SSL as Remedy for Large View State?

Recently we've noticed something peculiar when serving pages with large view state over SSL. I've always been told that SSL slows things down, but we've witnessed the opposite.

Our main product handles a lot of dynamic data. Some pages may house large chunks of view state which we can't trim. We need it so that data grids could process paging and sorting events, etc.

Trying to troubleshoot an issue one day we decided to enable SSL on the entire app. To our surprise we observed a noticeable increase in page serving time.

Now, pardon my ignorance, but does SSL also compress data? As far I as know there's no compression by default, but I might be wrong. Compression is the only explanation of this boost that I can think of.

I am a big believer in compressing the HTTP payload. HTML is repetitive and compresses very well. For a while now I've been using Ben Lowery's HttpModule (see Run, Run As Fast As You Can to learn how compression can speed up your site).

Your server compresses HTML and sends it to a browser with each page request. Upon postback the view state is posted to the server in plain text, without compression. Once the page is processed, it's sent back to the client compressed yet again.

Back to SSL. If it compresses data both ways then we're enjoying a free ride. Does anyone know if this is the case? Any other ideas?

No, SSL doesn't compress data. Are you compressing the page in question already? I'd throw out a guess that SSL encryption process would run faster if it had less data to encrypt. I don't think you could tell for sure without running a network trace of the 2 scenarios and doing some low level analysis on packet arrival times & latencies.

Yes, we compress pages with and without SSL.

I don't have metrics yet, but we all noticed a significant increase in response time.

Is there a chance that the customer runs some kinds of an HTTP traffic sniffer which retards the normal flow, but keeps its hand off of SSL?

Doesn't IIS support HTTP 1.1 compression?

It does, but it's not documented well, and what's documented is plain wrong. Scott Watermasysk had a post about other side effects of IIS built-in compression.

Not sure what you mean by your question about sniffing. Are you wondering if the client is doing something on their side that would make SSL faster? It sounds like you're observing this on your own machines as well, I'd say no if that's the question. If you're wondering if it's possible to configure a sniffer to look at only HTTP traffic, absolutely. Ethereal is a wonderful, free, sniffer that will do that for you.

I was suspecting they had some software or hardware analyzing traffic.

I don't have an SSL certificate on my machine. We've observed it on a live instance we host for a customer.

Ethereal is great, I love it. I'm gonna have to fire it up and do some sniffin'.