It is well known that server performance degrades considerably for SSL transactions compared to the non-SSL case. However, many people running Web servers are (mis)using SSL for a lot of non-security-critical content. In most cases this leads to server overloading and unacceptably long waiting times for the clients. The best example of this is probably SourceForge.net, whose servers are overloaded 100% of the time because they use SSL for almost all of the administration tasks. Most of these tasks are not security critical, but they are time critical to many of us. Using SSL for them is like wearing a firefighter's full turnout gear to protect yourself from a minor burn at a family barbecue. It is overkill.
As for me, I am starting to grow tired of waiting for Web pages to load over HTTPS. It takes so long that I sometimes give up before it's done. If there were a way to disable SSL for services like SourceForge.net, I would do it right away. The productivity decrease is so high with SSL that I am ready to give away security just to be able to get my work done.
- SSL increases the computational cost of transactions by a factor of 5 to 7.
- On a 1.4 GHz Xeon machine the computational demand of an initial handshake is around 175 ms and that of a resumed handshake is around 2 ms.
- RSA computations are the single most expensive operation in TLS, consuming 20-58% of the time spent in the web server.
- V. Beltran, J. Guitart, D. Carrera, J. Torres, E. Ayguadé and J. Labarta, Performance Impact of Using SSL on Dynamic Web Applications, XV Jornadas de Paralelismo, pp. -, Almeria, Spain, September 15-17, 2004. PDF File (144 KB)
- Kant, K., Iyer, R., & Mohapatra, P. (2000). Architectural impact of secure socket layer on Internet servers. Computer Design, 2000, International Conference, 7-14. PDF File (248 KB)
- C. Coarfa, P. Druschel, and D. Wallach. Performance analysis of TLS web servers, 2002. PDF File (144 KB)
- H. Xubin, A Performance Analysis of Secure HTTP Protocol. PDF File (154 KB)