SlideShare uma empresa Scribd logo

Maximizing SPDY and SSL Performance (June 2014)

Transferir como PPTX, PDF
Zoompf
Zoompf

Presented at the Atlanta Web Performance Meetup Group on June 2014, Billy Hoffman from Zoompf shows how to improve the performance of your website using SPDY and SSL and discusses SSL issues such as Heartbleed and CRIME

Software
1 de 56
Maximizing Performance with SPDY & SSL (June 2014) Billy Hoffman billy@zoompf.com @zoompf
What Is SPDY? • “Speedy” • Next Gen Web Protocol – Created by Google in 2009 – Basis of HTTP/2 spec • Designed for speed • Familiar Request/Response model – Largely abstracted away – Much improved plumbing – Extra features
Massive Browser Support
Massive Server Support
Cast of Characters • TCP • HTTP • SSL • X.509 Certificate • Cryptography (asymmetric & symmetric) • SPDY
HTTP/HTTPS
HTTP/SPDY/SSL Sandwich • SPDY encapsulates HTTP requests – Single Multiplexed stream • Transmits contents over SSL channel
Mapping To Frames
Breaking To Streams
Multiplexing Streams
HTTP Pipelining Revisited
Additional Features • Server Push! • Header Compression • Body Compression • Better use of TCP connections • Better upgrade approach
Today’s Focus • Setting the Stage for SPDY – Can speak SSL with a server – Can create a valid SSL connection – Client and Server agree to use SPDY • Optimizing SPDY – Optimizing SSL – Optimizing SPDY – Avoiding optimizations that hurt SPDY • Tools to help
SETTING THE STAGE FOR SPDY
SSL Connectivity • Hostname resolves • IP is reachable • Web server is listening on SSL port • Web server understands SSL • Web server knows which site you want – Shared Hosting and SNI
Listener on 443 is speaking SSL?
Creating a Valid SSL connection • Agreement on crypto algorithms • X.509 certificate is valid
X.509 Cert: Correct Domain?
X.509 Cert: Valid Time Period?
X.509 Cert: Is it Trusted?
X.509 Cert: Is it Trusted? • Do I trust the issuer? – If not, was it signed by someone I trust? • Has it been revoked? – CRL lists – Online Certificate Status Protocol (OCSP)
Agreeing to Use SPDY • Client tells server it supports SPDY • Server tells client it supports SPDY • Client sends SPDY over SSL • Else, falls back to HTTP over SSL
SSL Handshake Microsoft Technet: Host TLS/SSL Works http://bit.ly/16Zx0en
Announcing SPDY support in the SSL Handshake Microsoft Technet: Host TLS/SSL Works http://bit.ly/16Zx0en + Ext:13172/A LPN + NPN/ALPN + Ext:13172/ALPN
ClientHello with Extension 13172
ServerHello with NPN
Review: Speaking SPDY • Client resolves and connects to SSL port • Client announces SPDY support inside ClientHello • Server announces SPDY support in ServerHello • Client validates X.509 cert, finalized SSL connection • SPDY conversation happens
OPTIMIZING SSL/SPDY
The SSL Tarpits • SSL handshake requires 2 round trips • Certificates can be large • Certificates need to be validated • Keys can be too large • Algorithms can be slow • Revocation
The SSL Handshake is Costly! Microsoft Technet: Host TLS/SSL Works http://bit.ly/16Zx0en
Resume SSL Session • Avoid regenerating keys • Avoid unneeded trips • 2 methods Microsoft Technet: Host TLS/SSL Works http://bit.ly/16Zx0en
