Re: Lowest encryption setting?

Fri, 21 Jan 2000 08:57:42 -0800 

"Joseph R. Junkin" <[EMAIL PROTECTED]> writes:

> EKR wrote:
> > Now, not all 56-bit modes are equally fast. RC4 in 56 mode
> > (one of the experimental cipher suites)
> 
> All I am concerned with right now are what is supported by typical IE
> and Netscape users, both US and non-US.
> So then should I not be concerned with RC4 then because it is
> experimental?
I didn't say that. What I said was that RC4-56 was experimental.
On the other hand, you might as well support it because it
isn't any slower.

> > is going to be much
> > faster than DES-56. On the other hand 3DES (168 bit) is going
> > to be 3 times as slow as DES.
> 
> Does the typical browser support 3DES? I thought 128 bit encryption was
> it for the moment.
Yes, the domestic browsers typically support 3DES.

> > > Bottom line, what is/are the setting(s) that will place the lowest
> > > possible load on my server, assuming that I already have my certificate
> > > (www.datafree.com)?
> > I think youre overrating the effect of the symmetric cipher
> > on server load. 
> 
> Could be, but doesn't SSL add quite a bit compared to non-SSL?
Yes, but it's the asymmetric cipher (RSA) that adds the load
if you're doing alot of connections but not a lot of data per
connection.

> >Do you know that load is a problem?
> 
> No, it is not yet. I am providing a free service with information that
> can be *read* by guests, unencrypted via non-SSL. So encrypting the data
> just doesn't matter.
> Yet when users want to contribute or update their own information, they
> must login.
> Users may also be administrators, so I want pretty good security for the
> login as well as the session.
> I have designed this with secure cookies and it seems to work well.
The encryption in SSL is the same from client to server as from
server to client. If you're using passwords or cookies, then you
should be concerned with having good encryption since you don't
want them sniffed.

-Ekr

-- 
[Eric Rescorla                                   [EMAIL PROTECTED]]
          PureTLS - free SSLv3/TLS software for Java
                http://www.rtfm.com/puretls/
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]

Reply via email to