SSL and Performance

[Ryan Ternier]

My Company is looking to implement SSL encryption on a few of our
software projects.

We deal mostly with local governments so information needs to be secure
between the client and our servers.


We've heard SSL can be costly on the initial handshake.. how costly?

Our Server is currently:

Server 2000,
-running around 200 websites
-ASP and ASP.NET on the same machine

Total Server visits per day: 20,000 - 50,000

Total visits to the applications needing SSL : 1000-2000 (Depending on
how busy the city is).



Rternier
Code Monkey

 

[Brock Allen]

We've heard SSL can be costly on the initial handshake.. how costly?

Look at it this way: it's the cost of doing business if security is a requirement.
Now, this is a grossly simplified comment, but if there are places where
you need SSL then the cost is worth it. It does take more roundtrips to the
server initially and there is encryption/decryption overhead on both ends,
but if it's needed then it's the price you have to pay.

 

[Ryan Ternier]

Look at it this way: it's the cost of doing business if security is a
requirement. Now, this is a grossly simplified comment, but if there are
places where you need SSL then the cost is worth it. It does take more
roundtrips to the server initially and there is encryption/decryption
overhead on both ends, but if it's needed then it's the price you have
to pay.

And I 100% agree with you. However, my question is, with implementing
SSL, how will that affect our performance?

The reason I ask is because I, being the developer, must know if I need
to plan for extra servers, more RAM, etc.

I will implement SSL because we deal with highly sensitive Data, but I
need to know if it will kill the performance on our Live servers.

 

[Bruce Barker]

the additional ssl overhead is going to depend on the size of your pages,
and how mush cpu they take. ssl is handeled by iis. for example, to use ssl
on your images (which you will do to prevent the mixed mode error alert),
the cpu overhead will be high, say 10x, because there is so little cpu with
a simple file download. but an aspx page uses a more cpu, it may only be a
10%.

ssl uses also uses more network bandwith. you are correct, there is also
additional overhead in setting up the session, but again its cost will
depend on the page cost.

may sites offload the ssl to the firewall proxy anyway.

-- bruce (sqlwork.com)

 

[JiangZemin]

And I 100% agree with you. However, my question is, with implementing SSL,
how will that affect our performance?

The reason I ask is because I, being the developer, must know if I need to
plan for extra servers, more RAM, etc.

I will implement SSL because we deal with highly sensitive Data, but I
need to know if it will kill the performance on our Live servers.

Hi, you will see noticably more stress on servers that need to support SSL.
Youll definitely need better hardware than if you didnt need SSL. Doing
load testing as early as possible is always a good part of a plan.
There are hardware-based SSL accelerators out there to help reduce this, but
be aware that sometimes these vendors will claim that SSL degrades
performance by some insane percentage, to try to scare you into buying their
stuff.

heres some links:
http://cc.uoregon.edu/cnews/winter2002/boxes.html
http://www1.us.dell.com/content/topics/global.aspx/power/en/ps1q02_ssl?c=us&l=en&s=gen
http://www.scmagazine.com/products/index.cfm?fuseaction=GroupTestDetails&GroupId=5892

HTH,
Premier JiangZemin

 

[Joerg Jooss]

And I 100% agree with you. However, my question is, with implementing
SSL, how will that affect our performance?

The reason I ask is because I, being the developer, must know if I
need to plan for extra servers, more RAM, etc.

I will implement SSL because we deal with highly sensitive Data, but
I need to know if it will kill the performance on our Live servers.

Consider using hardware encryption/decryption -- so called SSL
accelerators (as offered by nCipher, Nortel, or others).

Cheers,