SSL性能影响 [英] SSL performance implications

问题描述

可能重复：

SSL会产生多少开销？

I最近与一位开发人员进行了对话，他告诉我在网站范围内实施SSL会使服务器上的负载增加300倍。这真的可信吗？我目前在所有页面上都使用SSL，我们每天都有数千名用户访问系统而没有任何明显的延迟。我们使用的是IIS 7服务器。

I recently had a conversation with a developer who told me that having SSL implemented site-wide puts 300 times the load on the server. Is this really credible? I currently use SSL across all pages and we have several thousand users accessing the system daily without any noticeable lag. We are using an IIS 7 server.

他的解决方案是仅在登录页面上使用SSL来保护登录凭据的传输。然后将它们重定向回HTTP ...这是一个好的做法吗？

His solution was to only use SSL on the login page to secure the transmission of the login credentials. Then redirect them back to HTTP...Is this good practice?

推荐答案

HTTPS的成本高昂就是握手，两者都是CPU（非对称加密操作更昂贵）和网络往返（不仅用于握手本身，还用于检查证书撤销）。在此之后，使用对称加密完成加密，这不应该对现代CPU施加很大的开销。有一些方法可以减少由于握手造成的开销（特别是，通过会话恢复，如果支持和配置）。

What's costly in HTTPS is the handshake, both in terms of CPU (the asymmetric cryptographic operations are more expensive) and network round trips (not just for the handshake itself, but also for checking the certificate revocation). After this, the encryption is done using symmetric cryptography, which shouldn't impose a big overhead on a modern CPU. There are ways to reduce the overhead due to the handshake (in particular, via session resumption, if supported and configured).

在许多情况下，它配置很有用静态内容也可以在客户端缓存（参见 Cache-Control：public ）。默认情况下，某些浏览器不会缓存HTTPS内容。

In a number of cases, it's useful to configure the static content to be cacheable on the client-side too (see Cache-Control: public). Some browsers don't cache HTTPS content by default.

使用HTTPS时，服务器的CPU负载增加300听起来没有正确配置。

Increasing the server's CPU load by 300 when using HTTPS sounds like something isn't configured appropriately.

他的解决方案是仅在登录页面上使用SSL来保护登录凭证的
传输。然后将它们重定向回
HTTP ...这是一个好习惯吗？

His solution was to only use SSL on the login page to secure the transmission of the login credentials. Then redirect them back to HTTP...Is this good practice?

许多网站都这样做（包括StackOverflow） ）。这取决于需要多少安全性。如果您这样做，只会保护凭据。攻击者可以窃听以普通HTTP传递的cookie（或类似的身份验证令牌）并使用它来模拟经过身份验证的用户。

A number of sites do this (including StackOverflow). It depends on how much security is required. If you do this, only the credentials will be secured. An attacker could eavesdrop the cookie (or similar authentication token) passed in plain HTTP and use it to impersonate the authenticated user.

从HTTP切换时需要非常小心到HTTPS或反过来。例如，一旦传递给普通HTTP，来自登录页面的身份验证令牌应被视为已泄露。特别是，您不能假设仍然使用该身份验证令牌的后续HTTPS请求来自合法用户（例如，不允许它编辑我的帐户详细信息或类似内容）。

Great care needs to be taken when switching from HTTP to HTTPS or the other way around. For example, the authentication token coming from the login page should be considered as "compromised" once passed to plain HTTP. In particular, you can't assume that subsequent HTTPS requests that still use that authentication token come from the legitimate user (e.g. don't allow it to edit 'My Account' details, or anything similar).

这篇关于SSL性能影响的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！