[Zope] - Secure Server
Christopher G. Petrilli
petrilli@amber.org
Mon, 25 Jan 1999 13:23:36 -0500
On Mon, Jan 25, 1999 at 11:35:00AM -0600, Jeff Bauer wrote:
> Kevin's point is correct, despite how one particular browser and one
> particular server might maintain a persistent state. Robert is best
> advised to conduct his entire session via secure socket layer if
> the information is sensitive. Moreover, I think Robert's concern
> was the possible performance hit by using SSL rather than a
> regular socket connection. This hardly adds enough overhead
> to warrant dropping into an insecure session.
Based on real-world benchmarks, SSL generally has an order of magnitude
impact (sometimes more) on performance... the key negotiation is a huge
CPU burden, and must be performed at the start of each SSL session
(which under HTTP/1.0 is every HTTP query)... what I've recommended to a
lot of people doing "high performance" servers is to use SSL to gather
UID/password, then issue a "ticket" (aka cookie) that is valid, and then
let the cookie be passed around. While this isn't 100%, and does allow
for certain types of replay/MITM vectors, it does provide a good bit more
real world security than passing UIDs in the clear.
Christopher
--
| Christopher Petrilli
| petrilli@amber.org
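The "ticket" scheme Christopher describes, as an added example that is not code from the thread or from Zope: after the UID/password have been checked over SSL, the server issues a signed, expiring cookie value and later verifies it without re-checking the password. SERVER_KEY, TICKET_TTL and the `uid|expires|hmac` layout are assumptions for this illustration; the expiry is what bounds the replay window the mail warns about.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side key (assumption): generated at startup and never
# sent to the client. A real deployment loads it from protected configuration.
SERVER_KEY = secrets.token_bytes(32)
TICKET_TTL = 900  # assumed lifetime in seconds; bounds how long a captured
                  # ticket can be replayed


def _sign(uid: str, expires: int) -> str:
    # Keyed MAC over both fields, so neither can be altered without SERVER_KEY.
    msg = f"{uid}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_ticket(uid: str, now=None) -> str:
    """Build the 'ticket' cookie value once UID/password were verified over SSL.

    Format: uid|expires|hmac. The client can read the fields but cannot change
    the uid or extend the expiry. uid is assumed to be cookie-safe and to
    contain no '|'. The cookie itself should still be marked Secure, otherwise
    it travels in the clear and can be captured and replayed until it expires.
    """
    expires = int(now if now is not None else time.time()) + TICKET_TTL
    return f"{uid}|{expires}|{_sign(uid, expires)}"


def verify_ticket(ticket: str, now=None):
    """Return the uid when the ticket is authentic and unexpired, else None."""
    parts = ticket.rsplit("|", 2)
    if len(parts) != 3:
        return None
    uid, exp_s, tag = parts
    if not exp_s.isdigit():
        return None
    expires = int(exp_s)
    # Constant-time comparison: a plain '==' leaks where the tag first differs.
    if not hmac.compare_digest(_sign(uid, expires), tag):
        return None
    current = now if now is not None else time.time()
    if current >= expires:
        return None  # expired: a captured ticket is only useful within the TTL
    return uid


if __name__ == "__main__":
    t = issue_ticket("robert")
    print(t, "->", verify_ticket(t))
```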