• Both sides keep state/cache • Reuse based on id • Widely supported Microsoft Technet: Host TLS/SSL Works http://bit.ly/16Zx0en sessionid: 3a8a… Big cache of all ids given out, and associated keys/ciphers Session Identifiers
• Client stores “Magic Ticket” • RFC 5077, optional • No IIS support Microsoft Technet: Host TLS/SSL Works http://bit.ly/16Zx0en Encrypted summary of keys/ciphers, signed by server Verifies summary is valid, uses values Session Tickets
SSL False Start
False Start: Not Gone • “The Failure of False Start” • Chrome still does it! – Desktop and mobile • Any server that supports NPN! (with forward secure) – Any server with SPDY support… – Or SSL + NPN, but only announces HTTP/1.1!
Minimize the Certificate Chain
OCSP Validation causes delays
OCSP Stapling • Good in theory, bad in practice • Browsers are moving away from OSCP
Heartbleed Ruined The Dream • OCSP doesn’t scale • DoS targets • We can’t do this well
Oversized Asymmetric Keys • 1024 is fine • 2048 for banks • Anything more is overkill
Cipher Order/Choice Matters • RC4 is the best • Unless on a machine with AES- NI – Intel i7, Xeons, some AMD – Not most virtual machines!!! • First match wins http://zombe.es/post/4078724716
Amazon EC2 • Partnered with Intel • Stop using M1!
Is SSL really helping you? • SSL doesn’t “secure” your website – Prevents eavesdropping, tampering – Not XSS, CSRF, SQL Injection, Unpatched/out- of-date software, RCE, LFI, etc. • Consider: NULL-MD5, NULL-SHA • SSL with no encryption
“Does this really matter?” • Seriously? • 1024 more bytes in key? • 2 more kilobytes in the X.509 cert? • Accidently using AES-256? • Really?
“Does this really matter?”
SPDY Optimization • SPDY only works over SSL • Ensure that all your traffic if over SSL • HTTP 301 direct for http: to https: – Add a cache-control header! • HTTP Strict Transport Security (HSTS) – Like the browser’s cache, but for protocol access. Make (semi) far future – Wide support (>90% of SPDY capable browsers)
Avoid These Optimizations • Domain Sharding – Hack to request multiplexing, not needed – Hurts SPDY by spreading requests out • JavaScript CDNs – These are a horrible blight on the web! – http://statichtml.com/2011/google-ajax- libraries-caching.html – https://github.com/h5bp/html5- boilerplate/pull/1327
TOOLS
SSL Labs
SPDYCheck.org
Now on Github, GPL licensed!
SSL/SPDY Optimization Check List • Website responds over SSL/443 • Website has NPN extension (even without SPDY for False Start) • X.509 certificate is valid • X.509 chain is short • SSL Asymmetric keys are <= 2048 • Cipher is fast! (RC-4, AES-128 if supports dedicated instructions)
SSL/SPDY Optimization Check List • SSL session resumption is enabled (both identifiers and tickets) • No SSL compression • Website is using latest version of SPDY • HTTP permanently (301) redirects to HTTPS (including cache header) • HTTPS sends HTTP Strict Transport Security header
Great Resources • Ivan Ristic (blog.ivanristic.com) • Adam Langley (www.imperialviolet.org) • Mark Nottingham (www.mnot.net/blog/) • Qualys SSL Labs (ssllabs.com) • SPDYCheck (spdycheck.org)
Free Performance Assessment zoompf.com/free
Maximizing Performance with SPDY & SSL Billy Hoffman billy@zoompf.com @zoompf

