Out of curiosity, does anyone know how much traffic I'd have to hit before my "$20 SSL certificate" started being a chokepoint and bottleneck? If I were able to hit stackoverflow levels of traffic, I'm sure I'd be able to figure out a way to afford it (although maybe even they haven't yet), but I'm curious at lower levels of traffic if I should still worry.
The price of the certificate is irrelevant. The issue is that encryption and decryption eats CPU cycles, so running all traffic via HTTPS on a busy site is going to require significantly more processing power.
"In order to do this we had to deploy no additional machines and no special hardware. On our production front-end machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that."
I realize that. I'm asking how much traffic can be handled by a simple single server before it starts dying due to SSL CPU cycles.
I do realize now that my question is too simplistic and obviously varies according to the nature of the application, server config, etc. So won't expect any answers for it. :)
Definitely a question I can't answer. Although these days SSL is rarely implemented on each individual server. Instead, load balancers handle SSL and traffic is passed unencrypted to the backend servers doing the real work (presumably at this point, you're on a secure network). Many hardware load balancers even have specialized chips for handling SSL.
Just a guess but if you are running your site on a single server you're going to hit other bottlenecks in things such as your application code or database, your http server, or disk contention, or RAM starvation, before SSL encryption becomes the overriding one.
Out of curiosity, does anyone know how much traffic I'd have to hit before my "$20 SSL certificate" started being a chokepoint and bottleneck? If I were able to hit stackoverflow levels of traffic, I'm sure I'd be able to figure out a way to afford it (although maybe even they haven't yet), but I'm curious at lower levels of traffic if I should still worry.