[Privoxy-users] Elliptic Curve Keys for HTTPS Inspection, Code Review Request

Steven Smith steve.t.smith at gmail.com
Sat Nov 20 16:11:47 UTC 2021


On our LAN we observe that Privoxy with HTTPS Inspection slows browsing down considerably, especially on complex web pages. This affects performance enough to cause users to want to turn off the proxy. I see using a process monitor that privoxy is using many seconds of multi-core server resources to accomplish HTTPS Inspection for complex web pages.

One factor in this may be Privoxy’s default use of 2048-bit RSA keys. In contrast, elliptic curves provide much greater efficiency and security per key length. I hypothesize that could have a noticeable impact on Privoxy performance, which must generate and encrypt/decrypt with lots of certificates on-the-fly.

I implemented EC keys (P-384 curve) for Privoxy to test for possible speedup, and although I haven't done comprehensive benchmarks, anecdotally I observe that performance is roughly twice as fast on a 6-core i7 server. This appears to be more-or-less consistent with published comparisons of RSA vs. ECC encryption times, with the caveat that there is no detailed timing analysis here that accounts for RSA decryption from the destination server, rule processing and filtering, and so forth.

I've added EC keys as an optional variant to the MacPorts privoxy port. I’d appreciate any comments about the patches used to implement EC in this PR.

I’d also suggest consideration and discussion of providing EC keys as an optional variant to Privoxy.

Please see:

https://github.com/macports/macports-ports/pull/13054
https://sourceforge.net/p/ijbswa/bugs/933/
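
A small way to measure the cost the post hypothesizes about, added here as an example and not part of the original message, the linked patches, or Privoxy's code. It uses Go's standard library rather than Privoxy's TLS code, and it assumes a self-signed certificate and the constructed host name `www.example.test` to stay short; `mintCert` is a hypothetical helper name.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mintCert times one key generation plus one certificate signature for host.
func mintCert(kind, host string) (*x509.Certificate, time.Duration, error) {
	var key crypto.Signer
	var err error
	start := time.Now()
	if kind == "rsa" {
		key, err = rsa.GenerateKey(rand.Reader, 2048) // RSA-2048, the default named in the post
	} else {
		key, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader) // P-384, the curve the post tested
	}
	if err != nil {
		return nil, 0, err
	}
	tmpl := &x509.Certificate{ // used as its own issuer below (self-signed, an assumption)
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed serial
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, 0, err
	}
	elapsed := time.Since(start)
	cert, err := x509.ParseCertificate(der)
	return cert, elapsed, err
}

func main() {
	for _, kind := range []string{"rsa", "ec"} {
		_, took, err := mintCert(kind, "www.example.test")
		fmt.Println(kind, took, err)
	}
}
```

RSA key generation time varies from run to run because it depends on a random prime search, so repeat the measurement several times before comparing the two key types.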

