Steven M. Bellovin wrote:
As for CPU time -- remember that most web site visits are very short;
this in turn means that you have to amortize the SSL setup expense over
very few pages. I talked once with a competent system designer who
really wanted to use https but couldn't -- his total system cost would
have gone up by a factor of 10.
We handle the SSL decryption on the front-end load-balancers (hardware
assisted). For financial transactions the load-balancers also maintain
long-lived SSL connections to the webservers, that the decrypted data is
pipelined into. This avoids the expensive session setup and teardown on
the servers.
Sam
