
Speed - Do Bank Sites Need It?

We live in a world in which decision-making depends on how quickly we obtain the information we are interested in. Some technology companies are fighting to create fast browsers; others develop frameworks for building web applications and tell their conferences how replacing one framework with its new version increased interaction speed by 900 milliseconds; still others develop content delivery networks (CDNs), trying to place content geographically closer to the consumer and creating algorithms that deliver it over the shortest possible routes.


Comparative table of the page weight of the sites of the ten largest banks in Russia; the average weight of the main page is 4.4 MB (as of May 15, 2017).


| Bank | Site weight in MB |
|---|---|
| ICD | 1.3 |
| VTB | 1.7 |
| VTB 24 | 1.8 |
| Sberbank | 1.9 |
| Alfa Bank | 2.8 |
| Unicredit | 3.6 |
| Promsvyazbank | 5.2 |
| Gazprombank | 5.3 |
| Agricultural Bank | 8.1 |
| Otkritie | 12 |

However, only one of the participants in the table uses a CDN to speed up the delivery of content to the consumer.


This audience does not need an explanation of what a CDN is and why it is needed. But to make it clear that we are talking about the same thing, I will explain.


Simply put, it is a set of technologies that lets site users receive content on average several times faster than with a simple "hosting-client" interaction. Content can be anything from images and videos to dynamically generated JSON for a mobile application and fully generated site pages. The acceleration comes from the fact that users receive content not from the single data center that hosts the site or service, but from the nearest caching point (node) of the CDN provider.




Example 1: You are in Petrozavodsk, and there are nodes in St. Petersburg and Moscow. Geographically, St. Petersburg is obviously closer, so it will be faster for you to get content from the node in St. Petersburg.


Figure 1: Image from Yandex.Maps


It is important that the nearest point means not only the geographical location of the node, but also its location on the Internet, determined using a dynamic routing protocol (BGP).



Example 2: You are still in Petrozavodsk and open a website that is located in the data center of Petrozavodsk.


If the routing protocol is not properly configured, you can easily receive data from this site only after it has traveled, for example, to Moscow via Belomorsk and Arkhangelsk. Obviously, this is not the closest and fastest way.


Figure 2: Diagram of the trunk network of Rostelecom.


If you are a federal bank, the audience of your site is located all over Russia, and your main data center is in Moscow, then your users in Vladivostok will have to wait for a beautiful logo to fly thousands of kilometers before it is displayed in their browser.


With a CDN, such a remote user is served content from a node located directly in Vladivostok, which shortens the network route between nodes several times over.


What is the difference in content delivery in the first and second examples with CDN technology and without it?


The difference is only a few seconds, which may seem insignificant at first glance. However, search engines have long taken site load time into account when ranking search results, and online retail calculates the percentage of conversion lost for every 100 milliseconds of additional page load time.


Legend has it that back in 2008, Amazon already calculated a total annual loss of $1.6 billion per second of additional load time of their site. By the way, research shows that we close a page opened on a mobile device if it has not loaded within 6-10 seconds. And at this moment the question arises: what should we fight for? Speed and conversion, or beauty?


And yet you want a video with cute cats on the page. Well, yes, a video with cats on the site of a large bank, why not. So you launch such a cat on the site, and it strolls along as a 3 MB video clip. Then comes one more video, with flowers, airplanes, chess, and it never stops.



Some solve the problem simply: a minimum of graphics, a maximum of text. This is the conservative option, and of a dozen sites of the largest banks, 40% went for it. Others follow modern trends in site building and in conveying emotion, adding graphics and dynamic objects. As a result, the weight of the site increases by 5-10 times.


What should you do in this situation?


Any media content platform can give the answer: use a CDN, which helps consumers get their content as quickly as possible.

That is the way we went at Otkritie Bank, transferring the static content of our sites to MegaFon's CDN. As a result of this transition, we accelerated the loading of our website in various regions of the country by 2 to 4 times. The transition to the CDN itself took about 2 working days of our developers' time, after several months of coordinating the architecture, tenders, pilot projects and the conclusion of contracts.

"Guaranteed availability of web resources is becoming a mandatory business requirement for banks. A CDN helps to solve two important tasks at once: to increase the speed of work and to provide an additional level of security against cyber attacks. The large capacity of the content delivery network allows processing the requests of millions of users and at the same time resisting flood attacks at the transport and network levels.


In the case of the MegaFon solution, protection is provided in combination with the Perimeter security package, which extends the protection surface of accelerated web resources to several TB/s and shields against attacks at the application level," says Alexey Sechkin of the Content Network Development Department of PJSC MegaFon.


What difficulties did we have to overcome before we implemented this solution?


After all, the risks that could affect the existing business are huge. What if a defacement happens, and instead of the banner with the current product, the visitor sees a banner placed by the attacker, calling on them to go to the ATMs and immediately withdraw all their cash?


For this purpose, there are means of checking and protecting the integrity of content delivered via a CDN. One example is the Subresource Integrity attribute, which was proposed by the W3C consortium in 2016 and is already supported by a number of browsers. Its essence is that when HTML pages are generated on the server, a hash value is computed for each file using a secure hashing algorithm, and the browser, when downloading the files via the CDN, compares the hash values and allows the files to execute only if they match.
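The check described above, as an added Python example that is not code from the bank or from MegaFon: it builds the `integrity` value on the server side and reproduces the comparison a browser makes, including the case where the attribute lists several hashes. The URL and the two sample files are constructed for illustration.

```python
import base64
import hashlib

ALGORITHMS = ("sha256", "sha384", "sha512")  # allowed by SRI, weakest first

def sri_value(data: bytes, algorithm: str = "sha384") -> str:
    """Integrity value for one file: '<algorithm>-<base64 of the digest>'."""
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"

def script_tag(url: str, data: bytes) -> str:
    """Tag the origin server writes into the page it generates."""
    # crossorigin is needed so that a file from another origin can be checked.
    return (f'<script src="{url}" integrity="{sri_value(data)}" '
            'crossorigin="anonymous"></script>')

def browser_accepts(integrity: str, received: bytes) -> bool:
    """Browser-side check: only the hashes with the strongest listed
    algorithm count, and the received bytes must match one of them."""
    candidates = []
    for token in integrity.split():
        algorithm, _, expected = token.partition("-")
        expected = expected.split("?", 1)[0]  # optional "?options" suffix
        if algorithm in ALGORITHMS and expected:
            candidates.append((ALGORITHMS.index(algorithm), algorithm, expected))
    if not candidates:
        return True  # nothing usable in the attribute: loaded without a check
    strongest = max(rank for rank, _, _ in candidates)
    return any(sri_value(received, algorithm) == f"{algorithm}-{expected}"
               for rank, algorithm, expected in candidates if rank == strongest)

# Constructed sample files: what was published and what a tampered node returns.
PUBLISHED = b'document.title = "Current offer";\n'
TAMPERED = PUBLISHED + b'document.title = "Withdraw all cash";\n'

if __name__ == "__main__":
    # cdn.example.com is a placeholder host, not a real CDN address.
    print(script_tag("https://cdn.example.com/static/banner.js", PUBLISHED))
    print("published copy accepted:", browser_accepts(sri_value(PUBLISHED), PUBLISHED))
    print("tampered copy accepted: ", browser_accepts(sri_value(PUBLISHED), TAMPERED))
```

An attribute that contains only unsupported or mistyped algorithm names is treated as absent, so the file loads unchecked; validate generated `integrity` values in the build rather than trusting the template.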


"The use of a CDN has one important risk: through the substitution of content, you can infect clients who essentially trust the site completely. Therefore, when using third-party services, you need to pay attention to this factor. In essence, the following measures are effective: including in the contract the service provider's obligation not to make changes to the content unless the customer initiates them, two-factor authentication of the customer for content management, or automation of management (in the second case, a careful analysis of the security API provided by the service provider will be required).


You can also implement monitoring of changes in the CDN using your own resources," said Vyacheslav Kasimov, Executive Director for Information Security of PJSC Bank Otkrytie. "It is also important to take into account the scenario of a DDoS attack on a CDN (will it lead to the unavailability of the site as a whole) and, therefore, the ability to quickly reconfigure the main site into some minimal configuration with no dependencies on the CDN, or to switch quickly to alternative available CDN addresses. This is a mandatory need, since there are no perfect DDoS protection systems and you should not rely on the service provider's 100% protection."


How do you choose the best and most reliable CDN provider?


This question led us down the path of experiments and pilot projects with the leading CDN providers in Russia.
We made clones of the main site and connected each clone to its own CDN. Then our specialists developed a script that downloads every clone of the site completely several times and records the load time in a table.


Our office network covers the entire territory of Russia from Vyborg to Yuzhno-Sakhalinsk and from Murmansk to Sochi, so we asked our employees in several dozen cities to run this script and send us its results.


Thus, we received a fairly representative sample across cities, Internet providers and connection speeds. All this made it possible to transfer the results of the pilots into the tender committee's evaluation table, which also takes into account the cost of the service, and to choose the best option.
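A sketch of such a measurement in Python, added here as an example and not the bank's actual script: one function times complete downloads of a clone, the other combines the rows sent in from the offices. The provider names `cdn-a` and `cdn-b` and all timings are constructed.

```python
import statistics
import time
import urllib.request

def fetch_url(url):
    """Download one URL completely and return the number of bytes read."""
    with urllib.request.urlopen(url, timeout=30) as response:
        return len(response.read())

def time_clone(urls, runs=5, fetch=fetch_url, clock=time.perf_counter):
    """Load every URL of one site clone `runs` times.
    Returns the total load time of each run, in seconds."""
    totals = []
    for _ in range(runs):
        start = clock()
        for url in urls:
            fetch(url)
        totals.append(clock() - start)
    return totals

def summarize(reports):
    """reports: rows (city, provider, seconds) collected from all offices.
    Returns {provider: median of the per-city medians}, so an office that
    sent many runs does not outweigh one that sent few."""
    per_city = {}
    for city, provider, seconds in reports:
        per_city.setdefault((provider, city), []).append(seconds)
    per_provider = {}
    for (provider, _city), samples in per_city.items():
        per_provider.setdefault(provider, []).append(statistics.median(samples))
    return {p: statistics.median(m) for p, m in per_provider.items()}

def rank(summary):
    """Providers ordered from fastest to slowest typical load time."""
    return sorted(summary, key=summary.get)

# Constructed rows, as if returned by two offices for two hypothetical CDNs.
SAMPLE_REPORTS = [
    ("Vladivostok", "cdn-a", 2.0), ("Vladivostok", "cdn-a", 2.4),
    ("Vladivostok", "cdn-a", 2.2), ("Vladivostok", "cdn-b", 4.0),
    ("Vladivostok", "cdn-b", 4.4), ("Petrozavodsk", "cdn-a", 1.0),
    ("Petrozavodsk", "cdn-b", 0.8), ("Petrozavodsk", "cdn-b", 1.2),
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORTS)
    for provider in rank(summary):
        print(f"{provider}: {summary[provider]:.2f} s")
```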
We are not stopping there; the next step is to switch to the second version of the HTTP network protocol, HTTP/2.


Dmitry Fedorov, Director of Internet Technologies Development, PJSC Otkrytie FC



Source: https://habr.com/ru/post/328718/

