Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/mathaetaes/statuses/111583127079982630">Mathaetaes (mathaetaes@infosec.exchange)'s status on Saturday, 16-Dec-2023 00:21:57 JST</a><a href="https://infosec.exchange/@mathaetaes" title="mathaetaes@infosec.exchange"><img src="https://gnusocial.jp/avatar/205893-48-20231215152157.webp" width="48" height="48" alt="Mathaetaes" style="position: absolute; left: 0; top: 0;">Mathaetaes</a><div><a href="https://bikeshed.party/objects/a7dc2f73-57ae-489d-9b55-6e2fa539c037" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/20615" title="randomdamage@infosec.exchange">Daniel Taylor</a></li></ul></div></section><article><p><a href="https://bikeshed.party/users/feld">@feld</a> <a href="https://infosec.exchange/@RandomDamage">@RandomDamage</a> weak ciphers do not necessarily mean computationally cheap ciphers… but that’s less relevant.</p><p>Way back when I used to work at an ISP, we’d have people with colo servers running on single-core pentium chips. Most connections were high-latency, low bandwidth 56K dualup. If a normal page took 3-10 seconds to load due to slow bandwidth, the same page over  SSL might take 15-20 due to the number of extra round trips required to negotiate the session over a 100-300ms connection.  Add a 333 mhz clock on the server (and a 100-200mhz clock on the client) and you did get a noticeable performance hit.</p><p>It was enough that people who needed ssl would buy dedicated SSL-offload hardware just to handle the compute, and hope the rtt was low enough that they didn’t lose customers.</p><p>So yeah, certificate costs were also stupid high, but the compute and bandwidth impact of SSL back in the day was not trivial, and hindered adoption on its own.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2454999#notice-4861888">In conversation</a><time datetime="2023-12-16T00:21:57+09:00" title="Saturday, 16-Dec-2023 00:21:57 JST">about a year ago</time> <span>from <span><a href="https://infosec.exchange/@mathaetaes/111583127079982630" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@mathaetaes/111583127079982630">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: hit.it</div><h5><a href="https://hit.it/">Home</a></h5><div> from <span>andrea</span></div></header><div></div><footer></footer></article></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/1969493">Untitled attachment</a></label><br></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Mathaetaes (mathaetaes@infosec.exchange)'s status on Saturday, 16-Dec-2023 00:21:57 JSTMathaetaes
in reply to
- feld
- Daniel Taylor
@feld @RandomDamage weak ciphers do not necessarily mean computationally cheap ciphers… but that’s less relevant.
Way back when I used to work at an ISP, we’d have people with colo servers running on single-core pentium chips. Most connections were high-latency, low bandwidth 56K dualup. If a normal page took 3-10 seconds to load due to slow bandwidth, the same page over SSL might take 15-20 due to the number of extra round trips required to negotiate the session over a 100-300ms connection. Add a 333 mhz clock on the server (and a 100-200mhz clock on the client) and you did get a noticeable performance hit.
It was enough that people who needed ssl would buy dedicated SSL-offload hardware just to handle the compute, and hope the rtt was low enough that they didn’t lose customers.
So yeah, certificate costs were also stupid high, but the compute and bandwidth impact of SSL back in the day was not trivial, and hindered adoption on its own.
In conversationabout a year ago from infosec.exchangepermalink
Attachments
1. Domain not in remote thumbnail source whitelist: hit.it
  Home
  from andrea
2. Untitled attachment

Public

Embed Notice

HTML Code

Corresponding Notice