Recomendados

Maximizing Performance with SPDY and SSL
Maximizing Performance with SPDY and SSLMaximizing Performance with SPDY and SSL
Maximizing Performance with SPDY and SSLZoompf
 
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)Guy Podjarny
 
Altitude San Francisco 2018: HTTP Invalidation Workshop
Altitude San Francisco 2018: HTTP Invalidation WorkshopAltitude San Francisco 2018: HTTP Invalidation Workshop
Altitude San Francisco 2018: HTTP Invalidation WorkshopFastly
 
Unsafe SSL webinar
Unsafe SSL webinarUnsafe SSL webinar
Unsafe SSL webinarWolfgang Kandek
 
NGINX for Application Delivery & Acceleration
NGINX for Application Delivery & AccelerationNGINX for Application Delivery & Acceleration
NGINX for Application Delivery & AccelerationNGINX, Inc.
 
Virus Bulletin 2012
Virus Bulletin 2012Virus Bulletin 2012
Virus Bulletin 2012Cloudflare
 
Overview of SSL: choose the option that's right for you
Overview of SSL: choose the option that's right for youOverview of SSL: choose the option that's right for you
Overview of SSL: choose the option that's right for youCloudflare
 
Are we security yet
Are we security yetAre we security yet
Are we security yetCristian Vat
 

Recomendados

Maximizing Performance with SPDY and SSL
Maximizing Performance with SPDY and SSLMaximizing Performance with SPDY and SSL
Maximizing Performance with SPDY and SSLZoompf
 
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)Guy Podjarny
 
Altitude San Francisco 2018: HTTP Invalidation Workshop
Altitude San Francisco 2018: HTTP Invalidation WorkshopAltitude San Francisco 2018: HTTP Invalidation Workshop
Altitude San Francisco 2018: HTTP Invalidation WorkshopFastly
 
Unsafe SSL webinar
Unsafe SSL webinarUnsafe SSL webinar
Unsafe SSL webinarWolfgang Kandek
 
NGINX for Application Delivery & Acceleration
NGINX for Application Delivery & AccelerationNGINX for Application Delivery & Acceleration
NGINX for Application Delivery & AccelerationNGINX, Inc.
 
Virus Bulletin 2012
Virus Bulletin 2012Virus Bulletin 2012
Virus Bulletin 2012Cloudflare
 
Overview of SSL: choose the option that's right for you
Overview of SSL: choose the option that's right for youOverview of SSL: choose the option that's right for you
Overview of SSL: choose the option that's right for youCloudflare
 
Are we security yet
Are we security yetAre we security yet
Are we security yetCristian Vat
 
WPNYC: Moving your site to HTTPS
WPNYC: Moving your site to HTTPSWPNYC: Moving your site to HTTPS
WPNYC: Moving your site to HTTPSPaul Schreiber
 
Benchmarking NGINX for Accuracy and Results
Benchmarking NGINX for Accuracy and ResultsBenchmarking NGINX for Accuracy and Results
Benchmarking NGINX for Accuracy and ResultsNGINX, Inc.
 
Varnish Cache Plus. Random notes for wise web developers
Varnish Cache Plus. Random notes for wise web developersVarnish Cache Plus. Random notes for wise web developers
Varnish Cache Plus. Random notes for wise web developersCarlos Abalde
 
Revisiting HTTP/2
Revisiting HTTP/2Revisiting HTTP/2
Revisiting HTTP/2Fastly
 
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...Web agencies: An analysis of the OVH infrastructure to optimise your web proj...
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...OVHcloud
 
ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?Deploy360 Programme (Internet Society)
 
Sullivan heartbleed-defcon22 2014
Sullivan heartbleed-defcon22 2014Sullivan heartbleed-defcon22 2014
Sullivan heartbleed-defcon22 2014Cloudflare
 
Content Access Control with Varnish Cache
Content Access Control with Varnish CacheContent Access Control with Varnish Cache
Content Access Control with Varnish CacheCarlos Abalde
 
High Performance WordPress II
High Performance WordPress IIHigh Performance WordPress II
High Performance WordPress IIBarry Abrahamson
 
BrightonSEO Sep 2015 - HTTPS | Mark Thomas
BrightonSEO Sep 2015 - HTTPS | Mark Thomas BrightonSEO Sep 2015 - HTTPS | Mark Thomas
BrightonSEO Sep 2015 - HTTPS | Mark Thomas Anna Morrison
 
2013 - Igor Sysoev - NGINx: origen, evolución y futuro - PHP Conference Argen...
2013 - Igor Sysoev - NGINx: origen, evolución y futuro - PHP Conference Argen...2013 - Igor Sysoev - NGINx: origen, evolución y futuro - PHP Conference Argen...
2013 - Igor Sysoev - NGINx: origen, evolución y futuro - PHP Conference Argen...PHP Conference Argentina
 
Cluster Fudge: Recipes for WordPress in the Cloud (WordCamp Austin 2014 Speaker)
Cluster Fudge: Recipes for WordPress in the Cloud (WordCamp Austin 2014 Speaker)Cluster Fudge: Recipes for WordPress in the Cloud (WordCamp Austin 2014 Speaker)
Cluster Fudge: Recipes for WordPress in the Cloud (WordCamp Austin 2014 Speaker)Grant Norwood
 
Russia vps
Russia vpsRussia vps
Russia vpsManisha Rawat
 
ION Sri Lanka - DNSSEC at LK Domain Registry
ION Sri Lanka - DNSSEC at LK Domain RegistryION Sri Lanka - DNSSEC at LK Domain Registry
ION Sri Lanka - DNSSEC at LK Domain RegistryDeploy360 Programme (Internet Society)
 
