Nelson Bolyard wrote:
> You don't need the overhead, but how about the secrecy?
> Surely that is part of the assurance that comes from SSL.
> Some folks in this group think that is the ONLY value of SSL.
> Would you give that up?

I'm just musing, based on a problem someone articulated. I'm not completely convinced it's a problem in practice - computational cycles are cheap - but I thought it was worth a discussion.


Random example of possible value: if I go to a website and see that Microsoft have issued a security alert, I want to be sure it's them and the steps they tell me to take were written by them, but I don't need the connection to be secret.

> Your SSL server will generally pick the ciphersuite with the strongest
> bulk encryption and the strongest MAC from those enabled on both the
> client and server.  If you want your server to use the fastest alg's
> you must disable the stronger ones.

Right. So some performance improvement could be gained by disabling some of the stronger algorithms; you can then trade off security against speed, right the way down to 40-bit public key and 512-bit RSA.


Gerv
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto