On Mon, Oct 21, 2002 at 03:37:33PM +0100, David Howe wrote:
> at Monday, October 21, 2002 3:14 PM, Trei, Peter <ptrei@rsasecurity.com> was seen to say:
>> I'd be nervous about availability with centralized servers, even if they are "triple redundant with two sites". DDOS attacks, infrastructure (backhoe) attacks, etc, could all wreak havoc.
>
> Indeed so, yes. I suspect (if it ever takes off) that they will have to scale their server setup in pace with the demand, but to be honest I think 600/sec is probably quite a high load for actual payments - we aren't talking logins or web queries, but actual real-money-payment requests.
Looking at their web site, they seem pretty generic about what it's for, but I did not see any mention of using it for payments. So I assume it's for logins. They do say that their servers are "benchmarked at 300 transactions/sec". That's pretty darn slow for single DES.

There would have to be an authenticated and probably encrypted session between the server accepting the login (or the merchant, if it really does payments) and the back end. But even using SSL/TLS, which would be more than is required but an easy component to plug in, they ought to be able to get at least a true 1000 sessions/sec using one of the current SSL accelerators out there. Maybe they have a bunch of slow database lookups? Perhaps there is a long RTT for the check against the CIA blacklist?

If it is for logins, how many sites would be willing to let someone else know when their employees log in? That could be useful competitive intelligence.

Eric