Saturday, 13 April 2013

The problem with SSL is not performance, its management

In a chat with Michael Hidalgo about SSL, he mentioned the posts Overclocking SSL (from Google), Dispelling the New SSL Myth (from F5) and Still not computationally expensive (Google guy responding to F5).

I have written a couple post on SSL:
And if you read them you will notice that from my point of view, the issue with SSL is not really a performance issue, but a management/workflow one.

Namely the fact that:
  • SSL requires Development and Infrastructure to work together,
  • It adds more complexity to the deployment (note how the Azure team is taking a long time to add support for it)
  • It is still a pain to add SSL support to existing web servers
  • Management of keys is hard
  • It is another source of bugs (for an application).
  • There are a lot of people (and organizations) that really don’t want SSL-everywhere to happen
That said, I agree that the time for SSL-Everywhere has come, and we really need to do a better job at protecting our browsing data