server question

  • Marcus

    server question

    Hi all,

    Quick question about using SSL... I am running PHP/MySQL/Apache, and
    currently am just using session variables to log users in. Obviously I
    would like to make this more secure, i.e. in conjunction with SSL, BUT I
    remember hearing awhile back that using SSL drastically cuts down the
    number of users a server can handle, and/or slows all accesses down, I
    would assume because of the whole encryption/decryption process. Is
    this true, and if so, does anyone know of any hard data as to how it
    affects it, or maybe links to documentation?

    I have Googled this for the past half hour or so and amazingly can find
    nothing on the matter, so either I am searching all the wrong keywords
    or this is not an issue. Thanks in advance.

    Marcus

  • Michael Austin

    #2
    Re: server question

    Marcus wrote:
    > Hi all,
    >
    > Quick question about using SSL... I am running PHP/MySQL/Apache, and
    > currently am just using session variables to log users in. Obviously I
    > would like to make this more secure, i.e. in conjunction with SSL, BUT I
    > remember hearing awhile back that using SSL drastically cuts down the
    > number of users a server can handle, and/or slows all accesses down, I
    > would assume because of the whole encryption/decryption process. Is
    > this true, and if so, does anyone know of any hard data as to how it
    > affects it, or maybe links to documentation?
    >
    > I have Googled this for the past half hour or so and amazingly can find
    > nothing on the matter, so either I am searching all the wrong keywords
    > or this is not an issue. Thanks in advance.
    >
    > Marcus

    First of all which OS - as it can make a difference? Anytime you add
    encryption, there is always a performance penalty. But even with that penalty,
    most users won't even notice it. Do you know what your anticipated workload
    looks like, have you been able to benchmark the number of users hitting the
    front page?

    --
    Michael Austin.
    Consultant - Available.
    Donations welcomed. http://www.firstdbasource.com/donations.html
    :)


    • Marcus

      #3
      Re: server question

      Michael Austin wrote:
      > First of all which OS - as it can make a difference? Anytime you add
      > encryption, there is always a performance penalty. But even with that
      > penalty, most users won't even notice it. Do you know what your
      > anticipated workload looks like, have you been able to benchmark the
      > number of users hitting the front page?


      Michael:

      The OS is Linux. We have been running some benchmarking tests on the
      localhost, but on a very small scale... the eventual workload will be
      much higher. As the site is not finished and released, we have not
      benchmarked the # of users hitting the front page.

      The way our service will be setup, each one of our clients will get
      their own account, to which THEIR end users will log in and interact
      with. So while I cannot give hard numbers now, it will vary directly
      with how many accounts we are serving. Planning for the long term :-)
      let's say we have 1,000 clients, each of which logs into the system 100
      times a day, and whose end users also log in 100 times a day... that's
      200,000 log-ins per day total. Would using SSL on all of these
      adversely affect it to a great degree? There are very minimal graphics
      used - almost all of the transfer is between the user and the database.

      Thanks a bunch!


      • Tim Van Wassenhove

        #4
        Re: server question

        In article <mZVJc.1966$7L1.1405@newssvr15.news.prodigy.com>, Marcus wrote:
        > Quick question about using SSL... I am running PHP/MySQL/Apache, and
        > currently am just using session variables to log users in. Obviously I
        > would like to make this more secure, i.e. in conjunction with SSL,

        What do you want to make more secure?
        The part where the user logs in, or also the data transmitted with each
        page request?

        Almost every *large* site i know uses https to handle the submitted
        values when a user logs in. And after that uses http to show the pages.

        --
        Tim Van Wassenhove <http://home.mysth.be/~timvw>


        • Marcus

          #5
          Re: server question

          Tim Van Wassenhove wrote:
          > What do you want to make more secure?
          > The part where the user logs in, or also the data transmitted with each
          > page request?
          >
          > Almost every *large* site i know uses https to handle the submitted
          > values when a user logs in. And after that uses http to show the pages.

          Tim:

          From my understanding, if someone simply listens over the network and
          steals a session, he/she then has full access to that user's
          information. Since I am using session var's to keep track of things,
          would using https first and then http be vulnerable?


          • neur0maniak

            #6
            Re: server question

            Marcus wrote:
            > Tim Van Wassenhove wrote:
            >
            >> What do you want to make more secure? The part where the user logs in,
            >> or also the data transmitted with each
            >> page request?
            >>
            >> Almost every *large* site i know uses https to handle the submitted
            >> values when a user logs in. And after that uses http to show the pages.
            >>
            >
            > Tim:
            >
            > From my understanding, if someone simply listens over the network and
            > steals a session, he/she then has full access to that user's
            > information. Since I am using session var's to keep track of things,
            > would using https first and then http be vulnerable?

            I'd guess it'd become vulnerable seeing as how the session would still
            be in use.. I thought the secure mode during login was only used to
            keep your password in cleartext safe from prying eyes..


            • Chung Leong

              #7
              Re: server question

              "Marcus" <JumpMan222@aol.com> wrote in message
              news:f%YJc.37499$eH1.17959389@newssvr28.news.prodigy.com...
              > Tim Van Wassenhove wrote:
              >
              > > What do you want to make more secure?
              > > The part where the user logs in, or also the data transmitted with each
              > > page request?
              > >
              > > Almost every *large* site i know uses https to handle the submitted
              > > values when a user logs in. And after that uses http to show the pages.
              > >
              >
              > Tim:
              >
              > From my understanding, if someone simply listens over the network and
              > steals a session, he/she then has full access to that user's
              > information. Since I am using session var's to keep track of things,
              > would using https first and then http be vulnerable?

              Here're some numbers I found on the web:

              "In our tests of the two and four Xeon DP processors, we achieved 32 SSL
              transaction/sec with two processors, and 54 SSL transaction/sec with four
              processors. In the tests with two, four, six and eight Xeon MP processors,
              we achieved SSL rates of 16, 35, 50 and 70 transactions per second,
              respectively. The DP performance is slightly higher than the MP performance
              because the DP processors run at 2.4GHz and the MP processors run at
              1.6GHz."

              Large commercial sites typically use hardware SSL accelerators to augment
              the web server.

              You're right about the session id yielding full access to the system. If you
              store the session id in a secure cookie, then it wouldn't be sent when the
              browser is communicating in HTTP.


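The "secure cookie" Chung Leong mentions, together with the HTTPS-only login page discussed by Tim and neur0maniak, looks like this in PHP. This is an added example, not code posted by anyone in the thread; it assumes PHP 7.3 or later (for the array form of `session_set_cookie_params`) and a placeholder host name `www.example.com` that a real site would replace with its own.

```php
<?php
// Added example (not from any poster in this thread): a session bootstrap
// and login helper that keep the PHP session cookie off plain HTTP, as
// Chung Leong suggests. Assumes PHP 7.3+ and a placeholder host name.

declare(strict_types=1);

const SITE_HOST = 'www.example.com'; // placeholder, replace with the real host

// Configure the session cookie BEFORE session_start(): the attributes are
// only applied when the cookie is emitted.
function configure_secure_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,      // discarded when the browser closes
        'path'     => '/',
        'domain'   => '',     // current host only
        'secure'   => true,   // the browser sends it over HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    // Accept the session id only from the cookie, never from the URL,
    // and refuse ids the server did not itself generate.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_start();
}

// Send plain-HTTP visitors to the HTTPS copy of the page so a password is
// never transmitted in cleartext (the case neur0maniak describes).
function require_https(): void
{
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$https) {
        header('Location: https://' . SITE_HOST . $_SERVER['REQUEST_URI'], true, 302);
        exit;
    }
}

// Called once the site's own username/password check has succeeded.
// $userId is whatever that lookup returns (placeholder).
function login_user(int $userId): void
{
    // A fresh id after authentication means an id handed out before login
    // never becomes a privileged one (session fixation).
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

require_https();
configure_secure_session();
// ... verify credentials against the database here (site-specific) ...
// login_user($userId);
```

One consequence worth knowing before adopting the "HTTPS for login, HTTP for everything else" split: with `secure` set, the browser withholds the cookie on `http://` requests, so those pages see no session at all rather than a leaked one. Any page that needs `$_SESSION` therefore has to be served over HTTPS as well, which in practice means running the whole logged-in area under HTTPS.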