Web performance across the HTTP to HTTPS transition
Web performance across the HTTP to HTTPS transitionWeb performance across the HTTP to HTTPS transition
Web performance across the HTTP to HTTPS transitionseanwalbran
 
Altitude SF 2017: The power of the network
Altitude SF 2017: The power of the networkAltitude SF 2017: The power of the network
Altitude SF 2017: The power of the networkFastly
 
The SSL Problem and How to Deploy SHA2 Certificates
The SSL Problem and How to Deploy SHA2 CertificatesThe SSL Problem and How to Deploy SHA2 Certificates
The SSL Problem and How to Deploy SHA2 CertificatesGabriella Davis
 
WordPress Hosting Survival Guide
WordPress Hosting Survival Guide WordPress Hosting Survival Guide
WordPress Hosting Survival Guide WordCamp Sydney
 
SPDY - http reloaded - WebTechConference 2012
SPDY - http reloaded - WebTechConference 2012SPDY - http reloaded - WebTechConference 2012
SPDY - http reloaded - WebTechConference 2012Fabian Lange
 
SSL for SaaS Providers
SSL for SaaS ProvidersSSL for SaaS Providers
SSL for SaaS ProvidersCloudflare
 
SPDY - or maybe HTTP2.0
SPDY - or maybe HTTP2.0SPDY - or maybe HTTP2.0
SPDY - or maybe HTTP2.0Andreas Bjärlestam
 
SPDY
SPDYSPDY
SPDYAndreas Bjärlestam
 

Mais conteúdo relacionado

Mais procurados

WPNYC: Moving your site to HTTPS
WPNYC: Moving your site to HTTPSWPNYC: Moving your site to HTTPS
WPNYC: Moving your site to HTTPSPaul Schreiber
 
Benchmarking NGINX for Accuracy and Results
Benchmarking NGINX for Accuracy and ResultsBenchmarking NGINX for Accuracy and Results
Benchmarking NGINX for Accuracy and ResultsNGINX, Inc.
 
Varnish Cache Plus. Random notes for wise web developers
Varnish Cache Plus. Random notes for wise web developersVarnish Cache Plus. Random notes for wise web developers
Varnish Cache Plus. Random notes for wise web developersCarlos Abalde
 
Revisiting HTTP/2
Revisiting HTTP/2Revisiting HTTP/2
Revisiting HTTP/2Fastly
 
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...Web agencies: An analysis of the OVH infrastructure to optimise your web proj...
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...OVHcloud
 
Sullivan heartbleed-defcon22 2014
Sullivan heartbleed-defcon22 2014Sullivan heartbleed-defcon22 2014
Sullivan heartbleed-defcon22 2014Cloudflare
 
Content Access Control with Varnish Cache
Content Access Control with Varnish CacheContent Access Control with Varnish Cache
Content Access Control with Varnish CacheCarlos Abalde
 
High Performance WordPress II
High Performance WordPress IIHigh Performance WordPress II
High Performance WordPress IIBarry Abrahamson
 
BrightonSEO Sep 2015 - HTTPS | Mark Thomas
BrightonSEO Sep 2015 - HTTPS | Mark Thomas BrightonSEO Sep 2015 - HTTPS | Mark Thomas
BrightonSEO Sep 2015 - HTTPS | Mark Thomas Anna Morrison
 
2013 - Igor Sysoev - NGINx: origen, evolución y futuro - PHP Conference Argen...
2013 - Igor Sysoev - NGINx: origen, evolución y futuro - PHP Conference Argen...2013 - Igor Sysoev - NGINx: origen, evolución y futuro - PHP Conference Argen...
2013 - Igor Sysoev - NGINx: origen, evolución y futuro - PHP Conference Argen...PHP Conference Argentina
 
Cluster Fudge: Recipes for WordPress in the Cloud (WordCamp Austin 2014 Speaker)
Cluster Fudge: Recipes for WordPress in the Cloud (WordCamp Austin 2014 Speaker)Cluster Fudge: Recipes for WordPress in the Cloud (WordCamp Austin 2014 Speaker)
Cluster Fudge: Recipes for WordPress in the Cloud (WordCamp Austin 2014 Speaker)Grant Norwood
 
Web performance across the HTTP to HTTPS transition
Web performance across the HTTP to HTTPS transitionWeb performance across the HTTP to HTTPS transition
Web performance across the HTTP to HTTPS transitionseanwalbran
 
