Re: Authentication over HTTP

On Jul 15, 2013, at 2:02 AM, "Yoav Nir" <ynir@checkpoint.com> wrote:

> 
> On Jul 15, 2013, at 11:37 AM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
> 
>> 
>> That's like saying "transportation is a non-issue, because Bill Gates
>> has a private jet."
>> 
>> Not everybody has Google and FaceBook's globally distributed resources,
>> nor their laser-like focus on delivering web-content.
> 
> Not so. A pretty low-end server, say 4 cores, can handle 250 full handshakes per second, and can easily saturate a 1Gbps link.
> 
> That's with a default Apache and OpenSSL installation. If your website needs more than this, then you may not be in the class of Google and Facebook, but you're way beyond the personal blog / local store crowd.
> 
> It is true that content delivery networks charge a premium for things protected by TLS. I think that has more to do with signaling than actual costs.
> 
> Yoav
> 

And that premium comes directly from cost. 

There is still a big gap between "TLS is totally free" and what we have today. 250 handshakes a second is a big difference from the 2500 connections or more you can get without. The march to 2048 makes that worse, and luckily advances like ECC help bring it some of the way back. When you then consider the excess requirements of having sufficient resources to gracefully withstand a DDoS, the problem is compounded.

All that said, you have not heard me preaching against the growing adoption of TLS. I think it is a "good thing" despite the pain associated with it. I firmly believe, however, that as long as there is some incremental cost with TLS there will be someone whose business wants to avoid that cost affecting their margins and will look for a non-TLS alternative. These discussions have been hashed and rehashed since SPDY was introduced, however, and I doubt there is much new to add to them at this point. 

-stephen

Received on Monday, 15 July 2013 14:38:40 UTC