Comments on: How SSL/TLS is broken, socially
https://quoderat.megginson.com/2005/08/20/how-ssltls-is-broken-socially/
Open information and technology. Mon, 04 Dec 2006 12:17:42 +0000

By: protocol7 » Blog Archive » links for 2006-12-04
https://quoderat.megginson.com/2005/08/20/how-ssltls-is-broken-socially/#comment-311
Mon, 04 Dec 2006 12:17:42 +0000
[…] How SSL/TLS is broken, socially (tags: authentication SSL security encryption by:david_megginson) […]

By: M. David Peterson
https://quoderat.megginson.com/2005/08/20/how-ssltls-is-broken-socially/#comment-310
Sun, 21 Aug 2005 05:25:46 +0000
See CACert.org

By: Jay Carlson
https://quoderat.megginson.com/2005/08/20/how-ssltls-is-broken-socially/#comment-309
Sun, 21 Aug 2005 02:39:25 +0000
Without identity information provided by authentication, who are you encrypting to?

If you think I’m being needlessly Socratic, see http://www.evilscheme.org/defcon/ .

By: Aristotle Pagaltzis
https://quoderat.megginson.com/2005/08/20/how-ssltls-is-broken-socially/#comment-308
Sun, 21 Aug 2005 02:16:00 +0000
I wish. 😦 I’m afraid it’s not a subject of direct interest for me. I remember the figure because I was impressed by the discrepancy every time I saw a mention in an article in iX (or maybe c’t; they’re the two German computer magazines). I at least skim almost everything they write about, whether it’s of direct interest or not. This number came up at least thrice over time. Shame that I don’t have the first clue where to go looking for a citation… 😦

It would be in German anyway, but it would provide a starting point at least, whereas all my attempts to wrestle something out of Google were in vain. The obvious keyword combinations result in a sea of vendor ads and product whitepapers, but nothing of value.

By: david
https://quoderat.megginson.com/2005/08/20/how-ssltls-is-broken-socially/#comment-307
Sat, 20 Aug 2005 20:26:26 +0000
That’s a great comment, Aristotle — thanks. I would have expected to see a difference of around one order of magnitude, not three. Can you point me to a good source where I can get more performance information?

By: Aristotle Pagaltzis
https://quoderat.megginson.com/2005/08/20/how-ssltls-is-broken-socially/#comment-306
Sat, 20 Aug 2005 19:35:13 +0000
Don’t forget another factor: encryption requires a protracted handshake and lots of CPU cycles. The peak simultaneous request rate that a webserver can handle is typically three orders of magnitude greater for unencrypted connections than for encrypted ones.

Since each connection has to be encrypted individually, you can’t just throw cheap machines doing reverse proxy duties at the problem either – the easiest to maintain and most cost effective way to scale a service. You need big, expensive hardware, because servers pushing encrypted content down the wire end up CPU-bound, not I/O-bound.

For low-volume sites, the problem isn’t even on the radar. But for small outfits running sites with moderate but not insignificant traffic, it is a serious concern. You have to choose carefully how much content is served securely; encryption unfortunately isn’t free.
