Maximizing Performance
with SPDY & SSL
Billy Hoffman
billy@zoompf.com @zoompf
What is SPDY?
Massive Browser Support
Massive Server Support
Cast of Characters
• TCP
• HTTP
• SSL
• X.509 Certificate
• Cryptography (asymmetric & symmetric)
• SPDY
HTTP/HTTPS
HTTP/SPDY/SSL Sandwich
• SPDY encapsulates HTTP requests
– Single Multiplexed stream
• Transmits contents over SSL channel
Today’s Focus
• Setting the Stage for SPDY
– Can speak SSL with a server
– Can create a valid SSL connection
– Client and Server agree to use SPDY
• Optimizing SPDY
– Optimizing SSL
– Optimizing SPDY
– Avoiding optimizations that hurt SPDY
• Tools to help
SETTING THE STAGE FOR SPDY
SSL Connectivity
• Hostname resolves
• IP is reachable
• Web server is listening on SSL port
• Web server understands SSL
• Web server knows which site you want
– Shared Hosting and SNI
Listener on 443 is speaking SSL?
Creating a Valid SSL connection
• Agreement on crypto algorithms
• X.509 certificate is valid
X.509 Cert: Correct Domain?
X.509 Cert: Valid Time Period?
X.509 Cert: Is it Trusted?
• Do I trust the issuer?
– If not, was it signed by someone I trust?
• Has it been revoked?
– CRL lists
– Online Certificate Status Protocol (OCSP)
Agreeing to Use SPDY
• Client tells server it supports SPDY
• Server tells client it supports SPDY
• Client sends SPDY over SSL
• Else, falls back to HTTP over SSL
SSL Handshake
[Handshake diagram from Microsoft Technet, How TLS/SSL Works: http://bit.ly/16Zx0en]
Announcing SPDY support in the SSL Handshake
[Same handshake diagram, annotated: ClientHello carries TLS extension 13172 (NPN) or ALPN, and ServerHello answers with its NPN/ALPN protocol list]
ClientHello with Extension 13172
ServerHello with NPN
Review: Speaking SPDY
• Client resolves and connects to SSL port
• Client announces SPDY support inside ClientHello
• Server announces SPDY support in ServerHello
• Client validates X.509 cert, finalizes SSL connection
• SPDY conversation happens
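An added example, not from the deck, that walks the exchange of slides 17 to 22 in code: it parses the extensions block of a ServerHello, pulls the protocol list out of the NPN extension (type 13172, as on the slide) or the ALPN extension (type 16, RFC 7301), and applies the client's rule: SPDY if the server announced it, else HTTP/1.1 over the same SSL connection. The hello blocks are constructed samples, not captured traffic.

```python
import struct

NPN_EXT = 13172   # next_protocol_negotiation, the extension number on the slide
ALPN_EXT = 16     # application_layer_protocol_negotiation (RFC 7301)

SPDY_PREFERENCE = ("spdy/3.1", "spdy/3", "spdy/2")   # client's order of preference
FALLBACK = "http/1.1"                               # slide 17: "else, falls back"


def parse_extensions(block):
    """Split a TLS extensions block (2-byte total length, then entries of
    type:2 length:2 data) into a dict {extension type: data}."""
    if len(block) < 2:
        raise ValueError("truncated extensions block")
    (total,) = struct.unpack("!H", block[:2])
    body = block[2:2 + total]
    if len(body) != total:
        raise ValueError("extensions length exceeds available bytes")
    exts, pos = {}, 0
    while pos < len(body):
        if pos + 4 > len(body):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension data")
        exts[ext_type] = data
        pos += 4 + ext_len
    return exts


def parse_name_list(data):
    """Decode consecutive 1-byte length-prefixed protocol names."""
    names, pos = [], 0
    while pos < len(data):
        n = data[pos]
        name = data[pos + 1:pos + 1 + n]
        if n == 0 or len(name) != n:
            raise ValueError("malformed protocol name")
        names.append(name.decode("ascii"))
        pos += 1 + n
    return names


def client_offers_npn(exts):
    """In a ClientHello the NPN extension carries no data; its presence is
    the client saying it can negotiate a next protocol."""
    return NPN_EXT in exts


def server_protocols(exts):
    """Protocols the server announced in its ServerHello."""
    if NPN_EXT in exts:
        return parse_name_list(exts[NPN_EXT])          # names follow directly
    if ALPN_EXT in exts:
        data = exts[ALPN_EXT]                           # 2-byte list length first
        (n,) = struct.unpack("!H", data[:2])
        return parse_name_list(data[2:2 + n])
    return []


def choose_protocol(announced):
    """Client side of slide 17: take SPDY when the server offers it,
    otherwise HTTP/1.1 over the same SSL connection."""
    for proto in SPDY_PREFERENCE:
        if proto in announced:
            return proto
    return FALLBACK


def encode_name_list(names):
    return b"".join(bytes([len(n)]) + n.encode("ascii") for n in names)


def build_extensions(entries):
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in entries)
    return struct.pack("!H", len(body)) + body


# Constructed sample extension blocks (not captured traffic).
RENEG_INFO = (0xff01, b"\x00")     # renegotiation_info, present on most hellos
CLIENTHELLO_NPN = build_extensions([RENEG_INFO, (NPN_EXT, b"")])
SERVERHELLO_SPDY = build_extensions([
    RENEG_INFO, (NPN_EXT, encode_name_list(["spdy/3", "spdy/2", "http/1.1"]))])
SERVERHELLO_HTTP_ONLY = build_extensions([     # SSL + NPN, but HTTP/1.1 only
    RENEG_INFO, (NPN_EXT, encode_name_list(["http/1.1"]))])
_ALPN_NAMES = encode_name_list(["spdy/3.1", "http/1.1"])
SERVERHELLO_ALPN = build_extensions([
    (ALPN_EXT, struct.pack("!H", len(_ALPN_NAMES)) + _ALPN_NAMES)])
SERVERHELLO_PLAIN = build_extensions([RENEG_INFO])   # no NPN/ALPN at all

if __name__ == "__main__":
    for label, hello in (("spdy", SERVERHELLO_SPDY), ("http-only", SERVERHELLO_HTTP_ONLY),
                         ("alpn", SERVERHELLO_ALPN), ("plain", SERVERHELLO_PLAIN)):
        offered = server_protocols(parse_extensions(hello))
        print(label, offered, "->", choose_protocol(offered))
```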
OPTIMIZING SSL/SPDY
The SSL Tarpits
• SSL handshake requires 2 round trips
• Certificates can be large
• Certificates need to be validated
• Keys can be too large
• Algorithms can be slow
The SSL Handshake is Costly!
Resume SSL Session
• Avoid regenerating keys
• Avoid unneeded trips
• 2 methods
Session Identifiers
• Both sides keep state/cache
• Reuse based on id
• Widely supported
[Handshake diagram, same Microsoft Technet source, annotated: the server hands out sessionid: 3a8a… and keeps a big cache of all ids given out with the associated keys/ciphers]
Session Tickets
• Client stores “Magic Ticket”
• RFC 5077, optional
• No IIS support
[Handshake diagram, same Microsoft Technet source, annotated: the ticket is an encrypted summary of keys/ciphers, signed by the server; on resumption the server verifies the summary is valid and uses its values]
SSL False Start
False Start: Not Gone
• “The Failure of False Start”
• Chrome still does it!
– Desktop and mobile
• Any server that supports NPN! (with forward secrecy)
– Any server with SPDY support…
– Or SSL + NPN, but only announces HTTP/1.1!
Minimize the Certificate Chain
OCSP Validation causes delays
OCSP Stapling
• Good in theory, bad in practice
• Browsers are moving away from OCSP
Oversized Asymmetric Keys
• 1024 is fine
• 2048 for banks
• Anything more is overkill
Cipher Order/Choice Matters
• RC4 is the best
• Unless on a machine with AES-NI
– Intel i7, Xeons, some AMD
– Not most virtual machines!!!
• First match wins
http://zombe.es/post/4078724716
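An added example (not from the deck) that encodes slide 35's ordering rule: a server cipher list that puts RC4 first unless /proc/cpuinfo shows the aes flag, and a first-match negotiation that shows why honouring the server's order matters. The cpuinfo fragments and the browser's offer are constructed samples; the suite names are OpenSSL's.

```python
# Server cipher lists in OpenSSL notation, in the order the deck recommends
# (slide 35): RC4 first, unless the CPU has AES-NI, then AES-128 first.
RC4_FIRST = ["RC4-SHA", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"]
AESNI_FIRST = ["AES128-SHA", "RC4-SHA", "AES256-SHA", "DES-CBC3-SHA"]


def cpu_has_aesni(cpuinfo_text):
    """True when the 'aes' flag is present in a /proc/cpuinfo 'flags' line.
    Many hypervisors hide the flag from guests, which is the slide's
    'not most virtual machines' caveat: the guest then sees no AES-NI."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return "aes" in line.split(":", 1)[1].split()
    return False


def read_cpuinfo(path="/proc/cpuinfo"):
    """Read the host's cpuinfo; empty string on non-Linux systems."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return ""


def server_cipher_list(cpuinfo_text):
    """Pick the list the deck's rule prescribes for this CPU."""
    return AESNI_FIRST if cpu_has_aesni(cpuinfo_text) else RC4_FIRST


def negotiate(server_list, client_list, honor_server_order=True):
    """First match wins.  With honor_server_order (nginx's
    ssl_prefer_server_ciphers, Apache's SSLHonorCipherOrder) the server's
    list is walked; otherwise the client's order decides the outcome."""
    first, second = ((server_list, client_list) if honor_server_order
                     else (client_list, server_list))
    for suite in first:
        if suite in second:
            return suite
    return None


# Constructed cpuinfo fragments and a constructed browser offer (the
# browser lists AES-256 first, which the deck calls accidental overkill).
CPUINFO_AESNI = "model name : Intel(R) Xeon(R)\nflags : fpu sse2 aes avx\n"
CPUINFO_VM = "model name : QEMU Virtual CPU\nflags : fpu sse2\n"
BROWSER_OFFER = ["AES256-SHA", "AES128-SHA", "RC4-SHA", "DES-CBC3-SHA"]

if __name__ == "__main__":
    chosen = negotiate(server_cipher_list(read_cpuinfo()), BROWSER_OFFER)
    print("this host would negotiate:", chosen)
```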
Is SSL really helping you?
• SSL doesn’t “secure” your website
– Prevents eavesdropping, tampering
– Not XSS, CSRF, SQL Injection, unpatched/out-of-date software, RCE, LFI, etc.
• Consider: NULL-MD5, NULL-SHA
• SSL with no encryption
“Does this really matter?”
• Seriously?
• 1024 more bytes in key?
• 2 more kilobytes in the X.509 cert?
• Accidentally using AES-256?
• Really?
SPDY Optimization
• SPDY only works over SSL
• Ensure that all your traffic is over SSL
• HTTP 301 redirect for http: to https:
– Add a cache-control header!
• HTTP Strict Transport Security (HSTS)
– Like the browser’s cache, but for protocol access; set a (semi) far-future max-age
– Wide support (>90% of SPDY-capable browsers)
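An added example, not part of the deck, implementing the two SPDY-optimization items above: a cached 301 from http: to https: and an HSTS header sent only on HTTPS, plus an audit function that checks a pair of observed responses against the same rules. The host, paths and the two "bad" responses are constructed for illustration.

```python
import re
from wsgiref.simple_server import make_server

HSTS_MAX_AGE = 365 * 24 * 3600       # one year: a "(semi) far future" lifetime
REDIRECT_MAX_AGE = 30 * 24 * 3600    # how long a browser may remember the 301


def plan_response(scheme, host, path, app_headers=None):
    """Return (status, headers) for one request, given the scheme the client
    used.  Plain HTTP gets a cacheable permanent redirect; HTTPS gets the
    application's own headers plus HSTS."""
    if scheme != "https":
        return "301 Moved Permanently", {
            "Location": "https://%s%s" % (host, path),
            # Explicit lifetime, so the browser does not re-fetch the redirect.
            "Cache-Control": "public, max-age=%d" % REDIRECT_MAX_AGE,
            "Content-Length": "0",
        }
    headers = dict(app_headers or {})
    # Browsers only honour HSTS received over TLS (RFC 6797), so the header
    # goes on the HTTPS response and is pointless on the redirect above.
    headers["Strict-Transport-Security"] = "max-age=%d" % HSTS_MAX_AGE
    return "200 OK", headers


def _max_age(header_value):
    """max-age= from a Cache-Control (comma separated) or HSTS (semicolon
    separated) value; None when absent or unparsable."""
    for part in re.split(r"[;,]", header_value or ""):
        part = part.strip()
        if part.lower().startswith("max-age="):
            try:
                return int(part[len("max-age="):])
            except ValueError:
                return None
    return None


def audit(http_response, https_response, min_hsts=HSTS_MAX_AGE // 2):
    """Check the checklist items 'HTTP permanently (301) redirects to HTTPS
    (including cache header)' and 'HTTPS sends HSTS header' against the
    (status, headers) pairs seen on http:// and https://."""
    failures = []
    status, headers = http_response
    if not status.startswith("301") or not headers.get("Location", "").startswith("https://"):
        failures.append("http: does not 301 to https:")
    if _max_age(headers.get("Cache-Control")) is None:
        failures.append("redirect carries no cache lifetime")
    status, headers = https_response
    hsts = _max_age(headers.get("Strict-Transport-Security"))
    if hsts is None or hsts < min_hsts:
        failures.append("https: has no far-future HSTS header")
    return failures


def app(environ, start_response):
    """Minimal WSGI front door applying plan_response to each request."""
    status, headers = plan_response(environ.get("wsgi.url_scheme", "http"),
                                    environ.get("HTTP_HOST", "localhost"),
                                    environ.get("PATH_INFO", "/"),
                                    {"Content-Type": "text/plain"})
    start_response(status, list(headers.items()))
    return [b"served over SSL\n"] if status.startswith("200") else [b""]


# Constructed responses: one pair produced by plan_response, one pair
# showing a common misconfiguration (302, no cache header, 60-second HSTS).
GOOD_HTTP = plan_response("http", "www.example.com", "/login")
GOOD_HTTPS = plan_response("https", "www.example.com", "/login", {"Content-Type": "text/html"})
BAD_HTTP = ("302 Found", {"Location": "https://www.example.com/login"})
BAD_HTTPS = ("200 OK", {"Strict-Transport-Security": "max-age=60"})

if __name__ == "__main__":
    print("good pair:", audit(GOOD_HTTP, GOOD_HTTPS) or "all checks pass")
    print("bad pair:", audit(BAD_HTTP, BAD_HTTPS))
    make_server("127.0.0.1", 8080, app).serve_forever()
```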
Avoid These Optimizations
• Domain Sharding
– A hack to get request multiplexing; not needed with SPDY
– Hurts SPDY by spreading requests out
• JavaScript CDNs
– These are a horrible blight on the web!
– http://statichtml.com/2011/google-ajax-libraries-caching.html
– https://github.com/h5bp/html5-boilerplate/pull/1327
TOOLS
SSL Labs
SPDYCheck.org
Now on Github, GPL licensed!
SSL/SPDY Optimization Check List
• Website responds over SSL/443
• Website has NPN extension (even without SPDY, for False Start)
• X.509 certificate is valid
• X.509 chain is short
• SSL Asymmetric keys are <= 2048
• Cipher is RC4 (or AES-128 if the CPU supports dedicated instructions)
SSL/SPDY Optimization Check List
• SSL session resumption is enabled (both identifiers and tickets)
• No SSL compression
• Website is using latest version of SPDY
• HTTP permanently (301) redirects to HTTPS (including cache header)
• HTTPS sends HTTP Strict Transport Security header
Great Resources
• Ivan Ristic (blog.ivanristic.com)
• Adam Langley (www.imperialviolet.org)
• Mark Nottingham (www.mnot.net/blog/)
• Qualys SSL Labs (ssllabs.com)
• SPDYCheck (spdycheck.org)
Free Performance Assessment
zoompf.com/free
