Often a web site/page contains or displays sensitive information about their users such as credit card number, account number and other confidential information. And this type of data needs to be defended and security must be provided for such sites. For this reason a web site/page is implemented over a secure socket layer to encrypt communications and to provide privacy.
SSL handshake means the authentication, negotiation using public and private key on cryptography
algorithms and stuff which inevitably happens for every single new connection. So a request being processed through SSL usually takes longer to complete than a request over an unencrypted communication. Thus creating significant overhead on performance when the site is being accessed by concurrent users.
To reduce the overhead on performance, it would be ideal to encrypt only those pages that has sensitive information rather than the whole web site. Consider an example of en eCommerce site which encrypts only the checkout page for payment and not the login, browse and other sections of the site. You can still reduce the overhead by using a separate hardware for cryptographic operations to perform and to reduce the load of computation expensive transactions.
Not using SSL is very bad but over using it is bad too.
No comments:
Post a Comment