"Christopher G. Petrilli" wrote:
Based on real-world benchmarks, SSL generally has an order of magnitude impact (sometimes more) on performance... the key negotiation is a huge CPU burden, and must be performed at the start of each SSL session (which under HTTP/1.0 is every HTTP query)... what I've recommended to a lot of people doing "high performance" servers is to use SSL to gather UID/password, then issue a "ticket" (aka cookie) that is valid, and then let the cookie be passed around. While this isn't 100%, and does allow for certain types of replay/mim vectors, it does provide a good bit more real world security than passing uids in the clear.
Interesting. I was estimating that our hit was more like 2:1, but I'm sure it would degrade in the absence of a multiprocessor server ;-) Are you implementing such a policy (above) using Zope? I'd be very interested to hear more.

Regards,
Jeff Bauer
Rubicon, Inc.
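The login-over-SSL-then-ticket scheme Petrilli describes, written out as an added Python example (not code from either poster, nor from Zope). The HMAC-over-uid-and-expiry layout, the key, the uid and the fixed timestamps are all constructed assumptions; the point is to show what the ticket does protect (forgery, expiry tampering) and what it does not (replay of a captured cookie before it expires, the caveat raised in the quoted message).

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed example of a signed "ticket" cookie issued after an SSL-protected
# login. The key is an assumption: a real server loads it from configuration,
# keeps it secret and rotates it; it is never embedded in code.
TICKET_TTL = 3600  # seconds a ticket stays valid after the SSL login


def issue_ticket(key: bytes, uid: str, now: Optional[float] = None,
                 ttl: int = TICKET_TTL) -> str:
    """Build a ticket once uid/password have been verified over SSL.

    Layout: base64url(uid|expiry) + "." + hex(HMAC-SHA256(key, payload)).
    The MAC stops a client forging a ticket for another uid or extending the
    expiry. It does NOT stop replay: anyone who sniffs the cookie on a plain
    HTTP request can present it until the expiry passes.
    """
    now = time.time() if now is None else now
    expiry = int(now) + ttl
    payload = base64.urlsafe_b64encode(f"{uid}|{expiry}".encode()).decode()
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_ticket(key: bytes, ticket: str,
                  now: Optional[float] = None) -> Optional[str]:
    """Return the uid if the ticket is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload, mac = ticket.split(".", 1)
    except ValueError:
        return None  # malformed: no separator
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # forged, tampered, or signed under a different key
    try:
        uid, expiry_str = base64.urlsafe_b64decode(payload.encode()).decode().split("|", 1)
        expiry = int(expiry_str)
    except (ValueError, UnicodeDecodeError):
        return None
    if now >= expiry:
        return None  # ticket has expired; client must log in over SSL again
    return uid


def handle_request(key: bytes, cookie: Optional[str],
                   now: Optional[float] = None) -> str:
    """Server-side dispatch for a plain-HTTP request carrying the cookie."""
    uid = verify_ticket(key, cookie, now) if cookie else None
    if uid is None:
        return "302 redirect to SSL login"
    return f"200 OK for {uid}"


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-use"      # constructed, not a real secret
    ticket = issue_ticket(key, "jeff", now=1_000_000)
    print(handle_request(key, ticket, now=1_000_100))           # accepted
    print(handle_request(key, ticket, now=1_000_000 + 4000))    # expired
    print(handle_request(key, ticket[:-1] + "0", now=1_000_100))  # MAC tampered
    # Replay: the same ticket presented again within its lifetime still passes,
    # which is exactly the gap a short TTL and a secure-cookie policy narrow.
    print(handle_request(key, ticket, now=1_000_200))
```

The TTL is the main knob against the replay window; binding the ticket to something the sniffer does not share (and marking the cookie so browsers only send it over SSL where that is affordable) narrows it further, at the cost of the per-request handshake the thread is trying to avoid.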