The answer to your questions depends very much on what you wish to protect.
If you are only interested in protecting the user's login details, then you
could use SSL for just that (Yahoo! mail does something like this when you
request "secure" login). Obviously, if you want to protect all data, you'll
be using SSL throughout. The exact method you use for login doesn't really
matter, since everything transmitted over SSL should be secure.

You are indeed correct that the initial key exchange, otherwise known as the
SSL session setup, takes a lot of processing. However, because Internet
Explorer (known privately to most people on this list as
aaaaaaaaaaaeeeeeeeeeeeeeeeeee!) doesn't handle keep-alives over SSL
properly, it is necessary to force the browser to renegotiate for every
document or image that uses SSL. I have SSL logs full of IE renegotiates,
and often have a server that is running slowly. So if your site has a lot of
SSL traffic and you are allowing IE users to connect, you have a couple of
options.

1. Get Microsoft to fix IE to work properly with SSL. My guess is that
they'll have to fix IIS as well.
2. Invest in some kind of SSL acceleration. There are some details about
this at http://www.kegel.com/ssl/. I would personally like to try out the
Rainbow Cryptoswift card. If I ever do I'll be keeping this list informed of
my success or failure with it.
I think you'll have more success with the second one though!
-
Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
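
An added example, not part of the original message: one way to measure, per browser family, how many requests forced a new SSL connection and how many of those needed a full handshake rather than a resumed session. It assumes an Apache access log written with the custom format `%h %k %{SSL_SESSION_ID}x "%{User-Agent}i"` (`%k`, the keep-alive request count on the connection, exists in Apache 2.x); the log lines and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the assumed format:
#   %h %k %{SSL_SESSION_ID}x "%{User-Agent}i"
SAMPLE_LOG = """\
192.0.2.10 0 A1 "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
192.0.2.10 0 A1 "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
192.0.2.10 0 B7 "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
192.0.2.10 0 B7 "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
198.51.100.4 0 C3 "Mozilla/4.7 [en] (X11; U; Linux 2.2.14 i686)"
198.51.100.4 1 C3 "Mozilla/4.7 [en] (X11; U; Linux 2.2.14 i686)"
198.51.100.4 2 C3 "Mozilla/4.7 [en] (X11; U; Linux 2.2.14 i686)"
198.51.100.4 3 C3 "Mozilla/4.7 [en] (X11; U; Linux 2.2.14 i686)"
"""

LINE_RE = re.compile(r'^(\S+) (\d+) (\S+) "([^"]*)"$')


def browser_family(user_agent):
    """Coarse split: Internet Explorer versus everything else."""
    return "MSIE" if "MSIE" in user_agent else "other"


def handshake_load(log_text):
    """Return per-family counts of requests, new connections and full handshakes.

    %k == 0 marks the first request on a connection, i.e. a new SSL handshake.
    If its session ID was not seen earlier in this log, the handshake was a
    full one (the expensive key exchange); otherwise it was a resumed session.
    """
    stats = defaultdict(lambda: {"requests": 0, "new_conns": 0, "full": 0})
    seen_sessions = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        _host, keepalive_n, session_id, user_agent = m.groups()
        s = stats[browser_family(user_agent)]
        s["requests"] += 1
        if int(keepalive_n) == 0:
            s["new_conns"] += 1
            if session_id not in seen_sessions:
                s["full"] += 1
        seen_sessions.add(session_id)
    return dict(stats)


if __name__ == "__main__":
    for family, counts in handshake_load(SAMPLE_LOG).items():
        print(family, counts)
```

Session IDs first seen before the start of the log window are counted as full handshakes, so run it over a period longer than the server's session cache timeout.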