Chapter 8. Security
Web site security usually comes at the cost of performance, but not always. Some security changes can also increase performance. For example, keeping a site simple and avoiding Java and JavaScript means fewer points of weakness. Also, avoiding Microsoft’s IIS web server will likely improve performance while eliminating vulnerability to a large number of viruses that can infect only IIS.
In this chapter, I cover a few security points only as they relate to performance. If you are looking for pure security information, try Practical Unix and Internet Security, by Simpson Garfinkel and Gene Spafford (O’Reilly Media).
HTTPS and SSL
Secure HTTP (HTTPS) uses ordinary HTTP over the Secure Socket Layer (SSL) protocol on port 443 by default. SSL encrypts all traffic, so you can be confident that your content will not be intelligible to anyone snooping Internet packets. In fact, even the HTTP headers and all images will be encrypted. You might think that you can save some server CPU power by not encrypting images (that is, putting links to a non-SSL image server). However, browsers do not allow unencrypted images on SSL protected pages.
HTTPS uses public-key encryption just long enough to exchange keys, and then it switches to private-key encryption for better performance. The private keys will be cached by both the client and server so that additional connections to the same site will be faster, at least until the entry expires from the connection cache. Netscape ...
Get Web Performance Tuning, 2nd Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.