SSL performance implications

Question

Possible Duplicate:
How much overhead does SSL impose?

I recently had a conversation with a developer who told me that having SSL implemented site-wide puts 300 times the load on the server. Is this really credible? I currently use SSL across all pages and we have several thousand users accessing the system daily without any noticeable lag. We are using an IIS 7 server.

His solution was to only use SSL on the login page to secure the transmission of the login credentials. Then redirect them back to HTTP...Is this good practice?

Check this thread http://stackoverflow.com/questions/149274/http-vs-https-performance — codeghost, Jan 29 '13 at 18:08
See this thread too: http://stackoverflow.com/q/548029/372643 — Bruno, Jan 29 '13 at 19:22

Bruno · Answer 1 · 2013-01-29T19:41:36.790

What's costly in HTTPS is the handshake, both in terms of CPU (the asymmetric cryptographic operations are more expensive) and network round trips (not just for the handshake itself, but also for checking the certificate revocation). After this, the encryption is done using symmetric cryptography, which shouldn't impose a big overhead on a modern CPU. There are ways to reduce the overhead due to the handshake (in particular, via session resumption, if supported and configured).

In a number of cases, it's useful to configure the static content to be cacheable on the client-side too (see Cache-Control: public). Some browsers don't cache HTTPS content by default.

Increasing the server's CPU load by 300 when using HTTPS sounds like something isn't configured appropriately.

His solution was to only use SSL on the login page to secure the transmission of the login credentials. Then redirect them back to HTTP...Is this good practice?

A number of sites do this (including StackOverflow). It depends on how much security is required. If you do this, only the credentials will be secured. An attacker could eavesdrop the cookie (or similar authentication token) passed in plain HTTP and use it to impersonate the authenticated user.

Great care needs to be taken when switching from HTTP to HTTPS or the other way around. For example, the authentication token coming from the login page should be considered as "compromised" once passed to plain HTTP. In particular, you can't assume that subsequent HTTPS requests that still use that authentication token come from the legitimate user (e.g. don't allow it to edit 'My Account' details, or anything similar).

user207421 · Answer 2 · 2020-02-27T22:34:56.330

He is making it up. Surely it occurred to you that 300 is a suspiciously round number? Ask him to prove it. Test and measure.

It certainly puts more load in the server, most of which can be offloaded to a hardware crypto accelerator or a front-end box if you really have a problem, but in my experience it is negligible. See here for more information.

His suggestion about reverting to HTTP after the login only makes sense if the login page is the only page in the site that you want transport security for. This is unlikely to be the case.

Frankly he doesn't appear to know much about any of this.

I did a large experiment about 15 years ago which showed that over the Internet the time overhead of SSL is about 30%.

SSL performance implications

2 Answers2

Linked