SSL is killing the Web interactivity

It is well known that server performance degrades considerably for SSL transactions compared to the non-SSL case. However, many people running Web servers are (mis)using SSL for a lot of content that is not security critical. In most cases this leads to server overloading and unacceptably long waiting times for the clients. The best example of this is probably SourceForge.net, whose servers are overloaded 100% of the time as they are using SSL for almost all of the administration tasks. Most of these tasks are not security critical, but they are time critical to many of us. Using SSL for them is like wearing a firefighter’s full turnout gear to protect you from getting a minor burn at a family barbecue. It is overkill.

As for me, I am starting to grow tired of waiting for Web pages to load over HTTPS. It takes so long that I sometimes give up before it’s done. If there was a way to disable SSL for services like SourceForge.net, I would do it right away. The productivity decrease is so high with SSL that I am ready to give away security just to be able to get my work done.

Important Facts:

  • SSL increases the computational cost of transactions by a factor of 5 to 7.
  • On a 1.4 GHz Xeon machine, the computational demand of an initial handshake is around 175 ms and that of a resumed handshake is around 2 ms.
  • RSA computations are the single most expensive operation in TLS, consuming 20-58% of the time spent in the web server.

Further Reading:

  1. V. Beltran, J. Guitart, D. Carrera, J. Torres, E. Ayguadé and J. Labarta. Performance Impact of Using SSL on Dynamic Web Applications. XV Jornadas de Paralelismo, pp. -, Almeria, Spain, September 15-17, 2004. PDF File (144 KB)
  2. K. Kant, R. Iyer and P. Mohapatra. Architectural impact of secure socket layer on Internet servers. Computer Design, 2000, International Conference, 7-14. PDF File (248 KB)
  3. C. Coarfa, P. Druschel and D. Wallach. Performance analysis of TLS web servers, 2002. PDF File (144 KB)
  4. H. Xubin. A Performance Analysis of Secure HTTP Protocol. PDF File (154 KB)
