Gervase Markham wrote:
> Say I'm a website owner who wants to give my users the assurance that
> (theoretically; let's not go there right now) comes with an SSL
> connection, but don't want or need the overhead of encryption.

You don't need the overhead, but how about the secrecy?
Surely that is part of the assurance that comes from SSL.
Some folks in this group think that is the ONLY value of SSL.
Would you give that up?

> Would it be possible (i.e. what would the side effects be) to enable the
> null cyphers in our SSL implementation, assuming that we made it so that
> using them didn't invoke the lock?

Try it and see. Mozilla 1.7.x provides UI to enable the null ciphers.
With FF, I think you can use about:config to enable
security.ssl3.rsa_null_md5
security.ssl3.rsa_null_sha

> Would that have much effect on server computational load, or is the
> encryption and decryption not where most of the cycles go?

Depends on the ciphersuite and other factors.

If individuals tend to visit your website only once per day (one page per
visitor per day, one https connection per visitor per day) and your pages
are relatively small, then your dominant cost will likely be the cost of
the RSA operations. You can get RSA accelerators for that (PCI cards for
your box).

If individuals tend to visit your website numerous times each day, or the
pages are large (e.g. lxr.mozilla.org :), then your dominant cost will be
the combination of bulk encryption and MACing (keyed hashing).

SSL offers a wealth of different bulk encryption algorithms and several
MAC algorithms. Some of these are more costly than others. The cheapest
bulk encryption algorithm (by far) is RC4. The cheapest MAC algorithm
uses the MD5 hash. SHA1 is considerably slower, about twice as slow as
RC4 encryption.

Your SSL server will generally pick the ciphersuite with the strongest
bulk encryption and the strongest MAC from those enabled on both the
client and server. If you want your server to use the fastest alg's
you must disable the stronger ones.

> Gerv
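
The selection rule described in the last paragraph of the reply, as an added sketch that is not part of the original message: the server takes the strongest suite enabled on both sides, so a cheaper suite is chosen only once the stronger ones are disabled, and a NULL suite only when nothing else is shared. The code points are the IANA values for these suites; the strength ranking and the client list are assumptions constructed for the example, not taken from NSS or any real server.

```python
from typing import Iterable, List, NamedTuple, Optional

class Suite(NamedTuple):
    name: str
    bulk: str   # bulk encryption algorithm
    mac: str    # hash used for the record MAC

# IANA code points for the RSA key-exchange suites relevant to the thread.
SUITES = {
    0x0001: Suite("TLS_RSA_WITH_NULL_MD5", "NULL", "MD5"),
    0x0002: Suite("TLS_RSA_WITH_NULL_SHA", "NULL", "SHA1"),
    0x0004: Suite("TLS_RSA_WITH_RC4_128_MD5", "RC4_128", "MD5"),
    0x0005: Suite("TLS_RSA_WITH_RC4_128_SHA", "RC4_128", "SHA1"),
    0x002F: Suite("TLS_RSA_WITH_AES_128_CBC_SHA", "AES_128", "SHA1"),
    0x0035: Suite("TLS_RSA_WITH_AES_256_CBC_SHA", "AES_256", "SHA1"),
}

# Assumed ordering, weakest to strongest, used only to rank candidates here.
BULK_RANK = ["NULL", "RC4_128", "AES_128", "AES_256"]
MAC_RANK = ["MD5", "SHA1"]

def strength(code: int) -> tuple:
    """Rank by bulk cipher first, then by MAC hash."""
    s = SUITES[code]
    return (BULK_RANK.index(s.bulk), MAC_RANK.index(s.mac))

def negotiate(client: Iterable[int], server_enabled: Iterable[int]) -> Optional[int]:
    """Return the strongest suite enabled on both sides, or None if none is shared."""
    enabled = set(server_enabled)
    shared = [c for c in client if c in enabled and c in SUITES]
    return max(shared, key=strength) if shared else None

def unencrypted(codes: Iterable[int]) -> List[str]:
    """Names of offered suites that authenticate records but do not encrypt them."""
    return [SUITES[c].name for c in codes if c in SUITES and SUITES[c].bulk == "NULL"]

# Constructed client offer: everything enabled, including both NULL suites.
CLIENT = [0x0035, 0x002F, 0x0005, 0x0004, 0x0002, 0x0001]

if __name__ == "__main__":
    for label, server in [("all enabled", SUITES),
                          ("RC4 only", [0x0004, 0x0005]),
                          ("RC4-MD5 only", [0x0004]),
                          ("NULL only", [0x0001, 0x0002])]:
        chosen = negotiate(CLIENT, server)
        print(f"{label:14s} -> {SUITES[chosen].name if chosen else 'handshake failure'}")
    print("client offers without encryption:", unencrypted(CLIENT))
```
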