• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 626
  • Last Modified:

SSL and IIS Performance

Dear All,

I have some secure data in my website like SSN, Drivers License, along with user name, and password. We are planning to implement SSL. I did a little bit of research and it suggests that you use the SSL only for pages which needs them. Using them throughout the site causes more processing to the server which in case might decrease the performance. I am a little unsure of using it for specific pages as it flags the user as entering and leaving the secure site. If I secure the whole website, will affect the performance significantly? Or is there an alternative way to implement this?

Thanks for your help!

rr
0
newoffice
Asked:
newoffice
  • 7
  • 6
  • 2
  • +2
2 Solutions
 
Dave_DietzCommented:
What version of IIS are you running?

SSL under IIS 6.0  generates less overhead than SSL under IIS 5.0 which generates less than SSL under IIS 4.0.....

How many clients/hit per time period are you expecting?

What kind of hardware are you using?

Dave Dietz
0
 
SMartinHamburgCommented:
SSL (https) is encrypting any info passed between client and server. This means extra processing at both ends and slightly more data to transfer.
For small chunks of text base content using decent bandwidth and not too outdated equipment at both ends you will harcly notice any difference.
Try to do a test with worst bandwidth you expect yur clients will have - then you know for sure - anything else is guessing.
0
 
newofficeAuthor Commented:
Okay I get your point SMartinHamburg.

 Dave_Dietz  - We are using Windows 2000 server and probably IIS 6.0 (I need to make sure.) As of now we have around 100 users and at a time around 15-20 users. From what I am gathering, there doesn't seem to be any noticable difference. We are currently using Access though. Planning to migrate to SQL server soon. Will this have any significance?



0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
meverestCommented:
If it is windows 200, then it is iis5

There is no single answer to the question "how much additional load will ssl make". The penalty varies widely depending on how often connections are established and how long they last. The greatest overhead occurs while connections are being set up.

But it is significant to the extent that you would expect between 30% and 50% reduction in capacity by using SSL.  This is why you will find that most sites using SSL will only use that protocol for just the most important pages and swap back to unencrypted for the rest.

There is a tool available 'WCAT' you can use to test overheads specific to your application:

http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/iisbook/c05_monitoring_security_overhead.asp

If it is an expensive hot for you, you might want to consider an SSL accelerator - a hardware peripheral device that can deal with the SSL tasks.  Just google for "SSL ACCELERATOR" for plenty of options.

Cheers.
0
 
newofficeAuthor Commented:
Are you sure meverest? Becuase so far everybody said there is no significant difference in placing the whole site in SSL. 50% reduction is a lot. But most of my pages are forms and if I place SSL and non-SSL together, it is going to flag the user when switching. It might be rather irritating for the user.

Any suggestions? Have you implemented SSL before?
0
 
Dave_DietzCommented:
With IIS 5.0 a 30% reduction in the total number of simultaneous connections is a reasonable estimate.  As meverest said, the biggest performance hit is during the SSL handshake or negotiation.

During negotiation the server and client use non-symmetric private key encryption to agree on an encryption type, a cipher suite and a shared symmetric key.  After the negotiation is finished the client and server use a symmetric encrytion system that is generally 100 times as fast as private/public key encryption.

With 15-20 users at a time I do not expect you will see any noticeable performance issues.

Changing from Access to SQL DB on the backend will make no difference to the SSL overhead for the site.

Since there will be little performance issue with the small number of users you are supporting I would say to go ahead and secure the entire site to avoid the warnings about moveing from SSL to non-SSL and vice cersa.

Dave Dietz
0
 
newofficeAuthor Commented:
As of now we have around 15 - 20 users. But we are growing everyday, so I need to take that into account. How many users do you think would be an optimum amount where they don't see a performance issue?

Thanks.
rr
0
 
meverestCommented:
yes, i am sure.  up to 50% can happen when you have mostly short sharp request sessions, a few hundred bytes per request.  i have had some experience with this, in particular the delivery of a high school certificate results application.  a few hundred thousand hits in the first half hour.

but what we are talking about here is reduction in capacity - as in "with ssl, you may only be able to service 100,000 requests per hour instead of 200,000 requests without noticeable performance degradation"

noticeable reduction in performance won't happen until your server resources start running thin - like > 75% processore load or > 50% server memory and excessive paging.

that's probably why most folks suggest that you won't notice any difference, because when things are slack, you notice hardly anything.  but if you are used to your particular server performing in a known way under load, then you can expect it to manage a lot less easily with ssl.

the reason it is so hard to give a difinitive answer is because so much depends on the application and the server hardware.  the best bet is to run some load tests and see how it goes.

Cheers.
0
 
newofficeAuthor Commented:
meverest : Thanks for your comments. I was looking particularly for any negative results. But you are talking about in 100,000 hits in an hour right? The maximum I would go in an hour for sometime now is around 2000. And we have a dedicated machine. Nothing else is on the machine. Just IIS. So what do you suggest? I would give the points to both of you after increasing.
0
 
meverestCommented:
watch your performance monitor, and take particular note of the processor overhead as that is the main additional hit on server resource. if your server has only reasonable capacity for a modern web server, then i would not expect any major problems with less than one hit per second.

Cheers,  Mike.
0
 
newofficeAuthor Commented:
How do I give each of you 500 points?
0
 
meverestCommented:
Hi,

>> How do I give each of you 500 points?

you can't.  the maximum total points allowed for any question is 500.  if you want to acknowledge more than one expert, just split what you have allocated between those who have helped.

Cheers.
0
 
newofficeAuthor Commented:
Sorry for the delay. I was sick. One of you accept it here and I will post one more question and the other one can accept it there.

Thanks,
rr.
0
 
meverestCommented:
Hello,

glad you are back well again! :-)

>> One of you accept it here and I will post one more question and the other one can accept it there.

that is against the EE rules.  the maximum points awarded for any question is 500, and that includes creating a second question like you propose.

just use the 'split points' function to distribute the points among those you think have helped solve your problem.

Cheers.
0
 
newofficeAuthor Commented:
oh i c... while i was browsing through the questions i saw a lot of people do that. But anyways, I would give u both points.

Thanks!
0
 
meverestCommented:
yes, sometimes it happens, especially in the 'old days' but the riles have changed a bit in the last year or so.

Cheers.
0
 
GeorgeJacobsonCommented:
SSL and Server Performance - do not put on all pages
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

  • 7
  • 6
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now