SSL is not computationally expensive anymore

Bruce Morton

A recurring theme in this blog is proper SSL deployment [1] [2] [3]. One objection we hear is that SSL brings a lot of overhead, so it only gets deployed when absolutely necessary. Well, that myth was busted about a year ago when Google switched Gmail to HTTPS. An article by Adam Langley of Google detailed their experience.

Google did this with no additional machines and no special hardware. On their production frontend machines, SSL accounted for less than 1 percent of the CPU load, less than 10 KB of memory per connection, and less than 2 percent of network overhead. Langley’s conclusion: “SSL/TLS is not computationally expensive anymore.” Langley restated this position in a post released yesterday entitled ‘Still not computationally expensive.’

Paul Rubens of eSecurity Planet explains the myth. “Ten years ago, each time you contacted a server using an SSL connection — for example to request a new Web page — the whole SSL certificate checking and public key crypto routine had to be carried out, and there is no question that this routine was computationally expensive. But these days, SSL has the ability to resume a previous SSL session, which, put simply, means that you only have to go through the whole SSL process once, and from then on the SSL connection is virtually computationally free.”
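To check that a server actually resumes sessions as described above, this added example (not part of the original post or of the quoted articles) wraps `openssl s_client -reconnect` and counts full versus resumed handshakes. The function names, the TLS 1.2 pin and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that a TLS server resumes sessions.

# Read `openssl s_client -reconnect` output on stdin and count handshakes.
# s_client prints one summary line per handshake, starting with
# "New, " (full handshake) or "Reused, " (resumed session).
summarize_reconnect() {
    awk '
        /^New, /    { full++ }
        /^Reused, / { resumed++ }
        END {
            printf "full=%d resumed=%d ", full, resumed
            if (full + resumed == 0) print "verdict=no-handshake"
            else if (resumed > 0)    print "verdict=resumption-works"
            else                     print "verdict=no-resumption"
        }'
}

# Live check. -reconnect connects once, then reconnects 5 times offering
# the same session. Pinning TLS 1.2 is an assumption of this example.
check_resumption() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" \
        -tls1_2 -reconnect </dev/null 2>/dev/null | summarize_reconnect
}

# Constructed sample output (not captured from a real server):
# one full handshake followed by five resumed ones.
sample_ok() {
    echo 'New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256'
    for _ in 1 2 3 4 5; do
        echo 'Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256'
    done
}

# Constructed sample output for a server with resumption disabled:
# every reconnect pays for a full handshake.
sample_none() {
    for _ in 1 2 3 4 5 6; do
        echo 'New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256'
    done
}

# Stand-alone use: ./check.sh www.example.com [port]
if [ "$#" -gt 0 ]; then check_resumption "$@"; fi
```

A `verdict=no-resumption` result means every returning client is paying the full public-key handshake cost, which is the situation the overhead figures above do not describe.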

Go ahead, deploy SSL. The right way.

P.S. Here is another reference from Bob Lord. Bob’s bottom line: “In 2006, SSL is super cheap.” I think it’s even cheaper in 2011.

Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.

