tags:

views:

232

answers:

3
Q: 

What is the overhead of using HTTPS compared to HTTP?

Hi,

I was reading this blog(http://googlepublicpolicy.blogspot.com/2009/06/https-security-for-web-applications.html) posted by google on not enabling HTTPS for gmail by default. One of the paragraph says as below.

Unless there are negative effects on the user experience or it's otherwise impractical, we intend to turn on HTTPS by default more broadly, hopefully for all Gmail users. We're also considering how to make this work best for other apps including Google Docs and Google Calendar (we offer free HTTPS for those apps as well).

I didn't understand what negative effects can there be, by shifting over to HTTPS. Is there a benchmarking done on the peformance of HTTP and HTTPS.

I feel that https actually involves some additional protocol messages initially and data encryption later on. Can't these issues be taken care by having SSL browser code to be loaded by default etc..

Thank you Bala

A: 

With HTTPS all traffic between the user and the server hosting the information is encrypted to be seen only by the user and the server. This makes it very difficult for a man in the middle attack. This requires additional resources on both sides to interpret what is being communicated.

Typically on high demand servers on HTTPS there is a limit to what sections of the site uses SSL or there are encryption cards that offload the encryption process.

monksy  2009-12-12 05:02:32
If the additional resources are only CPU bound, I feel that majority of the machines can handle that overhead. If it still is an overhead, then I feel it might be problem with implementation and a better implementation probably in kernel can be thought of.
Algorist  2009-12-12 05:06:53
With HTTPS there is an added layer of encryption per user. It will cut your performance down by a good factor.
monksy  2009-12-12 05:50:37
I am still confused. Which one is higher? Overhead of doing encryption or key exchange.Thanks.
Algorist  2009-12-14 19:30:31
I would say doing the encryption, since its per user/session.
monksy  2009-12-14 20:00:46
A: 

The major cost of https is generally the key exchange at the start of the session, which is CPU intensive. Hardward acceleration is available to handle this. If it is an EV cert then it will also need revocation checking. Actual encryption of the stream is relatively cheap. Sun Niagara II has "zero overhead" encryption which uses spare FPU cycles to do the processing.

Tom Hawtin - tackline  2009-12-12 05:25:07
the Sun Niagra processor line is horrible for encryption, unless (and only unless) you've recompiled to have SSL running using the encryption accelerators: the base CPU has 32 integer pipelines, but they all share one FPU - it's dog-ass-slow on encryption
warren  2009-12-14 15:42:42
Woah. Why would you not compile to have the OS handle SSL? That kind of seems a reasonable thing to me. The Niagara 1 did have a single FPU, but didn't have this feature. The Niagara 2 (which has been shipping in servers for over two years) has 8 FPUs - one per core. It seems an unusual workload that would always keep both floating point and encryption busy - probably one or the other is going to be trivial. http://en.wikipedia.org/wiki/UltraSPARC_T2
Tom Hawtin - tackline  2009-12-14 16:08:55
A: 

The overhead of https is entirely in the key-negotiation phase during the start of the session. If the keys are set to expire in short order, they may need to be renegotiated frequently.

However, if you're living on 128-bit SSL (most common that I've seen), key generation and exchange is a very short process.

Try timing it from two machines on a network - one connecting on SSL, and the other on plaintext: it's in the single-digit percentages, and only truly noticeable at the beginning of the session.

Browser-based activity is almost always user-bound, not machine-bound.

warren  2009-12-14 15:40:12

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security