Solved

SSL and IIS Performance

Posted on 2005-03-14
Last Modified: 2008-04-24
Dear All,

I have some secure data in my website like SSN, Drivers License, along with user name, and password. We are planning to implement SSL. I did a little bit of research and it suggests that you use SSL only for pages which need it. Using it throughout the site causes more processing on the server, which in turn might decrease the performance. I am a little unsure of using it for specific pages as it flags the user as entering and leaving the secure site. If I secure the whole website, will it affect the performance significantly? Or is there an alternative way to implement this?

Thanks for your help!

rr
Question by:newoffice
17 Comments
 
LVL 34

Assisted Solution

by:Dave_Dietz
Dave_Dietz earned 1000 total points
ID: 13538926
What version of IIS are you running?

SSL under IIS 6.0  generates less overhead than SSL under IIS 5.0 which generates less than SSL under IIS 4.0.....

How many clients/hit per time period are you expecting?

What kind of hardware are you using?

Dave Dietz
0
 
LVL 5

Expert Comment

by:SMartinHamburg
ID: 13538941
SSL (https) is encrypting any info passed between client and server. This means extra processing at both ends and slightly more data to transfer.
For small chunks of text-based content using decent bandwidth and not too outdated equipment at both ends you will hardly notice any difference.
Try to do a test with the worst bandwidth you expect your clients will have - then you know for sure - anything else is guessing.
0
 
LVL 1

Author Comment

by:newoffice
ID: 13539027
Okay I get your point SMartinHamburg.

Dave_Dietz - We are using Windows 2000 server and probably IIS 6.0 (I need to make sure.) As of now we have around 100 users and at a time around 15-20 users. From what I am gathering, there doesn't seem to be any noticeable difference. We are currently using Access though. Planning to migrate to SQL server soon. Will this have any significance?



0
LVL 37

Accepted Solution

by:
meverest earned 1000 total points
ID: 13539121
If it is Windows 2000, then it is IIS 5

There is no single answer to the question "how much additional load will ssl make". The penalty varies widely depending on how often connections are established and how long they last. The greatest overhead occurs while connections are being set up.

But it is significant to the extent that you would expect between 30% and 50% reduction in capacity by using SSL.  This is why you will find that most sites using SSL will only use that protocol for just the most important pages and swap back to unencrypted for the rest.

There is a tool available 'WCAT' you can use to test overheads specific to your application:

http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/iisbook/c05_monitoring_security_overhead.asp

If it is an expensive hit for you, you might want to consider an SSL accelerator - a hardware peripheral device that can deal with the SSL tasks.  Just google for "SSL ACCELERATOR" for plenty of options.

Cheers.
0
 
LVL 1

Author Comment

by:newoffice
ID: 13539162
Are you sure meverest? Because so far everybody said there is no significant difference in placing the whole site in SSL. 50% reduction is a lot. But most of my pages are forms and if I place SSL and non-SSL together, it is going to flag the user when switching. It might be rather irritating for the user.

Any suggestions? Have you implemented SSL before?
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 13539516
With IIS 5.0 a 30% reduction in the total number of simultaneous connections is a reasonable estimate.  As meverest said, the biggest performance hit is during the SSL handshake or negotiation.

During negotiation the server and client use non-symmetric private key encryption to agree on an encryption type, a cipher suite and a shared symmetric key.  After the negotiation is finished the client and server use a symmetric encryption system that is generally 100 times as fast as private/public key encryption.

With 15-20 users at a time I do not expect you will see any noticeable performance issues.

Changing from Access to SQL DB on the backend will make no difference to the SSL overhead for the site.

Since there will be little performance issue with the small number of users you are supporting I would say to go ahead and secure the entire site to avoid the warnings about moving from SSL to non-SSL and vice versa.

Dave Dietz
0
 
LVL 1

Author Comment

by:newoffice
ID: 13539537
As of now we have around 15 - 20 users. But we are growing everyday, so I need to take that into account. How many users do you think would be an optimum amount where they don't see a performance issue?

Thanks.
rr
0
 
LVL 37

Expert Comment

by:meverest
ID: 13539677
yes, i am sure.  up to 50% can happen when you have mostly short sharp request sessions, a few hundred bytes per request.  i have had some experience with this, in particular the delivery of a high school certificate results application.  a few hundred thousand hits in the first half hour.

but what we are talking about here is reduction in capacity - as in "with ssl, you may only be able to service 100,000 requests per hour instead of 200,000 requests without noticeable performance degradation"

noticeable reduction in performance won't happen until your server resources start running thin - like > 75% processor load or > 50% server memory and excessive paging.

that's probably why most folks suggest that you won't notice any difference, because when things are slack, you notice hardly anything.  but if you are used to your particular server performing in a known way under load, then you can expect it to manage a lot less easily with ssl.

the reason it is so hard to give a definitive answer is because so much depends on the application and the server hardware.  the best bet is to run some load tests and see how it goes.

Cheers.
0
 
LVL 1

Author Comment

by:newoffice
ID: 13539740
meverest : Thanks for your comments. I was looking particularly for any negative results. But you are talking about in 100,000 hits in an hour right? The maximum I would go in an hour for sometime now is around 2000. And we have a dedicated machine. Nothing else is on the machine. Just IIS. So what do you suggest? I would give the points to both of you after increasing.
0
 
LVL 37

Expert Comment

by:meverest
ID: 13539836
watch your performance monitor, and take particular note of the processor overhead as that is the main additional hit on server resource. if your server has only reasonable capacity for a modern web server, then i would not expect any major problems with less than one hit per second.

Cheers,  Mike.
0
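
An added example, not part of any post in this thread: a small CPU-capacity model showing how the 30% to 50% estimates and the "no noticeable difference" replies above can both hold, by amortising the handshake cost over the requests that share a connection. The cost figures, traffic shapes and all names in it are constructed placeholders, to be replaced with values measured in your own load test.

```python
# Added illustration, not code from the thread. Every cost figure here is a
# constructed placeholder: replace it with numbers measured in your own load test.
from dataclasses import dataclass

@dataclass(frozen=True)
class Costs:
    request_ms: float        # CPU per response without any crypto
    handshake_ms: float      # CPU per full SSL handshake (public-key work)
    cipher_ms_per_kb: float  # CPU per KB of symmetric encryption

@dataclass(frozen=True)
class Traffic:
    name: str
    requests_per_connection: float  # requests that share one handshake
    kb_per_request: float

def cpu_ms_per_request(c: Costs, t: Traffic, ssl: bool) -> float:
    ms = c.request_ms
    if ssl:
        # The handshake is paid once per connection, so it is amortised.
        ms += c.handshake_ms / t.requests_per_connection
        ms += c.cipher_ms_per_kb * t.kb_per_request
    return ms

def capacity_per_hour(c: Costs, t: Traffic, ssl: bool, cpu_budget: float = 0.75) -> float:
    """Requests/hour one CPU sustains while staying under cpu_budget load."""
    return cpu_budget * 3_600_000 / cpu_ms_per_request(c, t, ssl)

def capacity_reduction(c: Costs, t: Traffic) -> float:
    """Fraction of capacity lost by turning SSL on for this traffic shape."""
    return 1 - capacity_per_hour(c, t, True) / capacity_per_hour(c, t, False)

def cpu_load(c: Costs, t: Traffic, hits_per_hour: float, ssl: bool = True) -> float:
    """Fraction of one CPU consumed at a given hit rate."""
    return hits_per_hour * cpu_ms_per_request(c, t, ssl) / 3_600_000

COSTS = Costs(request_ms=10.0, handshake_ms=9.0, cipher_ms_per_kb=0.02)  # constructed
SHAPES = [
    Traffic("short sharp requests, new connection each time", 1, 0.5),
    Traffic("two requests per connection", 2, 5),
    Traffic("form session over keep-alive", 20, 20),
]

if __name__ == "__main__":
    for t in SHAPES:
        print(f"{t.name}: {capacity_reduction(COSTS, t):.0%} less capacity, "
              f"{cpu_load(COSTS, t, 2000):.1%} CPU at 2,000 hits/hour, "
              f"{cpu_load(COSTS, t, 200_000):.0%} at 200,000")
```

With these placeholder costs the capacity loss is large only when nearly every request pays for its own handshake, and the CPU share at 2,000 hits per hour stays small in every shape.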
 
LVL 1

Author Comment

by:newoffice
ID: 13539865
How do I give each of you 500 points?
0
 
LVL 37

Expert Comment

by:meverest
ID: 13539928
Hi,

>> How do I give each of you 500 points?

you can't.  the maximum total points allowed for any question is 500.  if you want to acknowledge more than one expert, just split what you have allocated between those who have helped.

Cheers.
0
 
LVL 1

Author Comment

by:newoffice
ID: 13565621
Sorry for the delay. I was sick. One of you accept it here and I will post one more question and the other one can accept it there.

Thanks,
rr.
0
 
LVL 37

Expert Comment

by:meverest
ID: 13569390
Hello,

glad you are back well again! :-)

>> One of you accept it here and I will post one more question and the other one can accept it there.

that is against the EE rules.  the maximum points awarded for any question is 500, and that includes creating a second question like you propose.

just use the 'split points' function to distribute the points among those you think have helped solve your problem.

Cheers.
0
 
LVL 1

Author Comment

by:newoffice
ID: 13569495
oh i c... while i was browsing through the questions i saw a lot of people do that. But anyways, I would give u both points.

Thanks!
0
 
LVL 37

Expert Comment

by:meverest
ID: 13572704
yes, sometimes it happens, especially in the 'old days' but the rules have changed a bit in the last year or so.

Cheers.
0
 

Expert Comment

by:GeorgeJacobson
ID: 21433145
SSL and Server Performance - do not put on all pages
0
