Comments on: How SSL/TLS is broken, socially http://www.megginson.com/blogs/quoderat/2005/08/20/how-ssltls-is-broken-socially/ what was Thu, 18 Mar 2010 13:00:00 +0000 http://wordpress.org/?v=2.5.1 By: protocol7 » Blog Archive » links for 2006-12-04 http://www.megginson.com/blogs/quoderat/2005/08/20/how-ssltls-is-broken-socially/#comment-17752 protocol7 » Blog Archive » links for 2006-12-04 Mon, 04 Dec 2006 12:17:42 +0000 http://www.megginson.com/blogs/quoderat/?p=61#comment-17752 [...] How SSL/TLS is broken, socially (tags: authentication SSL security encryption by:david_megginson) [...] [...] How SSL/TLS is broken, socially (tags: authentication SSL security encryption by:david_megginson) [...]

]]> By: M. David Peterson http://www.megginson.com/blogs/quoderat/2005/08/20/how-ssltls-is-broken-socially/#comment-1196 M. David Peterson Sun, 21 Aug 2005 05:25:46 +0000 http://www.megginson.com/blogs/quoderat/?p=61#comment-1196 See CACert.org See CACert.org

]]> By: Jay Carlson http://www.megginson.com/blogs/quoderat/2005/08/20/how-ssltls-is-broken-socially/#comment-1194 Jay Carlson Sun, 21 Aug 2005 02:39:25 +0000 http://www.megginson.com/blogs/quoderat/?p=61#comment-1194 Without identity information provided by authentication, who are you encrypting to? If you think I'm being needlessly Socratic, see http://www.evilscheme.org/defcon/ . Without identity information provided by authentication, who are you encrypting to?

If you think I’m being needlessly Socratic, see http://www.evilscheme.org/defcon/ .

]]> By: Aristotle Pagaltzis http://www.megginson.com/blogs/quoderat/2005/08/20/how-ssltls-is-broken-socially/#comment-1192 Aristotle Pagaltzis Sun, 21 Aug 2005 02:16:00 +0000 http://www.megginson.com/blogs/quoderat/?p=61#comment-1192 I wish. :-( I’m afraid it’s not a subject of direct interest for me. I remember the figure because I was impressed by the discrepancy every time I saw a mention in an article in <a href="http://www.heise.de/ix/" rel="nofollow">iX</a> (or maybe <a href="http://www.heise.de/ct/" rel="nofollow">c’t</a>; they’re <em>the</em> two German computer magazines). I at least skim almost everything they write about, whether it’s of direct interest or not. This number came up at least thrice over time. Shame that I don’t have the first clue where to go looking for a citation… :-( It would be in German anyway, but it would provide a starting point at least, whereas all my attempts to wrestle something out of Google were in vain. The obvious keyword combinations result in a sea of vendor ads and product whitepapers, but nothing of value. I wish. :-( I’m afraid it’s not a subject of direct interest for me. I remember the figure because I was impressed by the discrepancy every time I saw a mention in an article in iX (or maybe c’t; they’re the two German computer magazines). I at least skim almost everything they write about, whether it’s of direct interest or not. This number came up at least thrice over time. Shame that I don’t have the first clue where to go looking for a citation… :-(

It would be in German anyway, but it would provide a starting point at least, whereas all my attempts to wrestle something out of Google were in vain. The obvious keyword combinations result in a sea of vendor ads and product whitepapers, but nothing of value.

]]> By: david http://www.megginson.com/blogs/quoderat/2005/08/20/how-ssltls-is-broken-socially/#comment-1191 david Sat, 20 Aug 2005 20:26:26 +0000 http://www.megginson.com/blogs/quoderat/?p=61#comment-1191 That's a great comment, Aristotle -- thanks. I would have expected to see a difference of around one order of magnitude, not three. Can you point me to a good source where I can get more performance information? That’s a great comment, Aristotle — thanks. I would have expected to see a difference of around one order of magnitude, not three. Can you point me to a good source where I can get more performance information?

]]> By: Aristotle Pagaltzis http://www.megginson.com/blogs/quoderat/2005/08/20/how-ssltls-is-broken-socially/#comment-1190 Aristotle Pagaltzis Sat, 20 Aug 2005 19:35:13 +0000 http://www.megginson.com/blogs/quoderat/?p=61#comment-1190 Don’t forget another factor: encryption requires a protracted handshake and lots of CPU cycles. The peak simultaneous request rate that a webserver can handle is typically <em>three orders of magnitude</em> greater for unencrypted connections than for encrypted ones. Since each connection has to be encrypted invidually, you can’t just throw cheap machines doing reverse proxy duties at the problem either – the easiest to maintain and most cost effective way to scale a service. You need big, expensive hardware, because servers pushing encrypted content down the wire end up CPU-bound, not I/O-bound. For low-volume sites, the problem isn’t even on the radar. But for small outfits running sites with moderate but not insignificant traffic, it is a serious concern. You have to choose carefully how much content is served securely; encryption unfortunately isn’t free. Don’t forget another factor: encryption requires a protracted handshake and lots of CPU cycles. The peak simultaneous request rate that a webserver can handle is typically three orders of magnitude greater for unencrypted connections than for encrypted ones.

Since each connection has to be encrypted invidually, you can’t just throw cheap machines doing reverse proxy duties at the problem either – the easiest to maintain and most cost effective way to scale a service. You need big, expensive hardware, because servers pushing encrypted content down the wire end up CPU-bound, not I/O-bound.

For low-volume sites, the problem isn’t even on the radar. But for small outfits running sites with moderate but not insignificant traffic, it is a serious concern. You have to choose carefully how much content is served securely; encryption unfortunately isn’t free.

]]>