Altitude SF 2017: The power of the network
Altitude SF 2017: The power of the networkAltitude SF 2017: The power of the network
Altitude SF 2017: The power of the networkFastly
 
The SSL Problem and How to Deploy SHA2 Certificates
The SSL Problem and How to Deploy SHA2 CertificatesThe SSL Problem and How to Deploy SHA2 Certificates
The SSL Problem and How to Deploy SHA2 CertificatesGabriella Davis
 
WordPress Hosting Survival Guide
WordPress Hosting Survival Guide WordPress Hosting Survival Guide
WordPress Hosting Survival Guide WordCamp Sydney
 
SPDY - http reloaded - WebTechConference 2012
SPDY - http reloaded - WebTechConference 2012SPDY - http reloaded - WebTechConference 2012
SPDY - http reloaded - WebTechConference 2012Fabian Lange
 
SSL for SaaS Providers
SSL for SaaS ProvidersSSL for SaaS Providers
SSL for SaaS ProvidersCloudflare
 

Mais procurados (20)

WPNYC: Moving your site to HTTPS
WPNYC: Moving your site to HTTPSWPNYC: Moving your site to HTTPS
WPNYC: Moving your site to HTTPS
 
Benchmarking NGINX for Accuracy and Results
Benchmarking NGINX for Accuracy and ResultsBenchmarking NGINX for Accuracy and Results
Benchmarking NGINX for Accuracy and Results
 
Varnish Cache Plus. Random notes for wise web developers
Varnish Cache Plus. Random notes for wise web developersVarnish Cache Plus. Random notes for wise web developers
Varnish Cache Plus. Random notes for wise web developers
 
Revisiting HTTP/2
Revisiting HTTP/2Revisiting HTTP/2
Revisiting HTTP/2
 
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...Web agencies: An analysis of the OVH infrastructure to optimise your web proj...
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...
 
ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?
 
Sullivan heartbleed-defcon22 2014
Sullivan heartbleed-defcon22 2014Sullivan heartbleed-defcon22 2014
Sullivan heartbleed-defcon22 2014
 
Content Access Control with Varnish Cache
Content Access Control with Varnish CacheContent Access Control with Varnish Cache
Content Access Control with Varnish Cache
 
High Performance WordPress II
High Performance WordPress IIHigh Performance WordPress II
High Performance WordPress II
 
BrightonSEO Sep 2015 - HTTPS | Mark Thomas
BrightonSEO Sep 2015 - HTTPS | Mark Thomas BrightonSEO Sep 2015 - HTTPS | Mark Thomas
BrightonSEO Sep 2015 - HTTPS | Mark Thomas
 
2013 - Igor Sysoev - NGINx: origen, evolución y futuro - PHP Conference Argen...
2013 - Igor Sysoev - NGINx: origen, evolución y futuro - PHP Conference Argen...2013 - Igor Sysoev - NGINx: origen, evolución y futuro - PHP Conference Argen...
2013 - Igor Sysoev - NGINx: origen, evolución y futuro - PHP Conference Argen...
 
Cluster Fudge: Recipes for WordPress in the Cloud (WordCamp Austin 2014 Speaker)
Cluster Fudge: Recipes for WordPress in the Cloud (WordCamp Austin 2014 Speaker)Cluster Fudge: Recipes for WordPress in the Cloud (WordCamp Austin 2014 Speaker)
Cluster Fudge: Recipes for WordPress in the Cloud (WordCamp Austin 2014 Speaker)
 
Russia vps
Russia vpsRussia vps
Russia vps
 
ION Sri Lanka - DNSSEC at LK Domain Registry
ION Sri Lanka - DNSSEC at LK Domain RegistryION Sri Lanka - DNSSEC at LK Domain Registry
ION Sri Lanka - DNSSEC at LK Domain Registry
 
Web performance across the HTTP to HTTPS transition
Web performance across the HTTP to HTTPS transitionWeb performance across the HTTP to HTTPS transition
Web performance across the HTTP to HTTPS transition
 
Altitude SF 2017: The power of the network
Altitude SF 2017: The power of the networkAltitude SF 2017: The power of the network
Altitude SF 2017: The power of the network
 
