Maximizing Performance with SPDY & SSL
(June 2014)
Billy Hoffman
billy@zoompf.com @zoompf
What Is SPDY?
• “Speedy”
• Next Gen Web Protocol
– Created by Google in 2009
– Basis of HTTP/2 spec
• Designed for speed
• Familiar Request/Response model
– Largely abstracted away
– Much improved plumbing
– Extra features
Massive Browser Support
Massive Server Support
Cast of Characters
• TCP
• HTTP
• SSL
• X.509 Certificate
• Cryptography (asymmetric & symmetric)
• SPDY
HTTP/HTTPS
HTTP/SPDY/SSL Sandwich
• SPDY encapsulates HTTP requests
– Single Multiplexed stream
• Transmits contents over SSL channel
Mapping To Frames
Breaking To Streams
Multiplexing Streams
HTTP Pipelining Revisited
Additional Features
• Server Push!
• Header Compression
• Body Compression
• Better use of TCP connections
• Better upgrade approach
Today’s Focus
• Setting the Stage for SPDY
– Can speak SSL with a server
– Can create a valid SSL connection
– Client and Server agree to use SPDY
• Optimizing SPDY
– Optimizing SSL
– Optimizing SPDY
– Avoiding optimizations that hurt SPDY
• Tools to help
SETTING THE STAGE FOR SPDY
SSL Connectivity
• Hostname resolves
• IP is reachable
• Web server is listening on SSL port
• Web server understands SSL
• Web server knows which site you want
– Shared Hosting and SNI
Listener on 443 is speaking SSL?
Creating a Valid SSL connection
• Agreement on crypto algorithms
• X.509 certificate is valid
X.509 Cert: Correct Domain?
X.509 Cert: Valid Time Period?
X.509 Cert: Is it Trusted?
X.509 Cert: Is it Trusted?
• Do I trust the issuer?
– If not, was it signed by someone I trust?
• Has it been revoked?
– CRL lists
– Online Certificate Status Protocol (OCSP)
Agreeing to Use SPDY
• Client tells server it supports SPDY
• Server tells client it supports SPDY
• Client sends SPDY over SSL
• Else, falls back to HTTP over SSL
SSL Handshake
Microsoft Technet: How TLS/SSL Works
http://bit.ly/16Zx0en
Announcing SPDY support in the SSL Handshake
Microsoft Technet: How TLS/SSL Works
http://bit.ly/16Zx0en
(Diagram annotation: Ext:13172/ALPN added to the ClientHello; NPN/ALPN announced in the ServerHello.)
ClientHello with Extension 13172
ServerHello with NPN
Review: Speaking SPDY
• Client resolves and connects to SSL port
• Client announces SPDY support inside
ClientHello
• Server announces SPDY support in
ServerHello
• Client validates X.509 cert, finalized SSL
connection
• SPDY conversation happens
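The slides above describe the two things a server needs from the ClientHello before SPDY can happen: the SNI extension (so a shared host knows which site you want) and the NPN (extension 13172) or ALPN extension carrying the client's protocol list. The Python below is an added example, not code from the deck or from Zoompf: it builds a minimal TLS 1.2 ClientHello with those extensions and parses it back, with bounds checks so a truncated record is rejected rather than mis-read. The hostname and protocol names are constructed sample values.

```python
import struct

# TLS extension type numbers from the IANA registry.
EXT_SERVER_NAME = 0      # SNI: which site the client wants (shared hosting)
EXT_ALPN = 16            # ALPN: protocols the client speaks, e.g. spdy/3.1
EXT_NPN = 13172          # NPN, the pre-ALPN mechanism SPDY-era browsers used; empty in ClientHello


def _u8(n):  return struct.pack("!B", n)
def _u16(n): return struct.pack("!H", n)
def _u24(n): return struct.pack("!I", n)[1:]


def build_client_hello(sni, alpn_protocols, announce_npn=True):
    """Construct a minimal TLS 1.2 ClientHello record (sample data, not a capture)."""
    name = sni.encode("ascii")
    entry = _u8(0) + _u16(len(name)) + name                  # name_type 0 = host_name
    exts = _u16(EXT_SERVER_NAME) + _u16(len(entry) + 2) + _u16(len(entry)) + entry
    if announce_npn:
        exts += _u16(EXT_NPN) + _u16(0)                      # NPN has no data in ClientHello
    if alpn_protocols:
        plist = b"".join(_u8(len(p)) + p.encode("ascii") for p in alpn_protocols)
        exts += _u16(EXT_ALPN) + _u16(len(plist) + 2) + _u16(len(plist)) + plist
    body = (
        b"\x03\x03"                 # client_version TLS 1.2
        + bytes(32)                 # random (zeros: sample only)
        + _u8(0)                    # empty session_id: full handshake
        + _u16(2) + b"\xc0\x2f"     # one cipher suite: ECDHE-RSA-AES128-GCM-SHA256
        + _u8(1) + b"\x00"          # compression methods: null only
        + _u16(len(exts)) + exts
    )
    handshake = b"\x01" + _u24(len(body)) + body             # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake  # record type 0x16 = handshake


class _Reader:
    """Cursor over a byte string that refuses to read past the end."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk
    def u8(self):  return self.take(1)[0]
    def u16(self): return struct.unpack("!H", self.take(2))[0]
    def u24(self): return struct.unpack("!I", b"\x00" + self.take(3))[0]
    def done(self): return self.pos == len(self.data)


def parse_client_hello(record):
    """Return the SNI host, ALPN list and whether NPN was offered, or raise ValueError."""
    r = _Reader(record)
    if r.u8() != 0x16:
        raise ValueError("not a TLS handshake record")
    r.take(2)                                  # record-layer version
    r = _Reader(r.take(r.u16()))               # the handshake message
    if r.u8() != 0x01:
        raise ValueError("not a ClientHello")
    r = _Reader(r.take(r.u24()))               # ClientHello body
    r.take(2); r.take(32)                      # version, random
    r.take(r.u8())                             # session_id
    r.take(r.u16())                            # cipher_suites
    r.take(r.u8())                             # compression_methods
    result = {"sni": None, "alpn": [], "npn": False}
    if r.done():
        return result                          # no extensions at all
    exts = _Reader(r.take(r.u16()))
    while not exts.done():
        etype = exts.u16()
        edata = _Reader(exts.take(exts.u16()))  # unknown types are skipped here
        if etype == EXT_SERVER_NAME:
            names = _Reader(edata.take(edata.u16()))
            while not names.done():
                ntype, host = names.u8(), names.take(names.u16())
                if ntype == 0:
                    result["sni"] = host.decode("ascii")
        elif etype == EXT_ALPN:
            plist = _Reader(edata.take(edata.u16()))
            while not plist.done():
                result["alpn"].append(plist.take(plist.u8()).decode("ascii"))
        elif etype == EXT_NPN:
            result["npn"] = True
    return result


def offers_spdy(info):
    """True when the client can end up speaking SPDY: an spdy/* ALPN entry or an NPN offer."""
    return info["npn"] or any(p.startswith("spdy/") for p in info["alpn"])
```

The parser deliberately reads each length-prefixed vector through its own bounded cursor, so a length field that claims more bytes than the record carries fails fast instead of indexing into the next field.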
OPTIMIZING SSL/SPDY
The SSL Tarpits
• SSL handshake requires 2 round trips
• Certificates can be large
• Certificates need to be validated
• Keys can be too large
• Algorithms can be slow
• Revocation
The SSL Handshake is Costly!
Microsoft Technet: How TLS/SSL Works
http://bit.ly/16Zx0en
Resume SSL Session
• Avoid regenerating keys
• Avoid unneeded trips
• 2 methods
Microsoft Technet: How TLS/SSL Works
http://bit.ly/16Zx0en
Session Identifiers
• Both sides keep state/cache
• Reuse based on id
• Widely supported
Microsoft Technet: How TLS/SSL Works
http://bit.ly/16Zx0en
(Diagram: client presents “sessionid: 3a8a…”; server keeps a big cache of all ids given out and the associated keys/ciphers.)
Session Tickets
• Client stores “Magic Ticket”
• RFC 5077, optional
• No IIS support
Microsoft Technet: How TLS/SSL Works
http://bit.ly/16Zx0en
(Diagram: server hands out an encrypted summary of keys/ciphers, signed by the server; on resumption it verifies the summary is valid and uses its values.)
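The two resumption methods above differ in where the state lives: with session identifiers the server keeps a cache of every id it issued, with RFC 5077 tickets the server keeps only its keys and the client carries an encrypted, authenticated summary. The Python below is an added example (not the deck's or Zoompf's code) that models both, including expiry and rejection of a tampered ticket. The session state and keys are constructed dummies, and the keystream is an HMAC-based stand-in for the AES-CBC + HMAC construction a real ticket uses.

```python
import hashlib
import hmac
import json
import os
import struct
import time

# Constructed sample of what a server must retain to resume without a new key exchange.
SAMPLE_STATE = {"cipher": "ECDHE-RSA-AES128-GCM-SHA256", "master_secret": "ab" * 48}
SESSION_LIFETIME = 24 * 3600   # seconds; an assumption for this example


class SessionIdCache:
    """Session identifiers: the server remembers every id it handed out."""
    def __init__(self, lifetime=SESSION_LIFETIME):
        self.lifetime = lifetime
        self.entries = {}               # session_id -> (expiry, state); this is the "big cache"

    def issue(self, state, now=None):
        now = time.time() if now is None else now
        session_id = os.urandom(32)
        self.entries[session_id] = (now + self.lifetime, dict(state))
        return session_id

    def lookup(self, session_id, now=None):
        now = time.time() if now is None else now
        entry = self.entries.get(session_id)
        if entry is None or entry[0] < now:
            self.entries.pop(session_id, None)   # expired or unknown: force a full handshake
            return None
        return entry[1]


def _keystream(key, nonce, length):
    """Illustrative keystream HMAC-SHA256(key, nonce || counter); real tickets use AES-CBC + HMAC."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


class TicketIssuer:
    """Session tickets (RFC 5077): the state travels with the client, the server keeps only keys."""
    def __init__(self, enc_key=None, mac_key=None, lifetime=SESSION_LIFETIME):
        self.enc_key = enc_key or os.urandom(32)
        self.mac_key = mac_key or os.urandom(32)
        self.lifetime = lifetime

    def issue(self, state, now=None):
        now = time.time() if now is None else now
        plaintext = json.dumps({"exp": now + self.lifetime, "state": state}).encode()
        nonce = os.urandom(16)
        ciphertext = _xor(plaintext, _keystream(self.enc_key, nonce, len(plaintext)))
        tag = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        return nonce + ciphertext + tag        # opaque blob the client stores and replays

    def verify(self, ticket, now=None):
        now = time.time() if now is None else now
        if len(ticket) < 16 + 32:
            return None
        nonce, ciphertext, tag = ticket[:16], ticket[16:-32], ticket[-32:]
        expected = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # authenticate before decrypting or parsing
            return None
        plaintext = _xor(ciphertext, _keystream(self.enc_key, nonce, len(ciphertext)))
        body = json.loads(plaintext)
        if body["exp"] < now:
            return None
        return body["state"]
```

The ticket path is what lets a server farm resume sessions without a shared cache: any node holding the same `enc_key`/`mac_key` pair can verify a ticket issued by another node, which is also why rotating those keys on a schedule matters for forward secrecy.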
SSL False Start
False Start: Not Gone
• “The Failure of False Start”
• Chrome still does it!
– Desktop and mobile
• Any server that supports NPN! (with forward secrecy)
– Any server with SPDY support…
– Or SSL + NPN, but only announces HTTP/1.1!
Minimize the Certificate Chain
OCSP Validation causes delays
OCSP Stapling
• Good in theory, bad in practice
• Browsers are moving away from OCSP
Heartbleed Ruined The Dream
• OCSP doesn’t scale
• DoS targets
• We can’t do this well
Oversized Asymmetric Keys
• 1024 is fine
• 2048 for banks
• Anything more is overkill
Cipher Order/Choice Matters
• RC4 is the best
• Unless on a machine with AES-NI
– Intel i7, Xeons, some AMD
– Not most virtual machines!!!
• First match wins
http://zombe.es/post/4078724716
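“First match wins” means the negotiated suite is the first entry in whichever side's preference list is honoured that the other side also offers, so the server's list order, and whether the server enforces it at all, decides the outcome. The Python below is an added example, not from the deck: it implements that selection, shows how the same client offer lands on different suites under each policy, and checks the CPU flag that tells you whether AES-NI is present (the deck's point about virtual machines). The suite lists are constructed samples using the families the deck discusses; the deck's RC4-first advice dates from 2014 and RC4 has since been prohibited for TLS by RFC 7465, so it appears here only as input data.

```python
# Constructed preference lists (OpenSSL suite names), not a recommendation.
SERVER_AES_NI = ["AES128-GCM-SHA256", "AES128-SHA", "RC4-SHA"]
SERVER_NO_AES_NI = ["RC4-SHA", "AES128-SHA", "AES128-GCM-SHA256"]   # the deck's 2014 ordering
CLIENT_OFFER = ["AES256-SHA", "RC4-SHA", "AES128-SHA"]


def select_cipher(server_order, client_order, honor_server_order=True):
    """Return the first suite in the honoured list that the other side also offers.

    honor_server_order=True mirrors nginx's ssl_prefer_server_ciphers on: the server's
    ranking decides.  With it off, the client's ranking decides instead.
    """
    preferred, other = (server_order, client_order) if honor_server_order else (client_order, server_order)
    offered = set(other)
    for suite in preferred:
        if suite in offered:
            return suite
    return None                      # no common suite: handshake failure


def has_aes_ni(cpuinfo_path="/proc/cpuinfo"):
    """Linux check for the AES-NI flag; returns False where the file is absent (other OSes)."""
    try:
        with open(cpuinfo_path) as f:
            for line in f:
                if line.startswith("flags"):
                    return "aes" in line.split(":", 1)[1].split()
    except OSError:
        pass
    return False


def server_list_for_host(aes_ni=None):
    """Pick the server-side list by hardware capability, as the deck advises."""
    aes_ni = has_aes_ni() if aes_ni is None else aes_ni
    return SERVER_AES_NI if aes_ni else SERVER_NO_AES_NI
```

Running `select_cipher(SERVER_AES_NI, CLIENT_OFFER)` yields `AES128-SHA` (the client never offered the GCM suite), while dropping the server-order flag yields `RC4-SHA` because the client ranks it higher: same two lists, different cipher, which is the whole point of the slide.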
Amazon EC2
• Partnered with Intel
• Stop using M1!
Is SSL really helping you?
• SSL doesn’t “secure” your website
– Prevents eavesdropping, tampering
– Not XSS, CSRF, SQL Injection, Unpatched/out-of-date software, RCE, LFI, etc.
• Consider: NULL-MD5, NULL-SHA
• SSL with no encryption
“Does this really matter?”
• Seriously?
• 1024 more bytes in key?
• 2 more kilobytes in the X.509 cert?
• Accidentally using AES-256?
• Really?
“Does this really matter?”
SPDY Optimization
• SPDY only works over SSL
• Ensure that all your traffic is over SSL
• HTTP 301 redirect for http: to https:
– Add a cache-control header!
• HTTP Strict Transport Security (HSTS)
– Like the browser’s cache, but for protocol access. Make it (semi) far future
– Wide support (>90% of SPDY capable browsers)
Avoid These Optimizations
• Domain Sharding
– Hack to get request multiplexing, not needed
– Hurts SPDY by spreading requests out
• JavaScript CDNs
– These are a horrible blight on the web!
– http://statichtml.com/2011/google-ajax-libraries-caching.html
– https://github.com/h5bp/html5-boilerplate/pull/1327
TOOLS
SSL Labs
SPDYCheck.org
Now on Github, GPL licensed!
SSL/SPDY Optimization Check List
• Website responds over SSL/443
• Website has NPN extension (even without SPDY, for False Start)
• X.509 certificate is valid
• X.509 chain is short
• SSL Asymmetric keys are <= 2048
• Cipher is fast! (RC4, AES-128 if the CPU supports dedicated instructions)
SSL/SPDY Optimization Check List
• SSL session resumption is enabled (both identifiers and tickets)
• No SSL compression
• Website is using latest version of SPDY
• HTTP permanently (301) redirects to HTTPS (including cache header)
• HTTPS sends HTTP Strict Transport Security header
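The last two checklist items and the “SPDY Optimization” slide describe the same pair of responses: the plain-HTTP side must answer with a cacheable 301 to the HTTPS origin, and the HTTPS side must send an HSTS header with a far-future max-age. The Python below is an added example (not the deck's or Zoompf's tooling) that parses raw HTTP response heads and reports which of those requirements fail. The responses are constructed samples, and the 180-day HSTS threshold is an assumption chosen for the example, since the deck only says “(semi) far future”.

```python
import re

# Constructed sample responses; none were captured from a real site.
HTTP_RESPONSE_GOOD = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.example.com/\r\n"
    "Cache-Control: max-age=31536000\r\n\r\n"
)
HTTP_RESPONSE_BAD = (
    "HTTP/1.1 302 Found\r\n"            # temporary redirect: browsers re-check it every visit
    "Location: https://www.example.com/\r\n\r\n"   # and no Cache-Control at all
)
HTTPS_RESPONSE_GOOD = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=15552000; includeSubDomains\r\n\r\n"
)
HTTPS_RESPONSE_BAD = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

MIN_HSTS_MAX_AGE = 180 * 24 * 3600      # assumption: what "semi far future" means here


def parse_response(raw):
    """Split a raw response head into (status code, {lowercased-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def _max_age(value):
    """Extract max-age=N from a Cache-Control or HSTS value, or None if absent."""
    m = re.search(r"max-age=(\d+)", value or "", re.IGNORECASE)
    return int(m.group(1)) if m else None


def check_http_redirect(raw, host):
    """Checklist item: HTTP permanently (301) redirects to HTTPS, including a cache header."""
    status, h = parse_response(raw)
    findings = []
    if status != 301:
        findings.append(f"expected 301, got {status}")
    location = h.get("location", "")
    if not location.startswith("https://" + host):
        findings.append(f"Location does not point at https://{host}: {location!r}")
    age = _max_age(h.get("cache-control"))
    if age is None or age <= 0:
        findings.append("redirect is not cacheable: add Cache-Control: max-age=...")
    return findings


def check_hsts(raw, min_max_age=MIN_HSTS_MAX_AGE):
    """Checklist item: HTTPS sends Strict-Transport-Security with a far-future max-age."""
    status, h = parse_response(raw)
    hsts = h.get("strict-transport-security")
    if hsts is None:
        return ["missing Strict-Transport-Security header"]
    findings = []
    age = _max_age(hsts)
    if age is None:
        findings.append("HSTS header has no max-age")
    elif age < min_max_age:
        findings.append(f"HSTS max-age {age} is below {min_max_age}")
    return findings
```

An empty findings list means the response passes; each string names one concrete fix, which is the form a practitioner wants when wiring this into a deployment check.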
Great Resources
• Ivan Ristic (blog.ivanristic.com)
• Adam Langley (www.imperialviolet.org)
• Mark Nottingham (www.mnot.net/blog/)
• Qualys SSL Labs (ssllabs.com)
• SPDYCheck (spdycheck.org)
Free Performance Assessment
zoompf.com/free
Maximizing Performance
with SPDY & SSL
Billy Hoffman
billy@zoompf.com @zoompf