you linked, let me point out some phrases from the document itself:
Good news is, modern hardware has made great improvements to help minimize these costs
Nice assumption, that you are either:
a) running on modern hardware; or
b) are not already at the capacity limit of that hardware, such that even a little extra overhead will push it over the edge.
Now let's look at modern hardware that includes (like most do now) hardware encryption units. Even if you are using such hardware, it is not magical. You must still have:
a) driver support for the O/S in use;
b) software support.
for those accelerators. Which might be fine if you are using a recent version Microsoft IIS on Windows, which will undoubtedly have such support. But if you aren't running Windows or IIS? Sure, many O/Ses will have support (say commercial UNIXes on their platform of choice), and many webservers will have support (again for their O/S and hardware platform of choice), but far from all. And even if modern versions of the products you are using have support, does the version you are currently using have that support?
A well tuned TLS deployment can make an enormous positive difference in the user experience,...
To deliver the best performance, run down the TLS performance checklist and use a tool like Qualys SSL Server Test to scan your server for common configuration and security flaws....
TLS exposes many different knobs and new config flags on every server. Our goal here is not to provide an exhaustive list (consult server docs for that), but to highlight status of important performance-oriented features:...
TLS operational costs are still higher, right?
Not necessarily. Once you enable and optimize your TLS stack...
So it requires tuning, not just slapping a certificate into your web server and enabling TLS.
Who's going to do that? How much will that cost? If you are large enough to have your own in-house IT support you'll probably have the inhouse expertise to do it. What about smaller shops who's IT support is the "person over there who knows a bit about computers"? Or even worse (and quite common) the "My ex-employees daughter set it up for us 5 years ago" situation?
Look, I encourage anyone who has the capacity and/or necessity (i.e. you have an online shopfront) to move over to TLS.
But the people who beat the "it's trivial", or "on modern hardware it has no significant overhead" drums are living in their own, blinkered (or ivory-towered) world. They are making assumptions that everyone is running on modern hardware, is using supported software, has in-house (or can afford consultants) IT staff, has the necessity to implement TLS. They must be the same people who beat the "everyone should be using IPv6" drum.
It's easy and trivial if you know what you are doing or can afford to hire someone who know's what they are doing, but for the other 30% of sites out there, it aint, and for what they host on their website ("Who we are", "What we do", "contact details", "address details", "opening hours"), it's not worth the cost to do so.
edit: added a few more choice quotes from the linked page