Yngve Pettersen of Opera has written a great article on SSL Session Resume.
The SSL session resumption feature in the SSL/TLS protocol allows multiple connections to use the same negotiated secret key data to calculate encryption keys for the connection. This allows a secure connection to be re-established very quickly with no loss of security, since the data exchanged securely earlier is being reused.
Pettersen’s studies show that about 90 percent of websites resume sessions, while 10 percent do not. The “do not resume” list climbs to 29 percent when just the Alexa Top 100 Sites are probed. This includes popular sites such as Yahoo!, Live.com, Twitter, MSN and eBay. The irony is that popular sites stand to benefit the most as they are more likely to require multiple connections to the same user throughout the day, especially when compared to unpopular sites.
The benefits of SSL session resumption? Performance and cost-savings. The server-side part of an SSL full-session negotiation is CPU-intensive. This translates into performance latency, which can be mitigated by adding more servers. More servers mean more cost in power, air conditioning and hardware. Enabling SSL Session Resume will increase performance and lessen the need to add more servers.
Have you enabled SSL Session Resume on for your site? If not, this may be something that you want to consider as it could be a win-win for you and your users.