ssl for entire website

I heard at one point that it was a resource hog to force https over an entire website.  What is the lastest on this?  What are the potential downfalls of doing this?
Who is Participating?
Dave HoweSoftware and Hardware EngineerCommented:
That is literally true (although not an issue usually in practical terms). An SSL connection (without SSL acceleration) uses, on average, 3x the resources (cpu & memory mostly) as a plain HTTP connection.

However, that is usually a drop in the ocean compared to overheads due to other resources such as database or executable code (the cached dot-net assemblies for for example are huge, bloated resource hogs that dwarf connection space by an order of magnitude) unless you are running under such a load ratio that there is a queue of connections waiting for a worker thread.

I would suggest a policy of suck-it-and-see - if you turn it on, and load increases to an amount unacceptable for the load profile, then look at offloading the ssl to a frontend box.

Otherwise, just let it run, as sales of ssl acceleration for the real world are near-nonexistent these days (the warnings mostly come from an era of poor cpu resource, when handling 2048 bit RSA was a significant load) *except for* large hosting farms, where that CPU is a shared resource that can be more profitably sold to customers if dedicated SSL hardware is used to remove that load from the CPU.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.