If you haven’t heard of Firesheep yet, I’ll let you go read those details for a bit. When you come back, I want to talk about why SSL is generally not used in these situations – the title gives a hint – it’s all about economics.

SSL is still quite expensive in terms of computing power. Sure, not for your computer when you’re browsing, but for a server handling thousands if not millions of requests per second? That’s a lot of CPU (and RAM) dedicated to just SSL, not counting whatever service the server is actually providing. There are hardware SSL accelerators, but they are also fairly limited: this one claims up to 14,000 transactions per second. What is Twitter’s estimated usage? I’m not sure and can’t find out, but with an estimated 14 million users in 2009, I’m guessing it’s pretty high.

Now, imagine computers handling over 14 million HTTPS transactions (even spread over one day) – that’s a lot of transactions. It would be a lot of transactions even without SSL, but SSL adds computational and bandwidth overhead, and those are things these companies are paying for. Bandwidth is generally charged as a fixed fee for a certain amount, and then at a per-bit rate beyond that.

By reducing the number of SSL sessions, they’re reducing bandwidth – and thus costs. They are also reducing the computational power needed for each of those sessions.

Should they offer SSL? Of course! Should people take advantage of it? I think so. Should they be villainized for thinking about their bottom line? Not more than any other company. But when you’ve got a user base that is basically paying nothing and wanting them to spend significant amounts of money on infrastructure costs, it’s not exactly fair.