1 TLS all the tubes! Is TLS Fast Yet? It can be. Making TLS fast(er)... the nuts and bolts. +Ilya
2 All communication should be secure, always, and by default! HTTPS everywhere!
3 Transport Layer Security
  Protocol stack: ... HTTP / TLS / TCP / IP
  Authentication: am I talking to who they claim to be?
  Data integrity: has anyone tampered with the data?
  Encryption: can anyone see my conversation?
4 That's great, but...
  1. Doesn't TLS have high computational overhead?
     a. Extra servers, extra ops costs, and so on?
  2. Doesn't TLS incur latency overhead?
     a. Extra roundtrips translate to slower sites, right?
5 TLS has exactly one performance problem: it is not used widely enough. Everything else can be optimized
6 CPU + Memory: let's take a peek under the hood...
7 Computational costs
  Asymmetric crypto (public key) is expensive (relatively speaking): O(1 ms) per handshake
  Symmetric crypto can easily saturate your NIC: 100Mbps+ per core with sha256 and 1024 byte blocks

    # upgrade to latest
    $> openssl version
    # run benchmarks
    $> openssl speed sha
    $> openssl speed ecdh
8 We have deployed TLS at a large scale using both hardware and software load balancers. We have found that modern software-based TLS implementations running on commodity CPUs are fast enough to handle heavy HTTPS traffic load without needing to resort to dedicated cryptographic hardware. Doug Beaver, Facebook.
9 On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10 KB of memory per connection and less than 2% of network overhead. Many people believe that SSL/TLS takes a lot of CPU time and we hope the preceding numbers will help to dispel that. Adam Langley, Google.
10 Rough memory usage numbers
  TLS compression on: ~1MB / connection
  TLS compression off: ~100KB / connection
  Google servers: ~10KB / connection
  1. Disable TLS compression (security and perf)
  2. We need to improve open source libraries...
11 BoringSSL is exciting! Google's fork of OpenSSL, will be used in Chrome, Android, Internal cleanup patches, reduced resource usage, and so on. Hot off the press!
12 Elliptic Curve Ephemeral Diffie-Hellman enables Forward Secrecy. In practical deployment, we found that enabling and prioritizing ECDHE cipher suites actually caused negligible increase in CPU usage. HTTP keepalives and session resumption mean that most requests do not require a full handshake, so handshake operations do not dominate our CPU usage. Jacob Hoffman-Andrews, Twitter.
13 TLS resumption 101
  Re-use negotiated parameters for the symmetric cipher
  Eliminates asymmetric crypto on the server via reuse of previously used parameters
  Eliminates full roundtrip, allowing 1-RTT connection establishment
14 TLS resumption
  Session identifiers (shared state is on the server)
    Server assigns session ID
    Server caches parameters
    Client sends session ID
    Session is resumed
  Session tickets (shared state is on the client)
    Server encrypts parameters
    Server sets opaque ticket
    Client sends opaque ticket
    Server decrypts ticket and resumes session
15 TLS handshake with session resumption...

    $> openssl s_client -connect example.com:443 -tls1 -tlsextdebug -status
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : RC4-SHA
        [Session Identifier]
        Session-ID: 8BE63F4825DDE238E0FE7574D D ECD BFD6FDFB861E
        Session-ID-ctx:
        Master-Key: 2FA185F11A791EFB5BA24847FA448B7A0CE73F2D095191F949A35F68CE40FD4EC389E025CCD75
        Key-Arg   : None
        [Session Ticket]
        TLS session ticket lifetime hint: 600 (seconds)
        TLS session ticket:
        e b 4c 13 9d ec-1f 1a 5a ea 89 c6 1f a7.4q.l...z
        b7 d5 25 4e b6 00-c2 8d ce 6c 06 8b c9 ff..%n V...l...
        (snip)

  You can enable both: older clients may not support session tickets
  Most servers support both, check the docs for configuration options
16 A few things to think about
  1. Session identifiers
     a. Require a shared cache between servers for best results
     b. Sessions must be expired and rotated in a secure manner
  2. Session tickets
     a. Require a shared ticket encryption key
     b. Shared encryption key must be rotated in a secure manner
  3. Perfect Forward Secrecy (PFS)
     Session ticket keys have to be distributed to all the frontend machines, without being written to any kind of persistent storage, and frequently rotated.
     https://www.imperialviolet.org/2011/11/22/forwardsecret.html
19 Terminate TLS at the CDN edge...
  CDNs are not just for static content.
  Edge termination can significantly reduce TCP and TLS handshake costs!
  [Figure: RTT with origin vs. RTT with CDN edge]
  *Before you hand over the keys to your kingdom, make sure your CDN has their TLS stack optimized! You may be surprised...
20 Online Certificate Status Protocol (OCSP)
  Has this certificate been revoked?
  Stop the world and query the OCSP server:
    DNS lookup
    TCP connect
    Wait for server response
  What if the OCSP check times out, gets blocked, etc? See "Revocation still doesn't work".
21 Eliminating OCSP latency
  Chrome blocks on EV certs only
  Other browsers may block on all (FF)
  Use OCSP stapling!
  1. Server retrieves the OCSP response
  2. Server staples response to certificate
  3. Client verifies stapled response
  [Figure label: OCSP endpoint]
22 TLS handshake with stapled OCSP response...

    $> openssl s_client -connect example.com:443 -tls1 -tlsextdebug -status
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: C = IL, O = StartCom Ltd., CN = StartCom Class 1 Server OCSP Signer
        Produced At: Feb 18 17:53: GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: F40750F016A E1F5C93E5A26D58
          Issuer Key Hash: EB4234D098B0AB9FF41B6B08F7CC642EEF0E2C45
          Serial Number: 0B60D5
        Cert Status: good

  Stapled OCSP means no blocking!
  OCSP stapling increases certificate size! Is this a problem for your site? Better check.
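
A check for the two s_client captures above (slides 15 and 22), as an added example that is not part of the original slides: it pulls the resumption, stapling and forward-secrecy signals out of `openssl s_client -tlsextdebug -status` output. The two sample outputs are constructed for illustration, and the function names are this example's own.

```python
import re

# Constructed sample, modelled on the s_client fields shown on the slides.
# The Session-ID is a placeholder, not a real value.
SAMPLE_STAPLED = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 00112233445566778899AABBCCDDEEFF
    Session-ID-ctx:
    TLS session ticket lifetime hint: 600 (seconds)
"""

# Constructed sample: no stapling, no session ID, no ticket.
SAMPLE_BARE = """\
OCSP response: no response sent
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID:
    Session-ID-ctx:
"""


def audit_s_client(output):
    """Extract the resumption, stapling and forward-secrecy signals."""
    def find(pattern):
        m = re.search(pattern, output, re.MULTILINE)
        return m.group(1) if m else None

    cipher = find(r"^[ \t]*Cipher[ \t]*:[ \t]*(\S+)")
    hint = find(r"TLS session ticket lifetime hint:[ \t]*(\d+)")
    return {
        "ocsp_stapled": find(r"OCSP Response Status:[ \t]*(\w+)") == "successful",
        "cert_status": find(r"Cert Status:[ \t]*(\w+)"),
        "session_id_issued": bool(
            find(r"^[ \t]*Session-ID:[ \t]*([0-9A-Fa-f]+)[ \t]*$")),
        "ticket_lifetime_s": int(hint) if hint else None,
        "cipher": cipher,
        # Chrome, Firefox and Safari require a forward-secret suite for False Start.
        "forward_secret": bool(cipher) and cipher.startswith(("ECDHE-", "DHE-")),
    }


def gaps(findings):
    """List which of the 1-RTT ingredients are missing from this handshake."""
    missing = []
    if not findings["ocsp_stapled"]:
        missing.append("no stapled OCSP response")
    if not findings["session_id_issued"] and findings["ticket_lifetime_s"] is None:
        missing.append("no session ID or session ticket: resumption unavailable")
    if not findings["forward_secret"]:
        missing.append("cipher lacks forward secrecy: no False Start in Chrome, Firefox or Safari")
    return missing


if __name__ == "__main__":
    for label, text in (("stapled", SAMPLE_STAPLED), ("bare", SAMPLE_BARE)):
        print(label, gaps(audit_s_client(text)))
```

An issued session ID or ticket only shows that resumption was offered; to confirm it actually works, reconnect with the saved session (for example with s_client's `-reconnect` option) and check that the session is reused.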
23 How many RTTs does your certificate incur?
  3+ RTT TLS handshake due to 2 RTT cert?
  Average certificate chain depth: 2-3 certificates
  Average certificate size: ~1-1.5KB
  Plus OCSP response
  Many cert chains overflow the old TCP (4 packet) CWND
  Upgrade your servers to use IW10!
24 Check your server, you may be surprised...
  nginx <1.5.6, HAProxy <1.5-dev22 incur extra RTT, even w/ IW10!
  Capture a tcpdump of your handshake and check the exchange
  Some servers will pause on large certificates until they get an ACK for the first 4KB of the certificate (doh!)
25 1-RTT non-resumed handshake with TLS False Start
  Client sends application data immediately after Finished.
    Eliminates 1 RTT
    No protocol changes... Only timing is affected
  In practice
    Some servers break (ugh)
    Hence, opt-in behavior...
26 Deploying False Start...
  Chrome and Firefox
    NPN/ALPN advertisement - e.g. http/1.1
    Forward secrecy ciphersuite - e.g. ECDHE
  Safari
    Forward secrecy ciphersuite
  Internet Explorer
    Blacklist + timeout
    If handshake fails, retry without False Start
  TL;DR: enable NPN advertisement and forward secrecy to get 1RTT handshakes.
27 Ingredients for a 1-RTT TLS experience
  1. False Start = 1-RTT handshake for new visitors
     a. New users have to perform public-key crypto handshake
  2. Session resumption = 1-RTT handshake for returning visitors
     a. Plus, we can skip public-key crypto by reusing previous parameters
  3. OCSP Stapling
     a. No OCSP blocking to verify certificate status
  4. False Start + Session Resumption + OCSP stapling
     a. 1-RTT handshake for new and returning visitors
     b. Returning visitors can skip the public-key crypto
28 What's wrong with this picture? (300ms RTT, 1.5Mbps...)
  It's a 2-RTT handshake, we know better!
  At least there is no OCSP overhead!
  It's a 2-RTT time to first byte!
  Large records are buffered, which delays processing!
29 TLS record size + latency gotchas...
  This record is split across 8 TCP packets
  TLS allows up to 16KB of application data per record
  New connection + 16KB record = CWND overflow and an extra RTT
  Lost or delayed packet delays processing of entire record
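
The CWND arithmetic behind slides 23 and 29, as an added example that is not part of the original slides: a simplified slow-start model that counts how many extra round trips a fresh connection needs to deliver a certificate flight or a single TLS record. The segment size, the byte counts and the no-loss, doubling-window model are assumptions of this example.

```python
import math

MSS = 1460  # assumed TCP payload per segment (1500-byte MTU, no TCP options)


def flights_needed(payload_bytes, initial_cwnd, mss=MSS):
    """Number of send windows a fresh connection needs for payload_bytes.

    Simplified slow-start model (an assumption of this example): no loss,
    cwnd doubles after every acknowledged window, receive window is ample,
    and cwnd is still at its initial value when the payload is queued.
    """
    if payload_bytes <= 0:
        return 0
    segments = math.ceil(payload_bytes / mss)
    cwnd, sent, flights = initial_cwnd, 0, 0
    while sent < segments:
        sent += cwnd      # send as many segments as the window allows
        cwnd *= 2         # window doubles once that flight is ACKed
        flights += 1
    return flights


def extra_rtts(payload_bytes, initial_cwnd, mss=MSS):
    """Round trips spent waiting for ACKs before the payload is complete."""
    return max(0, flights_needed(payload_bytes, initial_cwnd, mss) - 1)


# Constructed sizes, in the range the slides quote.
CERT_FLIGHT = 3 * 1500 + 1800 + 500  # 3 certs + stapled OCSP + other handshake msgs
RECORD_16K = 16 * 1024 + 29          # full record + assumed header/MAC overhead
RECORD_MTU = 1400                    # record that fits one packet


def compare():
    """Extra RTTs for each payload under the old IW4 and under IW10."""
    payloads = [("cert flight", CERT_FLIGHT),
                ("16KB record", RECORD_16K),
                ("1400B record", RECORD_MTU)]
    return {name: {iw: extra_rtts(size, iw) for iw in (4, 10)}
            for name, size in payloads}


if __name__ == "__main__":
    for name, by_iw in compare().items():
        print(f"{name:13s} IW4: +{by_iw[4]} RTT   IW10: +{by_iw[10]} RTT")
```

Under these assumptions the certificate flight fits in one window only with IW10, while a full 16KB record overflows the initial window either way.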
30 Optimizing record size
  1. Google servers implement dynamic record sizing
     a. New connections start with 1400 byte records (aka, single MTU)
     b. After ~1MB is sent, switch to 16K records
     c. After ~1s of inactivity, reset to 1400 byte records
  2. Most servers don't optimize this case at all...
     a. HAProxy recently landed dynamic sizing patch - yay!
     b. Nginx recently landed ssl_buffer_size: static override - better, but meh...
  TL;DR: there is no perfect record size. Adjust dynamically.
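
The dynamic record sizing policy from slide 30 as a small state machine, added here as an example; it is a sketch of the three rules as the slide states them, not Google's or any server's implementation. The class and function names and the exact thresholds (1,000,000 bytes, 1.0 s) are assumptions standing in for the slide's "~1MB" and "~1s".

```python
class DynamicRecordSizer:
    """Per-connection record size policy: small, then large, reset when idle."""

    SMALL = 1400             # single-MTU record for new or idle connections
    LARGE = 16 * 1024        # maximum TLS record payload
    RAMP_BYTES = 1_000_000   # assumed value for "~1MB"
    IDLE_RESET = 1.0         # assumed value for "~1s", in seconds

    def __init__(self):
        self.bytes_sent = 0      # bytes sent since connection start or last reset
        self.last_send = None    # timestamp of the most recent record

    def next_record_size(self, now):
        """Return the record size to use for data written at time `now`."""
        idle = self.last_send is not None and now - self.last_send >= self.IDLE_RESET
        if idle:
            # The congestion window has likely collapsed: start small again.
            self.bytes_sent = 0
        return self.LARGE if self.bytes_sent >= self.RAMP_BYTES else self.SMALL

    def record_sent(self, nbytes, now):
        """Account for a record of nbytes written at time `now`."""
        self.bytes_sent += nbytes
        self.last_send = now


def plan_records(sizer, payload_len, now):
    """Split payload_len bytes written at time `now` into record sizes."""
    sizes = []
    remaining = payload_len
    while remaining > 0:
        size = min(sizer.next_record_size(now), remaining)
        sizer.record_sent(size, now)
        sizes.append(size)
        remaining -= size
    return sizes


if __name__ == "__main__":
    sizer = DynamicRecordSizer()
    burst = plan_records(sizer, 1_100_000, now=0.0)
    print("small records:", burst.count(DynamicRecordSizer.SMALL))
    print("large records:", burst.count(DynamicRecordSizer.LARGE))
    print("after 0.5s idle:", sizer.next_record_size(0.5))
    print("after 1.5s idle:", sizer.next_record_size(1.5))
```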
31 Quick sanity check... theory is great, but does this all work in practice?
32 Tuning Nginx TLS Time To First Byte (TTTFB)
  Pre 1.5.7: bug for 4KB+ certs, resulting in 3RTT+ handshakes
  added ssl_buffer_size: 4KB record size
  remove an RTT with NPN and forward secrecy
  1RTT handshake
  https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/
33 Out of the box TLS performance is poor; we need to fix this. No server is perfect, plenty of work to be done to improve perf.
34 There is way too much red here. Bug your CDN about fixing this!
36 Getting ready for HTTP/2 (SPDY, same thing)... better perf and lower ops costs!
37 HTTP/2 and SPDY
  In practice, you need TLS to deploy SPDY & HTTP/2
  HTTP/2 uses a single connection to mux all requests to same origin

  Page load time improvement with SPDY enabled (improvement over HTTP/1.1 + TLS):

                     Google News   Google Sites   Google Drive   Google Maps
    Median           43%           27%            23%            24%
    95th percentile  44%           33%            36%            28%

38 Fewer connections means that...
  SPDY also has advantages on the server:
    SPDY requests consume less resources on the server
    SPDY requests consume less memory but a bit more CPU
    SPDY requires fewer Apache worker threads
  Hervé Servy, Neotys.
  s/spdy/http2/g same results.
39 An optimized TLS deployment should...
  Deliver 1-RTT handshake 100% of the time
    TLS False Start for new visitors
    TLS resumption for returning visitors
    Ensure that server is able to send full cert chain without blocking
    OCSP stapling to avoid blocking
  Optimize data delivery
    1. Optimize record size to avoid unnecessary buffering delays
    2. Leverage SPDY / HTTP/2 to further reduce latency and ops costs
       a. Leverage HTTP/2 optimizations: unshard, un-concat, etc
40 Thanks! Questions?
  Slides: bit.ly/fasttls
  Learn more: istlsfastyet.com
  +Ilya