A recurring theme in this blog is proper SSL deployment   . One of the push backs that we hear is that SSL brings a lot of overhead, so it only gets deployed when absolutely necessary. Well, that myth was busted about a year ago when Google switched of Gmail to HTTPS. An article by Adam Langley of Google detailed their experience.
Google did this with no additional machines and no special hardware. On their production frontend machines, SSL accounted for less than 1 percent of the CPU load; less than 10KB of memory per connection; and less than 2 percent of network overhead. Langley’s conclusion, “SSL/TLS is not computationally expensive anymore.” Langley re-stated this position in a post released yesterday entitled ‘Still not computationally expensive.’
Paul Rubens of eSecurity Planet explains the myth. “Ten years ago, each time you contacted a server using an SSL connection — for example to request a new Web page — the whole SSL certificate checking and public key crypto routine had to be carried out, and there is no question that this routine was computationally expensive. But these days, SSL has the ability to resume a previous SSL session, which, put simply, means that you only have to go through the whole SSL process once, and from then on the SSL connection is virtually computationally free.”
Go ahead, deploy SSL. The right way.
P.S. Here is another reference from Bob Lord. Bob’s bottom line: “In 2006, SSL is super cheap.” I think it’s even cheaper in 2011.