Ssl – Does using SSL cause a significant performance hit

apache-2.2httpsperformanceSecurityssl

I'm trying to decide whether to use SSL for a webapp. It doesn't handle credit cards or financial data, but it does store information that should be private for personal/social reasons. There is also the usual user registration and login functionality that maybe should be protected.

I know that there is going to be some performance reduction with SSL because server and client have encrypt and decrypt. Also, from what I understand, encrypted data doesn't compress as much, so Apache's mod_deflate probably won't work as well.

How significant is the performance hit likely to be? I plan to do some testing, but nonetheless I'd be interested in any comments based on experience.

Best Answer

There's a noticeable performance hit on each connect for the PKI overhead. The actual data transfer, using symmetric keys, has relatively little overhead. Exact ratios and costs depend on your particular hardware/software stack.

In general, the overhead for transferring lots of data is small; the overhead for doing lots of small connects (https for lots of small images, for example) is much larger. You can pick and choose parts of a page to protect, it doesn't have to be all or none.

Do your tests and benchmarks, I suspect you'll find that the overall performance hit is small and tolerable.

Related Solutions

How much of a performance hit for https vs http for apache

For a quick&dirty test (i.e. no optimization whatsoever!) I enabled the simple Ubuntu apache2 default website (which just says "It works!") with both http and https (self-signed certificate) on a local Ubuntu 9.04 VM and ran the apache benchmark "ab" with 10,000 requests (no concurrency). Client and server were on the same machine/VM:

Results for http ("ab -n 10000 http://ubuntu904/index.html")

Time taken for tests: 2.664 seconds
Requests per second: 3753.69 (#/sec)
Time per request: 0.266ms

Results for https ("ab -n 10000 https://ubuntu904/index.html"):

Time taken for tests: 107.673 seconds
Requests per second: 92.87 (#/sec)
Time per request: 10.767ms

If you take a closer look (e.g. with tcpdump or wireshark) at the tcp/ip communication of a single request you'll see that the http case requires 10 packets between client and server whereas https requires 16: Latency is much higher with https. (More about the importance of latency here)

Adding keep-alive (ab option -k) to the test improves the situation because now all requests share the same connection i.e. the SSL overhead is lower - but https is still measurable slower:

Results for http with keep-alive ("ab -k -n 10000 http://ubuntu904/index.html")

Time taken for tests: 1.200 seconds
Requests per second: 8334.86 (#/sec)
Time per request: 0.120ms

Results for https with keep-alive ("ab -k -n 10000 https://ubuntu904/index.html"):

Time taken for tests: 2.711 seconds
Requests per second: 3688.12 (#/sec)
Time per request: 0.271ms

Conclusion:

In this simple testcase https is much slower than http.
It's a good idea to enable https support and benchmark your website to see if you want to pay for the https overhead.
Use wireshark to get an impression of the SSL overhead.

Ssl – Restrict Apache to only allow access using SSL for some directories

The SSLRequireSSL directive is what you're looking for.

Inside your <VirtualHost>, or at the top level if you're not using virtual hosts:

<Directory /topsecret>
  SSLRequireSSL
</Directory>

Or in .htaccess:

SSLRequireSSL

Best Answer

Related Solutions

How much of a performance hit for https vs http for apache

Ssl – Restrict Apache to only allow access using SSL for some directories

Related Topic