The SSL Problem and How to Deploy SHA2 Certificates
The SSL Problem and How to Deploy SHA2 CertificatesThe SSL Problem and How to Deploy SHA2 Certificates
The SSL Problem and How to Deploy SHA2 Certificates
 
WordPress Hosting Survival Guide
WordPress Hosting Survival Guide WordPress Hosting Survival Guide
WordPress Hosting Survival Guide
 
SPDY - http reloaded - WebTechConference 2012
SPDY - http reloaded - WebTechConference 2012SPDY - http reloaded - WebTechConference 2012
SPDY - http reloaded - WebTechConference 2012
 
SSL for SaaS Providers
SSL for SaaS ProvidersSSL for SaaS Providers
SSL for SaaS Providers
 

Semelhante a Maximizing SPDY and SSL Performance (June 2014)

HTTPS presentation at Port80 Sydney meetup March 2016
HTTPS presentation at Port80 Sydney meetup March 2016HTTPS presentation at Port80 Sydney meetup March 2016
HTTPS presentation at Port80 Sydney meetup March 2016Jason Stangroome
 
Next generation web protocols
Next generation web protocolsNext generation web protocols
Next generation web protocolsDaniel Austin
 
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...Accelerating and Securing your Applications in AWS. In-depth look at Solving ...
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...Amazon Web Services
 
SSL: Past, Present and Future
SSL: Past, Present and FutureSSL: Past, Present and Future
SSL: Past, Present and FutureTiago Mendo
 
SSL: Past, Present and Future
SSL: Past, Present and FutureSSL: Past, Present and Future
SSL: Past, Present and FutureLuis Grangeia
 
HTTP vs HTTPS, Do You Really Need HTTPS?
HTTP vs HTTPS, Do You Really Need HTTPS?HTTP vs HTTPS, Do You Really Need HTTPS?
HTTP vs HTTPS, Do You Really Need HTTPS?CheapSSLsecurity
 
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)Gabriella Davis
 
Http - All you need to know
Http - All you need to knowHttp - All you need to know
Http - All you need to knowGökhan Şengün
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)Jerome Smith
 
Secure Content Delivery Using Amazon CloudFront and AWS WAF
Secure Content Delivery Using Amazon CloudFront and AWS WAFSecure Content Delivery Using Amazon CloudFront and AWS WAF
Secure Content Delivery Using Amazon CloudFront and AWS WAFAmazon Web Services
 
State of the Web
State of the WebState of the Web
State of the WebCASCouncil
 
Secure Content Delivery Using Amazon CloudFront and AWS WAF
Secure Content Delivery Using Amazon CloudFront and AWS WAFSecure Content Delivery Using Amazon CloudFront and AWS WAF
Secure Content Delivery Using Amazon CloudFront and AWS WAFAmazon Web Services
 
Scalable Reliable Secure REST
Scalable Reliable Secure RESTScalable Reliable Secure REST
Scalable Reliable Secure RESTguestb2ed5f
 
How the SSL/TLS protocol works (very briefly) How to use HTTPS
How the SSL/TLS protocol works (very briefly) How to use HTTPSHow the SSL/TLS protocol works (very briefly) How to use HTTPS
How the SSL/TLS protocol works (very briefly) How to use HTTPSwhj76337
 
Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)Markus Schlichting
 
curl and new technologies
curl and new technologiescurl and new technologies
curl and new technologiesDaniel Stenberg
 

Semelhante a Maximizing SPDY and SSL Performance (June 2014) (20)

SPDY - or maybe HTTP2.0
SPDY - or maybe HTTP2.0SPDY - or maybe HTTP2.0
SPDY - or maybe HTTP2.0
 
SPDY
SPDYSPDY
SPDY
 
HTTPS presentation at Port80 Sydney meetup March 2016
HTTPS presentation at Port80 Sydney meetup March 2016HTTPS presentation at Port80 Sydney meetup March 2016
HTTPS presentation at Port80 Sydney meetup March 2016
 
SPDY
SPDYSPDY
SPDY
 
Next generation web protocols
Next generation web protocolsNext generation web protocols
Next generation web protocols
 
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...Accelerating and Securing your Applications in AWS. In-depth look at Solving ...
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...
 
