On Mon, Nov 4, 2013 at 1:45 PM, Ethan Gruber <[log in to unmask]> wrote: > NSA broke it already SSL was born into lossage. After Netscape decided to go it alone, the first version they came back with used RC4... with the same symmetric key in both directions... At EIT I did a Proof of Concept attack using the initial lack of binding between DNS name and X.500 certificate (this was funded on the DARPA MADE project grant). All this was done at a time when the guestimate of a ~1 Public Key Operation per second. On a late 2011 macbook pro ( Intel(R) Core(TM) i7-2760QM CPU @ 2.40GHz ) openssl speed -multi 8 rsa2048 gives a throughput of 3124.2 signatures.second, and 97561.0 verifications. For Symmetric AES, the same hardware gives the throughput listed below. The 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-128 cbc 427093.88k 451648.30k 460755.99k 462780.42k 459068.76k aes-192 cbc 352143.17k 368399.83k 370499.48k 371674.11k 371816.40k aes-256 cbc 299224.85k 309780.08k 301863.34k 286403.36k 286261.25k In other words: the cpu cost ain't not thang. There is an recurrent cost for a server certificate, but I'm sure that this could be obtained from the usual suspects (Mellon, OCLC, Kilgour, or Stanford). Somebody has to responsible for renewing certificates before they expire (same sort of work as making sure the DNS domains don't expire). Simon