Billy Hoffman from Zoompf shows how to improve the performance of your website using SPDY and SSL

1. Maximizing Performance
with SPDY & SSL
Billy Hoffman
billy@zoompf.com @zoompf

2. What is SPDY?

3. Massive Browser Support

4. Massive Server Support

5. Cast of Characters
• TCP
• HTTP
• SSL
• X.509 Certificate
• Cryptography (asymmetric & symmetric)
• SPDY

6. HTTP/HTTPS

7. HTTP/SPDY/SSL Sandwich
• SPDY encapsulates HTTP requests
– Single Multiplexed stream
• Transmits contents over SSL channel

8. Today’s Focus
• Setting the Stage for SPDY
– Can speak SSL with a server
– Can create a valid SSL connection
– Client and Server agree to use SPDY
• Optimizing SPDY
– Optimizing SSL
– Optimizing SPDY
– Avoiding optimizations that hurt SPDY
• Tools to help

9. SETTING THE STAGE FOR
SPDY

10. SSL Connectivity
• Hostname resolves
• IP is reachable
• Web server is listening on SSL port
• Web server understands SSL
• Web server knows which site you want
– Shared Hosting and SNI

11. Listener on 443 is speaking SSL?

12. Creating a Valid SSL connection
• Agreement on
crypto algorithms
• X.509 certificate is
valid

13. X.509 Cert: Correct Domain?

14. X.509 Cert: Valid Time Period?

15. X.509 Cert: Is it Trusted?

16. X.509 Cert: Is it Trusted?
• Do I trust the issuer?
– If not, was it signed by someone I trust?
• Has it been revoked?
– CRL lists
– Online Certificate Status Protocol (OCSP)

17. Agreeing to Use SPDY
• Client tells server it supports SPDY
• Server tells client it supports SPDY
• Client sends SPDY over SSL
• Else, falls back to HTTP over SSL

18. SSL Handshake
Microsoft Technet: Host
TLS/SSL Works
http://bit.ly/16Zx0en

19. Announcing SPDY support in the
SSL Handshake
Microsoft Technet: Host
TLS/SSL Works
http://bit.ly/16Zx0en
+
Ext:13172/A
LPN
+ NPN/ALPN
+
Ext:13172/ALPN

20. ClientHello with Extension 13172

21. ServerHello with NPN

22. Review: Speaking SPDY
• Client resolves and connects to SSL port
• Client announces SPDY support inside
ClientHello
• Server announces SPDY support in
ServerHello
• Client validates X.509 cert, finalized SSL
connection
• SPDY conversation happens

23. OPTIMIZING SSL/SPDY

24. The SSL Tarpits
• SSL handshake requires 2 round trips
• Certificates can be large
• Certificates need to be validated
• Keys can be too large
• Algorithms can be slow

25. The SSL Handshake is Costly!
Microsoft Technet: Host
TLS/SSL Works
http://bit.ly/16Zx0en

26. Resume SSL Session
• Avoid regenerating keys
• Avoid unneeded trips
• 2 methods
Microsoft Technet: Host
TLS/SSL Works
http://bit.ly/16Zx0en

27. • Both sides keep state/cache
• Reuse based on id
• Widely supported
Microsoft Technet: Host
TLS/SSL Works
http://bit.ly/16Zx0en
sessionid: 3a8a…
Big cache of
all ids given
out, and
associated
keys/ciphers
Session Identifiers

28. • Client stores “Magic Ticket”
• RFC 5077, optional
• No IIS support
Microsoft Technet: Host
TLS/SSL Works
http://bit.ly/16Zx0en
Encrypted summary of
keys/ciphers, signed by
server
Verifies
summary is
valid, uses
values
Session Tickets

29. SSL False Start

30. False Start: Not Gone
• “The Failure of False Start”
• Chrome still does it!
– Desktop and mobile
• Any server that supports NPN! (with
forward secure)
– Any server with SPDY support…
– Or SSL + NPN, but only announces HTTP/1.1!

31. Minimize the Certificate Chain

32. OCSP Validation causes delays

33. OCSP Stapling
• Good in theory, bad in practice
• Browsers are moving away from OSCP

34. Oversized Asymmetric Keys
• 1024 is fine
• 2048 for banks
• Anything more is
overkill

35. Cipher Order/Choice Matters
• RC4 is the best
• Unless on a
machine with AES-
NI
– Intel i7, Xeons,
some AMD
– Not most virtual
machines!!!
• First match wins
http://zombe.es/post/4078724716

36. Is SSL really helping you?
• SSL doesn’t “secure” your website
– Prevents eavesdropping, tampering
– Not XSS, CSRF, SQL Injection, Unpatched/out-
of-date software, RCE, LFI, etc.
• Consider: NULL-MD5, NULL-SHA
• SSL with no encryption

37. “Does this really matter?”
• Seriously?
• 1024 more bytes in key?
• 2 more kilobytes in the X.509 cert?
• Accidently using AES-256?
• Really?

38. “Does this really matter?”

39. SPDY Optimization
• SPDY only works over SSL
• Ensure that all your traffic if over SSL
• HTTP 301 direct for http: to https:
– Add a cache-control header!
• HTTP Strict Transport Security (HSTS)
– Like the browser’s cache, but for protocol
access. Make (semi) far future
– Wide support (>90% of SPDY capable
browsers)

40. Avoid These Optimizations
• Domain Sharding
– Hack to request multiplexing, not needed
– Hurts SPDY by spreading requests out
• JavaScript CDNs
– These are a horrible blight on the web!
– http://statichtml.com/2011/google-ajax-
libraries-caching.html
– https://github.com/h5bp/html5-
boilerplate/pull/1327

41. TOOLS

42. SSL Labs

43. SPDYCheck.org

44. Now on Github, GPL licensed!

45. SSL/SPDY Optimization Check List
• Website responds over SSL/443
• Website has NPN extension (even without
SPDY for False Start)
• X.509 certificate is valid
• X.509 chain is short
• SSL Asymmetric keys are <= 2048
• Cipher is RC4 (or AES-128 if supports
dedicated instructions)

46. SSL/SPDY Optimization Check List
• SSL session resumption is enabled (both
identifiers and tickets)
• No SSL compression
• Website is using latest version of SPDY
• HTTP permanently (301) redirects to
HTTPS (including cache header)
• HTTPS sends HTTP Strict Transport
Security header

47. Great Resources
• Ivan Ristic (blog.ivanristic.com)
• Adam Langley (www.imperialviolet.org)
• Mark Nottingham (www.mnot.net/blog/)
• Qualys SSL Labs (ssllabs.com)
• SPDYCheck (spdycheck.org)

48. Free Performance Assessment
zoompf.com/free

49. Maximizing Performance
with SPDY & SSL
Billy Hoffman
billy@zoompf.com @zoompf