WebApp Sec mailing list archives
Re: Idea for making SSL more efficient
From: "Kurt Seifried" <bt () seifried org>
Date: Sat, 17 Jul 2004 20:44:07 -0700
Kurt Seifried wrote:
Highly flawed, requires HUGE changes to proxy software, and to client software, which will never happen, even assuming it does there's still several potential avenues of attack. My advice: buy an SSL accelerator like everyone else does, you can get them as cheap as 100$ or so now for a PCI card.
You would need to 100% guarantee the proxy doesn't serve old versions of images, otherwise users will get nasty error messages saying content is being played with/etc. I have Squid running on several servers and on some pages it keeps getting old ones from servers despite them changing (not sure how to force Squid to stop doing this), sometimes a ctrl-refresh in the browser gets Squid to behave, sometimes not. I imagine other proxy software interaction with certain servers/etc has similar problems. This would suck for users.
Frank wrote:
1. That SSL's only performance issue is compute time. It isn't (plus the
You'd have to benchmark this, but in my experience properly set up SSL adds very minimally to overhead, especially with crypto cards, disk IO and network latency are still your big issues.
2. That you have to modify *every* browser if anything is added to the
SNIPPAGE
it's (a) already happened umpteen times, and (b) no sign it will stop happening any time soon.
Checking my log files for seifried.org (~100,000 visits a month) the top 98% of browsers are MSIE or googlebot, with Netscape/Mozilla/variants coming in at less than a percent. Unless you get MS to back this you gain at most a few % savings of a few percent (single digits) of the browsers. Plus all the browsers that do NOT support it spit up nasty "you are downloading mixed content, it may be insecure blahblah" messages. So assuming you get 10% supported, the other 90% get nasty warning messages, unless you generate pages based on the user agent reported.
- Frank
Kurt Seifried, kurt () seifried org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://seifried.org/security/