tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Restricting SSL access within webapp
Date Mon, 04 Aug 2014 20:47:41 GMT

Mark,

On 8/4/14, 11:34 AM, Mark H. Wood wrote:
> On Fri, Aug 01, 2014 at 07:54:03PM -0400, David Kerber wrote:
>> On 8/1/2014 6:06 PM, James H. H. Lampert wrote:
>>>>> Why would you want to do that?  Other than a few extra
>>>>> server CPU cycles, what's the harm in allowing SSL anywhere
>>>>> at the client's discretion?
>>> 
>>> I'm with Chuck on that one.
>>> 
>>>> From the docs:
>>>> 
>>>> Also, while the SSL protocol was designed to be as efficient
>>>> as securely possible, encryption/decryption is a
>>>> computationally expensive process from a performance
>>>> standpoint.
>>> 
>>> Well, I'll say that I find it rather irritating, when on my
>>> dial-up (YES, DIAL-UP) at home, that Google unilaterally
>>> insists on HTTPS unless you're signed on, and explicitly opt
>>> out of it.
>>> 
>>> But then again, there are a LOT of web sites that are
>>> immensely bandwidth-intensive, and actively hostile to older
>>> browsers (that may nonetheless be the newest browsers available
>>> for a given combination of hardware and OS), all for no good
>>> reason (other than adware and spyware), and SSL is only a small
>>> part of that unnecessary waste of bandwidth.
>>> 
>>> But that said, I think that when there's no overriding security
>>> reason to require SSL, and no overriding bandwidth limitation
>>> reason to prohibit it, it should be the user's call on whether
>>> to use HTTP or HTTPS.
>> 
>> I don't think the problem is so much bandwidth as it is server
>> CPU. Encryption and decryption are very CPU-intensive tasks.
> 
> Negotiating the session key is expensive, but it happens once per 
> short session, and at long intervals for a long session.  Most of
> the session uses symmetric encryption, which is far, far cheaper.

+1

Encryption is more expensive than /not/ encrypting, but it's much
harder on the server (many connections) than it is on the client
(single-digit). Since, these days, everyone is disabling compression
for SSL, the biggest problem for a dial-up connection with SSL would be
the increased payload size.

- -chris
