When CDNs and SSL Bring Down your Site: Lessons Learned from Doritos and Esurance During the Super Bowl

We first discussed Super Bowl lessons learned around bloated web pages that brought down sites like Kia.com. On the other side, GoDaddy did a great job in reducing the page load just for the time of the Super Bowl to ensure that their site wouldn’t go down.

But there is more to learn than the cost of bloated websites: Esurance, for example, was impacted by their choice of CDN partner, which didn’t scale as needed and hurt page load time. Three companies secured their page content via SSL. Doritos did it in a way that made their page load time about 400% slower than Hyundai or TurboTax, who also decided to go SSL.

Lesson #3: Determine if your CDN Partner will do right for your business

Include your CDN partners in your test and development strategy, but also extend your mindset to ensure they are the right partners for your business. Without establishing confidence in your CDN partner, it’s possible that under extreme load conditions your CDN won’t have what it takes to get you into the end zone. This was likely the case for esurance.com as game time approached.

What we observed during game time on esurance.com was access failures across both web and mobile sites – unreachable content is one way to describe the scenario.

esurance.com unreachable content across web and mobile touch points

For all of esurance.com’s assets, it was not enough to control the factors behind its firewall. In this case, they needed to be able to mitigate the risks across all of its assets, especially those controlled by third-party partners, including CDNs.

It’s worth making this point – any one asset can weaken your site’s performance or take it completely down. Sure, service level agreements with partners may let you point the finger, but from the end user’s point of view, and especially from a branding perspective, there is a zero-degree of separation between you and your customer.

How can CDN deployment performance be measured? With RUM and synthetic monitoring, it’s easy to track hosted content by IP address to see how your CDN is shaping traffic and how that affects site performance. In esurance.com’s case, charting response time by IP address maps the response times to its CDN partner’s IPs. Below, we see that site response time was high, which ultimately led to unreachable content. Validating your CDN’s performance by Host/IP Address is really the only true way to ‘see your CDN’ in action.

High response times mapped to CDN Host IP Addresses; each color represents a different destination IP Address.

Tips for Business

Identify the regions from which you expect your end users to access your site. Set up tests that exercise your site from these geographical locations and verify response times from the CDN providers.

Also check out Outage Analyzer – a free service that gives you a good overview of service quality of 3rd party and CDN providers worldwide. Make smart choices that are best for your end users.

Lesson #4: Secure Only Content that Needs to be and Balance the Traffic Load

Switching gears, let’s look at doritos.com. Doritos chose to deliver their homepage using the SSL protocol. In general, the performance impact SSL has on any page is usually negligible except for one primary use case – that is when web sites have very large numbers of visitors, such as during the Super Bowl.

Yes, SSL is the standard security technology for establishing an encrypted link between a web server and a browser, and it has recently been in the news for the MITM SSL security leak in iOS (this is an exception).

Simply put, the information that is sent has to be encrypted by the server, which takes more server resources and, more importantly, more networking time than if the information weren’t encrypted. Of all Super Bowl advertisers, Doritos was only one of three that secured their home domain with SSL – TurboTax and Hyundai USA were the other two:

Doritos with twice as high response time on their SSL website

Let’s compare turbotax.intuit.com to doritos.com, since they are very close in page size: doritos.com is only 143KB larger. The average number of connections is also similar, with 51 connections for turbotax.intuit.com vs. 57 for doritos.com, and both delivered over 96% of their content encrypted via the HTTPS protocol (SSL).





[Table comparing the two sites. Rows: AVG Response Time (secs); AVG SSL Time (secs); Page size (bytes); % of Page using SSL; AVG Number of Connections; Number of Hosts delivering >95th percentile of SSL; Number of Host IPs delivering >95th percentile of SSL; % of SSL from CDN; % of SSL from Cloud; % of SSL from Private]



Now here are some interesting differences between the two sites: turbotax.intuit.com response time was 1.2x faster, and SSL time over 400% faster, than doritos.com. Let’s take a look at why these disparities exist.

Turbotax.intuit.com by Host IP shows proportional traffic distribution

Each column above is the Number of Bytes grouped by Host/IP Address viewed by a different US City for turbotax.intuit.com. It turns out, turbotax.intuit.com delivered 96.07% of its content from 1 Domain, 1 CDN Partner across 13 different IP Addresses. That’s fast and efficient when it comes to establishing and securing SSL connections and distributing and scaling content across multiple geographies.

Doritos.com by Host IP shows excessive traffic distribution

Doritos.com, on the other hand, delivered 97.91% of its content from 8 Domains, 3 Partners (CDN, Cloud and Private) across 92 different IP Addresses. Breaking that down further, 64.69% of traffic was delivered by a CDN across 53 IPs, 20.53% of traffic by a Cloud partner across 13 IP addresses, and 12.49% of traffic across 26 Private IP addresses. That’s a 6x difference in IP Addresses and related SSL connection overhead. In addition, the lack of CDN edge caching for 33% of total requests placed added latency on establishing each HTTP/S connection (see the many colors common across each column above).

Monitoring traffic distribution applies to HTTPS traffic as well as HTTP. What needs extra consideration is that each HTTPS connection carries networking overhead for the initial SSL key exchange. This overhead adds connection-level round-trips, which can cause delays for each new TCP/IP request.
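The per-host-IP view used for both esurance.com and doritos.com above can be reproduced from a browser HAR export. The following is an added example, not code from the original article or from any monitoring product: it groups requests by server IP and counts new SSL handshakes and handshake time per IP. The HAR sample is constructed, the function names are hypothetical, and `serverIPAddress` and `timings.ssl` are standard HAR 1.2 fields.

```python
import json
from collections import defaultdict

# Constructed sample: a minimal HAR 1.2 log (documentation IPs, made-up timings).
def _e(ip, time, ssl, size):
    return {"serverIPAddress": ip, "time": time,
            "timings": {"ssl": ssl}, "response": {"bodySize": size}}

SAMPLE_HAR = json.dumps({"log": {"entries": [
    _e("192.0.2.10", 420, 120, 30000),   # new HTTPS connection
    _e("192.0.2.10", 90, -1, 12000),     # reused connection: no handshake
    _e("198.51.100.7", 510, 190, 8000),
    _e("198.51.100.7", 340, 160, 5000),  # second parallel connection, second handshake
    _e("203.0.113.5", 640, 230, -1),     # body size unknown
]}})

def summarize_by_ip(har_text):
    """Group HAR entries by server IP: requests, bytes, new handshakes, handshake ms."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "handshakes": 0,
                                 "ssl_ms": 0.0, "time_ms": 0.0})
    for entry in json.loads(har_text)["log"]["entries"]:
        row = stats[entry.get("serverIPAddress") or "unknown"]
        row["requests"] += 1
        row["bytes"] += max(entry.get("response", {}).get("bodySize", 0), 0)  # -1 = unknown
        row["time_ms"] += entry.get("time", 0)
        ssl_ms = entry.get("timings", {}).get("ssl", -1)
        if ssl_ms is not None and ssl_ms > 0:  # -1: plain HTTP or a reused connection
            row["handshakes"] += 1
            row["ssl_ms"] += ssl_ms
    return dict(stats)

def tls_overhead(stats):
    """Page-level totals. ssl_share is relative to cumulative request time,
    not wall-clock time, because requests run in parallel."""
    total_time = sum(r["time_ms"] for r in stats.values())
    total_ssl = sum(r["ssl_ms"] for r in stats.values())
    return {"ips": len(stats),
            "handshakes": sum(r["handshakes"] for r in stats.values()),
            "ssl_share": round(total_ssl / total_time, 3) if total_time else 0.0}

if __name__ == "__main__":
    stats = summarize_by_ip(SAMPLE_HAR)
    for ip, row in sorted(stats.items(), key=lambda kv: -kv[1]["ssl_ms"]):
        print(ip, row)
    print(tls_overhead(stats))
```

A page served from many IPs shows up here as many rows, each with at least one handshake; a page served from few IPs with connection reuse shows few handshakes relative to its request count.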

Tips for Business and Application Architects

Walk through your site to determine if the SSL payload is worth its weight during high traffic scenarios. Perhaps securing a tax software homepage will produce the desired buyers-effect of being perceived as a ‘protected’ site, but can the same be said for seasoned tortilla chips? If you decide it is important, make sure your site doesn’t run into the overhead explained above by loading content from too many different sources. You can do a simple site check with services such as Web Site Performance Tests.

Next Year’s Game Starts Now

Yes, the 2014 Super Bowl game is now history. However, how many of these web teams who faced performance challenges during the game have reflected on, and concluded, it’s time to change the way they view performance management?

Simply working smarter with the right tools helps to identify and fix problem areas in performance, availability and page structure so you can increase user experience, visitor satisfaction and conversions.

Greg Speckhart is a Senior APM Solution Consultant with Compuware APM. Greg has been working in the Application Performance space for several years helping enterprises to better understand and improve application performance.