High Performance Browser Networking: What every web developer should know about networking and web performance

However, in practice, you should disable TLS compression on your server for several reasons: The “CRIME” attack, published in 2012, leverages TLS compression to recover secret authentication cookies and allows the attacker to perform session hijacking. Transport-level TLS compression is not content aware and will end up attempting to recompress already compressed data (images, video, etc.). Double compression will waste CPU time on both the server and the client, and the security breach implications are quite serious: disable TLS compression.

Performance Checklist
Optimizing TCP performance pays high dividends, regardless of the type of application, for every new connection to your servers. A short list to put on the agenda:
Upgrade server kernel to latest version (Linux: 3.2+).
Ensure that cwnd size is set to 10.
Disable slow-start after idle.
Ensure that window scaling is enabled.
Eliminate redundant data transfers.
Compress transferred data.
Position servers closer to the user to reduce roundtrip times.
Reuse established TCP connections whenever possible.

The core principles and their implications remain unchanged: TCP three-way handshake introduces a full roundtrip of latency. TCP slow-start is applied to every new connection. TCP flow and congestion control regulate throughput of all connections. TCP throughput is regulated by current congestion window size. As a result, the rate with which a TCP connection can transfer data in modern high-speed networks is often limited by the roundtrip time between the receiver and sender. Further, while bandwidth continues to increase, latency is bounded by the speed of light and is already within a small constant factor of its maximum value. In most cases, latency, not bandwidth, is the bottleneck for TCP.

Slow-start is not as big of an issue for large, streaming downloads, as the client and the server will arrive at their maximum window sizes after a few hundred milliseconds and continue to transmit at near maximum speeds — the cost of the slow-start phase is amortized over the lifetime of the larger transfer. However, for many HTTP connections, which are often short and bursty, it is not unusual for the request to terminate before the maximum window size is reached. As a result, the performance of many web applications is often limited by the roundtrip time between server and client: slow-start limits the available bandwidth throughput, which has an adverse effect on the performance of small transfers.