SSL and Performance

Discussion in 'ASP .Net' started by Ryan Ternier, Mar 31, 2005.

  1. Ryan Ternier

    Ryan Ternier Guest

    My Company is looking to implement SSL encryption on a few of our
    software projects.

    We deal mostly with local governments so information needs to be secure
    between the client and our servers.


    We've heard SSL can be costly on the initial handshake.. how costly?

    Our Server is currently:

    Server 2000,
    -running around 200 websites
    -ASP and ASP.NET on the same machine

    Total Server visits per day: 20,000 - 50,000

    Total visits to the applications needing SSL : 1000-2000 (Depending on
    how busy the city is).



    Rternier
    Code Monkey
     
    Ryan Ternier, Mar 31, 2005
    #1
    1. Advertising

  2. Ryan Ternier

    Brock Allen Guest

    > We've heard SSL can be costly on the initial handshake.. how costly?

    Look at it this way: it's the cost of doing business if security is a requirement.
    Now, this is a grossly simplified comment, but if there are places where
    you need SSL then the cost is worth it. It does take more roundtrips to the
    server initially and there is encryption/decryption overhead on both ends,
    but if it's needed then it's the price you have to pay.

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen
     
    Brock Allen, Apr 1, 2005
    #2
    1. Advertising

  3. Ryan Ternier

    Ryan Ternier Guest

    Brock Allen wrote:
    >> We've heard SSL can be costly on the initial handshake.. how costly?

    >
    >
    > Look at it this way: it's the cost of doing business if security is a
    > requirement. Now, this is a grossly simplified comment, but if there are
    > places where you need SSL then the cost is worth it. It does take more
    > roundtrips to the server initially and there is encryption/decryption
    > overhead on both ends, but if it's needed then it's the price you have
    > to pay.
    >
    > -Brock
    > DevelopMentor
    > http://staff.develop.com/ballen
    >
    >
    >
    >

    And I 100% agree with you. However, my question is, with implementing
    SSL, how will that affect our performance?

    The reason I ask is because I, being the developer, must know if I need
    to plan for extra servers, more RAM, etc.

    I will implement SSL because we deal with highly sensitive Data, but I
    need to know if it will kill the performance on our Live servers.
     
    Ryan Ternier, Apr 1, 2005
    #3
  4. Ryan Ternier

    Bruce Barker Guest

    the additional ssl overhead is going to depend on the size of your pages,
    and how mush cpu they take. ssl is handeled by iis. for example, to use ssl
    on your images (which you will do to prevent the mixed mode error alert),
    the cpu overhead will be high, say 10x, because there is so little cpu with
    a simple file download. but an aspx page uses a more cpu, it may only be a
    10%.

    ssl uses also uses more network bandwith. you are correct, there is also
    additional overhead in setting up the session, but again its cost will
    depend on the page cost.

    may sites offload the ssl to the firewall proxy anyway.

    -- bruce (sqlwork.com)


    "Ryan Ternier" <> wrote in message
    news:%...
    > My Company is looking to implement SSL encryption on a few of our software
    > projects.
    >
    > We deal mostly with local governments so information needs to be secure
    > between the client and our servers.
    >
    >
    > We've heard SSL can be costly on the initial handshake.. how costly?
    >
    > Our Server is currently:
    >
    > Server 2000,
    > -running around 200 websites
    > -ASP and ASP.NET on the same machine
    >
    > Total Server visits per day: 20,000 - 50,000
    >
    > Total visits to the applications needing SSL : 1000-2000 (Depending on how
    > busy the city is).
    >
    >
    >
    > Rternier
    > Code Monkey
     
    Bruce Barker, Apr 1, 2005
    #4
  5. Ryan Ternier

    JiangZemin Guest

    "Ryan Ternier" <> wrote in message
    news:%...
    > Brock Allen wrote:
    >>> We've heard SSL can be costly on the initial handshake.. how costly?

    >>
    >>
    >> Look at it this way: it's the cost of doing business if security is a
    >> requirement. Now, this is a grossly simplified comment, but if there are
    >> places where you need SSL then the cost is worth it. It does take more
    >> roundtrips to the server initially and there is encryption/decryption
    >> overhead on both ends, but if it's needed then it's the price you have to
    >> pay.
    >>
    >> -Brock
    >> DevelopMentor
    >> http://staff.develop.com/ballen
    >>
    >>
    >>
    >>

    > And I 100% agree with you. However, my question is, with implementing SSL,
    > how will that affect our performance?
    >
    > The reason I ask is because I, being the developer, must know if I need to
    > plan for extra servers, more RAM, etc.
    >
    > I will implement SSL because we deal with highly sensitive Data, but I
    > need to know if it will kill the performance on our Live servers.


    Hi, you will see noticably more stress on servers that need to support SSL.
    Youll definitely need better hardware than if you didnt need SSL. Doing
    load testing as early as possible is always a good part of a plan.
    There are hardware-based SSL accelerators out there to help reduce this, but
    be aware that sometimes these vendors will claim that SSL degrades
    performance by some insane percentage, to try to scare you into buying their
    stuff.

    heres some links:
    http://cc.uoregon.edu/cnews/winter2002/boxes.html
    http://www1.us.dell.com/content/topics/global.aspx/power/en/ps1q02_ssl?c=us&l=en&s=gen
    http://www.scmagazine.com/products/index.cfm?fuseaction=GroupTestDetails&GroupId=5892

    HTH,
    Premier JiangZemin
     
    JiangZemin, Apr 1, 2005
    #5
  6. Ryan Ternier

    Joerg Jooss Guest

    Ryan Ternier wrote:

    > Brock Allen wrote:
    > >> We've heard SSL can be costly on the initial handshake.. how

    > costly?
    > >
    > >
    > > Look at it this way: it's the cost of doing business if security is
    > > a requirement. Now, this is a grossly simplified comment, but if
    > > there are places where you need SSL then the cost is worth it. It
    > > does take more roundtrips to the server initially and there is
    > > encryption/decryption overhead on both ends, but if it's needed
    > > then it's the price you have to pay.
    > >
    > > -Brock
    > > DevelopMentor
    > > http://staff.develop.com/ballen
    > >
    > >
    > >
    > >

    > And I 100% agree with you. However, my question is, with implementing
    > SSL, how will that affect our performance?
    >
    > The reason I ask is because I, being the developer, must know if I
    > need to plan for extra servers, more RAM, etc.
    >
    > I will implement SSL because we deal with highly sensitive Data, but
    > I need to know if it will kill the performance on our Live servers.


    Consider using hardware encryption/decryption -- so called SSL
    accelerators (as offered by nCipher, Nortel, or others).

    Cheers,
    --
    http://www.joergjooss.de
    mailto:
     
    Joerg Jooss, Apr 1, 2005
    #6
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. 620
    Replies:
    2
    Views:
    1,011
    Murat Tunaboylu
    Jan 6, 2004
  2. CW
    Replies:
    2
    Views:
    526
  3. Sean Wolfe
    Replies:
    1
    Views:
    2,263
    Joerg Jooss
    Apr 28, 2005
  4. John Smith
    Replies:
    0
    Views:
    392
    John Smith
    Oct 5, 2006
  5. Pavel Smerk
    Replies:
    3
    Views:
    143
    Michal Suchanek
    Aug 15, 2006
Loading...

Share This Page