I'm trying to decide whether to use SSL for a webapp. It doesn't handle credit cards or financial data, but it does store information that should be private for personal/social reasons. There is also the usual user registration and login functionality that maybe should be protected.
I know that there is going to be some performance reduction with SSL because server and client have encrypt and decrypt. Also, from what I understand, encrypted data doesn't compress as much, so Apache's mod_deflate
probably won't work as well.
How significant is the performance hit likely to be? I plan to do some testing, but nonetheless I'd be interested in any comments based on experience.
If you are worried about performance, then SSL should only be apart of your overall strategy. I manage several sites for some fortune-5 companies that see millions of hits per day and thousands of unique visitors and we don't use any SSL off loading. We've found that most of our loading concerns are focused on the code base and 3rd party libraries we use (.NET, Java mostly).
So if you're concerned about SSL load, don't be unless you also have concerns with other aspects such as the code performance under heavy traffic that you're also dealing with. And load here really means memory foot print and CPU... It's easy to fix traffic loads; it's these other loads that mostly matter or come into play first.
There's a noticeable performance hit on each connect for the PKI overhead. The actual data transfer, using symmetric keys, has relatively little overhead. Exact ratios and costs depend on your particular hardware/software stack.
In general, the overhead for transferring lots of data is small; the overhead for doing lots of small connects (https for lots of small images, for example) is much larger. You can pick and choose parts of a page to protect, it doesn't have to be all or none.
Do your tests and benchmarks, I suspect you'll find that the overall performance hit is small and tolerable.
Yes, it does cause a degree of load, and is worth offloading to a load balancer with SSL modules installed. However if you must use a server, any load it created worth its weight if you are dealing with any sensitive data, although whether personal information is considered sensitive is a different question (apart from login, social networks don't tend to use https).
Try ab for stress testing over HTTP vs HTTPS to see the difference, and be sure to only enable mod_ssl in the :443 sections in your
vhost.conf
etcSSL has its own compression protocols, the client use of which you can monitor. To increase speed of requests, be sure to use SSL Session Caching
There will be a slight performance hit, which is why typically most websites only require SSL on the registration and login forms to make sure data is sent securely, after which browsing resumes without SSL.