SSL: Past, Present and Future
SSL: Past, Present and FutureSSL: Past, Present and Future
SSL: Past, Present and Future
 
SSL: Past, Present and Future
SSL: Past, Present and FutureSSL: Past, Present and Future
SSL: Past, Present and Future
 
HTTP vs HTTPS, Do You Really Need HTTPS?
HTTP vs HTTPS, Do You Really Need HTTPS?HTTP vs HTTPS, Do You Really Need HTTPS?
HTTP vs HTTPS, Do You Really Need HTTPS?
 
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
 
Http - All you need to know
Http - All you need to knowHttp - All you need to know
Http - All you need to know
 
SPDY and HTTP/2
SPDY and HTTP/2SPDY and HTTP/2
SPDY and HTTP/2
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)
 
Secure Content Delivery Using Amazon CloudFront and AWS WAF
Secure Content Delivery Using Amazon CloudFront and AWS WAFSecure Content Delivery Using Amazon CloudFront and AWS WAF
Secure Content Delivery Using Amazon CloudFront and AWS WAF
 
State of the Web
State of the WebState of the Web
State of the Web
 
Secure Content Delivery Using Amazon CloudFront and AWS WAF
Secure Content Delivery Using Amazon CloudFront and AWS WAFSecure Content Delivery Using Amazon CloudFront and AWS WAF
Secure Content Delivery Using Amazon CloudFront and AWS WAF
 
Scalable Reliable Secure REST
Scalable Reliable Secure RESTScalable Reliable Secure REST
Scalable Reliable Secure REST
 
How the SSL/TLS protocol works (very briefly) How to use HTTPS
How the SSL/TLS protocol works (very briefly) How to use HTTPSHow the SSL/TLS protocol works (very briefly) How to use HTTPS
How the SSL/TLS protocol works (very briefly) How to use HTTPS
 
Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)
 
curl and new technologies
curl and new technologiescurl and new technologies
curl and new technologies
 

Último

5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 

Último (20)

5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 

Maximizing SPDY and SSL Performance (June 2014)

