Comments on: How SSL/TLS is broken, socially

By: protocol7 » Blog Archive » links for 2006-12-04

protocol7 » Blog Archive » links for 2006-12-04 — Mon, 04 Dec 2006 12:17:42 +0000

[...] How SSL/TLS is broken, socially (tags: authentication SSL security encryption by:david_megginson) [...]

By: M. David Peterson

M. David Peterson — Sun, 21 Aug 2005 05:25:46 +0000

See CACert.org

By: Jay Carlson

Jay Carlson — Sun, 21 Aug 2005 02:39:25 +0000

Without identity information provided by authentication, who are you encrypting to?

If you think I’m being needlessly Socratic, see http://www.evilscheme.org/defcon/ .

By: Aristotle Pagaltzis

Aristotle Pagaltzis — Sun, 21 Aug 2005 02:16:00 +0000

I wish. I’m afraid it’s not a subject of direct interest for me. I remember the figure because I was impressed by the discrepancy every time I saw a mention in an article in iX (or maybe c’t; they’re the two German computer magazines). I at least skim almost everything they write about, whether it’s of direct interest or not. This number came up at least thrice over time. Shame that I don’t have the first clue where to go looking for a citation…

It would be in German anyway, but it would provide a starting point at least, whereas all my attempts to wrestle something out of Google were in vain. The obvious keyword combinations result in a sea of vendor ads and product whitepapers, but nothing of value.

By: david

david — Sat, 20 Aug 2005 20:26:26 +0000

That’s a great comment, Aristotle — thanks. I would have expected to see a difference of around one order of magnitude, not three. Can you point me to a good source where I can get more performance information?

By: Aristotle Pagaltzis

Aristotle Pagaltzis — Sat, 20 Aug 2005 19:35:13 +0000

Don’t forget another factor: encryption requires a protracted handshake and lots of CPU cycles. The peak simultaneous request rate that a webserver can handle is typically three orders of magnitude greater for unencrypted connections than for encrypted ones.

Since each connection has to be encrypted invidually, you can’t just throw cheap machines doing reverse proxy duties at the problem either – the easiest to maintain and most cost effective way to scale a service. You need big, expensive hardware, because servers pushing encrypted content down the wire end up CPU-bound, not I/O-bound.

For low-volume sites, the problem isn’t even on the radar. But for small outfits running sites with moderate but not insignificant traffic, it is a serious concern. You have to choose carefully how much content is served securely; encryption unfortunately isn’t free.