|
| Home | Accessibility | Courses | Diary | The Mouth | Forum | Resources | Site Map | About Us | Contact |
| For 2023 (and 2024 ...) - we are now fully retired from IT training. We have made many, many friends over 25 years of teaching about Python, Tcl, Perl, PHP, Lua, Java, C and C++ - and MySQL, Linux and Solaris/SunOS too. Our training notes are now very much out of date, but due to upward compatability most of our examples remain operational and even relevant ad you are welcome to make us if them "as seen" and at your own risk. Lisa and I (Graham) now live in what was our training centre in Melksham - happy to meet with former delegates here - but do check ahead before coming round. We are far from inactive - rather, enjoying the times that we are retired but still healthy enough in mind and body to be active! I am also active in many other area and still look after a lot of web sites - you can find an index ((here)) |
HTTPS / SSL overhead, and cookies
Posted by Custard (Custard), 6 January 2004
First, Happy new year to all!!Ok. Heres a quick question about HTTPS/SSL.
What we want to do is send messages using SOAP, but encrypted so as to prevent spoofing & fraudulent messages etc.
So, it occurred that HTTPS would be a good thing, as it's well established, must be pretty secure (banks use it for cc authentication).
But.. my boss reckons that theres too much overhead in using it in establishing the connection.
Now, I'm no expert with HTTPS, but I am assuming that there is an initial set of transactions to negotiate the link, after which a cookie (session_id or whatever) is set.
So I'm hoping that there will only be 1 long setup transaction then subsequent transactions within the session will still be encrypted, but faster.
So, if as long as https transactions occur within the session timeout period there shouldn't be a need to set the session up again.
This just HAS to be a better way than doing our own encryption on the message (doesn't it?)
What I'd like to know is if this is this a correct interpretation of what I've read about HTTPS so far?
Cheers,
Bruce
Posted by admin (Graham Ellis), 12 January 2004
Been doing a bit of reading too ... and I get somewhat conflicting answers. I did read one snippet that referred to "the overhead of encoding and decoding" and suggested that SSL be used only for the exchanges within a series for which security is vital, which kindof implies that it's the encoding rather than the (initial?) setup of an SSL connection that causes a performance hit. Hmm - I'm not sure if that helps; any way you can set up a benchmark test that will emulate your loadings under HTTP and then under HTTPS and see how it works in something close you your case? Is your application all protocol / transfer and very little real work (in which case the efficiency could be an issue), or is there a substantial application with relatively small protocol exchanges (in which case any efficiency hits may go un-noticed in the grand scheme of things!)Posted by Custard (Custard), 12 January 2004
Hi Graham,Your last case applies. I'm not working on this myself, but have done some legwork on it, and after we got SSL/HTTPS working, there doesn't seem to be a speed issue at all.. yet. The level of load is about 0.5 short (<1k) messages a second. I'm sure with more load the cpu would have to do more work naturally.
I'm happy with it, but the powers that be are looking at other things like VPN or some other encryption.
I still think HTTPS is the way to go though.
Thanks again. It's nice to have someones opinion.
Bruce
This page is a thread posted to the opentalk forum
at www.opentalk.org.uk and
archived here for reference. To jump to the archive index please
follow this link.
Other Forum Posts
Follow us on ...
 |  |  |
PH: 01144 1225 708225 • FAX: 01144 1225 793803 • EMAIL: info@wellho.net • WEB: http://www.wellho.net • SKYPE: wellho