Solved

Web server SSL Overhead

Posted on 2010-11-10
3
695 Views
Last Modified: 2012-05-10
Hello All,

I'm building a very high volume web site which needs to be as lean and mean as possible.  The site will be sustained by advertising so it needs to be very efficient.  What kind of performance overhead is accepted by using SSL protection?  How much more server memory, CPU, and bandwidth will be consumed if I use SSL for each user's session?

(I'm using IIS7 configured as a web farm; via SQL Server state management)
0
Comment
Question by:Phil5780
3 Comments
 
LVL 25

Accepted Solution

by:
Rouchie earned 250 total points
ID: 34109657
This question gets asked quite frequently, but unfortunately the figures vary depending on the nature of the site.  Some people estimate that HTTPS is approximately 10 times slower than HTTP, however, this delay is caused by the initial handshake process (when the client and server exchange encryption data) rather than the transfer of files.

This site http://stackoverflow.com/questions/149274/http-vs-https-performance recommends that you create the site then use a profiler tool to check the resource usage (first with HTTP, then HTTPS).

I run a very large web application that is entirely delivered using HTTPS.  I can't say I've really noticed any difference is resource usage, or speed, although I am sure there is some to a degree.

Does your entire app need to use HTTPS, or can you switch to HTTPS for particular elements such as login, account admin, payment?
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 250 total points
ID: 34111030
Bandwidth, I am assuming you are talking network, is not really effected by SSL.  

CPU, the big hit in CPU is (as Rouchie stated) the initial handshake.  The overhead of doing the actual encryption/decryption is not that much and depends on the same of the pages. So it depends on how many SSL connections you are going to be doing.  When you read about SSL transactions per second this is typically referring to SSL handshakes per second,  not the number of "https" hits.

Memory usage will vary.  It depends on the size of the pages (actually the individual files that make up the pages) you are serving.  Since you need to hold the page in memory twice for a small time period memory utilization will increase.  However, since most files are small it should not matter that much.


Going down the path Rouchie started, only encrypt what you must.  In fact since the site will be sustained by advertisements, I would suggest that if possible the adds are served up by a server other than the app server and none of the ads should be encrypted.  Now if the page is encrypted this will cause the dreaded "mixed" content messages.
0
 

Author Closing Comment

by:Phil5780
ID: 34160502
SSL is unnecessary then for my site.  It just add unnecessary security for data that's just not that important.
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Just a quick little trick I learned recently.  Now that I'm using jQuery with abandon in my asp.net applications, I have grown tired of the following syntax:      (CODE) I suppose it just offends my sense of decency to put inline VBScript on a…
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now