  • 1. Maximizing Performance with SPDY & SSL (June 2014) Billy Hoffman billy@zoompf.com @zoompf
  • 2. What Is SPDY? • “Speedy” • Next Gen Web Protocol – Created by Google in 2009 – Basis of HTTP/2 spec • Designed for speed • Familiar Request/Response model – Largely abstracted away – Much improved plumbing – Extra features
  • 5. Cast of Characters • TCP • HTTP • SSL • X.509 Certificate • Cryptography (asymmetric & symmetric) • SPDY
  • 7. HTTP/SPDY/SSL Sandwich • SPDY encapsulates HTTP requests – Single Multiplexed stream • Transmits contents over SSL channel
  • 12. Additional Features • Server Push! • Header Compression • Body Compression • Better use of TCP connections • Better upgrade approach
  • 13. Today’s Focus • Setting the Stage for SPDY – Can speak SSL with a server – Can create a valid SSL connection – Client and Server agree to use SPDY • Optimizing SPDY – Optimizing SSL – Optimizing SPDY – Avoiding optimizations that hurt SPDY • Tools to help
  • 14. SETTING THE STAGE FOR SPDY
  • 15. SSL Connectivity • Hostname resolves • IP is reachable • Web server is listening on SSL port • Web server understands SSL • Web server knows which site you want – Shared Hosting and SNI
  • 16. Listener on 443 is speaking SSL?
  • 17. Creating a Valid SSL connection • Agreement on crypto algorithms • X.509 certificate is valid
  • 19. X.509 Cert: Valid Time Period?
  • 20. X.509 Cert: Is it Trusted?
  • 21. X.509 Cert: Is it Trusted? • Do I trust the issuer? – If not, was it signed by someone I trust? • Has it been revoked? – CRL lists – Online Certificate Status Protocol (OCSP)
  • 22. Agreeing to Use SPDY • Client tells server it supports SPDY • Server tells client it supports SPDY • Client sends SPDY over SSL • Else, falls back to HTTP over SSL
  • 23. SSL Handshake Microsoft Technet: Host TLS/SSL Works http://bit.ly/16Zx0en
  • 24. Announcing SPDY support in the SSL Handshake Microsoft Technet: Host TLS/SSL Works http://bit.ly/16Zx0en + Ext:13172/A LPN + NPN/ALPN + Ext:13172/ALPN
  • 27. Review: Speaking SPDY • Client resolves and connects to SSL port • Client announces SPDY support inside ClientHello • Server announces SPDY support in ServerHello • Client validates X.509 cert, finalized SSL connection • SPDY conversation happens
  • 29. The SSL Tarpits • SSL handshake requires 2 round trips • Certificates can be large • Certificates need to be validated • Keys can be too large • Algorithms can be slow • Revocation
  • 30. The SSL Handshake is Costly! Microsoft Technet: Host TLS/SSL Works http://bit.ly/16Zx0en
  • 31. Resume SSL Session • Avoid regenerating keys • Avoid unneeded trips • 2 methods Microsoft Technet: Host TLS/SSL Works http://bit.ly/16Zx0en
  • 32. • Both sides keep state/cache • Reuse based on id • Widely supported Microsoft Technet: Host TLS/SSL Works http://bit.ly/16Zx0en sessionid: 3a8a… Big cache of all ids given out, and associated keys/ciphers Session Identifiers
  • 33. • Client stores “Magic Ticket” • RFC 5077, optional • No IIS support Microsoft Technet: Host TLS/SSL Works http://bit.ly/16Zx0en Encrypted summary of keys/ciphers, signed by server Verifies summary is valid, uses values Session Tickets
  • 35. False Start: Not Gone • “The Failure of False Start” • Chrome still does it! – Desktop and mobile • Any server that supports NPN! (with forward secure) – Any server with SPDY support… – Or SSL + NPN, but only announces HTTP/1.1!
  • 38. OCSP Stapling • Good in theory, bad in practice • Browsers are moving away from OSCP
  • 39. Heartbleed Ruined The Dream • OCSP doesn’t scale • DoS targets • We can’t do this well
  • 40. Oversized Asymmetric Keys • 1024 is fine • 2048 for banks • Anything more is overkill
  • 41. Cipher Order/Choice Matters • RC4 is the best • Unless on a machine with AES- NI – Intel i7, Xeons, some AMD – Not most virtual machines!!! • First match wins http://zombe.es/post/4078724716
  • 42. Amazon EC2 • Partnered with Intel • Stop using M1!
  • 43. Is SSL really helping you? • SSL doesn’t “secure” your website – Prevents eavesdropping, tampering – Not XSS, CSRF, SQL Injection, Unpatched/out- of-date software, RCE, LFI, etc. • Consider: NULL-MD5, NULL-SHA • SSL with no encryption
  • 44. “Does this really matter?” • Seriously? • 1024 more bytes in key? • 2 more kilobytes in the X.509 cert? • Accidently using AES-256? • Really?
  • 45. “Does this really matter?”
  • 46. SPDY Optimization • SPDY only works over SSL • Ensure that all your traffic if over SSL • HTTP 301 direct for http: to https: – Add a cache-control header! • HTTP Strict Transport Security (HSTS) – Like the browser’s cache, but for protocol access. Make (semi) far future – Wide support (>90% of SPDY capable browsers)
  • 47. Avoid These Optimizations • Domain Sharding – Hack to request multiplexing, not needed – Hurts SPDY by spreading requests out • JavaScript CDNs – These are a horrible blight on the web! – http://statichtml.com/2011/google-ajax- libraries-caching.html – https://github.com/h5bp/html5- boilerplate/pull/1327
  • 48. TOOLS
  • 51. Now on Github, GPL licensed!
  • 52. SSL/SPDY Optimization Check List • Website responds over SSL/443 • Website has NPN extension (even without SPDY for False Start) • X.509 certificate is valid • X.509 chain is short • SSL Asymmetric keys are <= 2048 • Cipher is fast! (RC-4, AES-128 if supports dedicated instructions)
  • 53. SSL/SPDY Optimization Check List • SSL session resumption is enabled (both identifiers and tickets) • No SSL compression • Website is using latest version of SPDY • HTTP permanently (301) redirects to HTTPS (including cache header) • HTTPS sends HTTP Strict Transport Security header
  • 54. Great Resources • Ivan Ristic (blog.ivanristic.com) • Adam Langley (www.imperialviolet.org) • Mark Nottingham (www.mnot.net/blog/) • Qualys SSL Labs (ssllabs.com) • SPDYCheck (spdycheck.org)
  • 56. Maximizing Performance with SPDY & SSL Billy Hoffman billy@zoompf.com @zoompf