SSL Session Resume

Bruce Morton

Yngve Pettersen of Opera has written a great article on SSL Session Resume.

The session resumption feature of the SSL/TLS protocol lets multiple connections reuse the secret key data negotiated in an earlier handshake to calculate each connection's encryption keys. A secure connection can therefore be re-established very quickly with no loss of security, since the data exchanged securely earlier is being reused.

Pettersen’s studies show that about 90 percent of websites resume sessions, while 10 percent do not. The “do not resume” list climbs to 29 percent when just the Alexa Top 100 Sites are probed. This includes popular sites such as Yahoo!, Live.com, Twitter, MSN and eBay. The irony is that popular sites stand to benefit the most as they are more likely to require multiple connections to the same user throughout the day, especially when compared to unpopular sites.

Image credit to Yngve Pettersen, Opera Software

The benefits of SSL session resumption? Performance and cost savings. The server-side part of a full SSL session negotiation is CPU-intensive. This translates into latency, which can be mitigated by adding more servers. More servers mean more cost in power, air conditioning and hardware. Enabling SSL Session Resume will increase performance and lessen the need to add more servers.

Have you enabled SSL Session Resume for your site? If not, this may be something that you want to consider, as it could be a win-win for you and your users.
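One way to answer that question from the command line, as an added example that is not from the original post or from Pettersen's study: the function below classifies the output of `openssl s_client -reconnect`, which reports each handshake as `New` or `Reused`. The function name, verdict labels and sample output are constructed for illustration, and HOST is a placeholder.

```shell
#!/bin/sh
# Live check (needs network; HOST is a placeholder for your own site):
#   openssl s_client -connect HOST:443 -tls1_2 -reconnect </dev/null 2>/dev/null | resume_verdict
# -reconnect performs one full handshake, then reconnects 5 times offering the
# same session; each handshake prints a line starting "New," or "Reused,".
# -tls1_2 is used because TLS 1.3 tickets arrive after the handshake and this
# quick check can miss them.

# Reads s_client output on stdin, prints "<verdict> new=<n> reused=<n>".
resume_verdict() {
    awk '
        /^New, /    { n++ }
        /^Reused, / { r++ }
        END {
            if (n + r == 0)  v = "no-handshake"   # connection or TLS failure
            else if (r == 0) v = "not-resuming"   # every reconnect paid for a full handshake
            else if (n <= 1) v = "resuming"       # only the first handshake was full
            else             v = "partial"        # some reconnects fell back to a full handshake
            printf "%s new=%d reused=%d\n", v, n, r
        }'
}

# Constructed sample output, trimmed to the relevant lines (not captured from a real site).
SAMPLE_RESUMING='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
drop connection and then reconnect
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256'

SAMPLE_FULL='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
drop connection and then reconnect
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256'

printf '%s\n' "$SAMPLE_RESUMING" | resume_verdict   # resuming new=1 reused=5
printf '%s\n' "$SAMPLE_FULL" | resume_verdict       # not-resuming new=6 reused=0
```

A `partial` verdict means only some of the reconnects were resumed, so the server is still paying for full handshakes on the rest.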

Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.

