On Wed, Mar 14, 2012 at 06:19:07AM -0500, Ian Clarke wrote:
> On Fri, Mar 9, 2012 at 3:37 PM, Evan Daniel <eva...@gmail.com> wrote:
> 
> > I'm in favor of https only. The only real arguments against it are
> > probably server cpu load. I assume that given our traffic levels,
> > that's not likely to be an issue?
> 
> 
> Actually it might.  While we normally hover around 2,500 visits per day,
> which the server should be able to handle quite easily, we do occasionally
> get linked from high-traffic websites which puts a lot more strain on the
> server.
> 
> It's important that the server doesn't go down on these occasions as they
> are an important way to acquire new users, donors, and developers.
> 
> Ian.

That might have been a concern a decade ago; it's not anymore... Back then
we had a dynamic website; nowadays everything is static and (much) faster.

Talking about SSL: some of the SSL ciphers are quite fast... and even
accelerated in hardware!
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=%2Fcom.ibm.websphere.express.doc%2Finfo%2Fexp%2Fae%2Frprf_ssl.html
http://zombe.es/post/4078724716/openssl-cipher-selection

I've tweaked what we use on osprey already:
RC4-SHA as a first choice, AES-128-SHA the fallback... and then the other
ciphers.

When we renew the SSL cert, I will ensure that we use a smaller key size too;
4096 bits RSA is too big, even by my paranoid standards.

We can't do ECC just yet (the openssl version we use doesn't support it)...
and the VM we rent doesn't export AESNI's CPU flags.

Florent
_______________________________________________
Devl mailing list
Devl@freenetproject.org
http://freenetproject.org/cgi-bin/mailman/listinfo/devl
