HTTPS is Fast and Hassle-free with CloudFlare



Similar documents
White Paper. Enhancing Website Security with Algorithm Agility

SSL BEST PRACTICES OVERVIEW

Public Key Infrastructure (PKI)

Installation and usage of SSL certificates: Your guide to getting it right

SSL/TLS: The Ugly Truth

Maximizing Performance with SPDY & SSL. Billy Hoffman

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

You re FREE Guide SSL. (Secure Sockets Layer) webvisions

present the complete guide to ssl and seo

Using etoken for SSL Web Authentication. SSL V3.0 Overview

SSL Handshake Analysis

Overview. SSL Cryptography Overview CHAPTER 1

EXECUTIVE BRIEF. IT and Business Professionals Say Website Attacks are Persistent and Varied. In this Paper

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Is Your SSL Website and Mobile App Really Secure?

How To Encrypt Data With Encryption

Chapter 17. Transport-Level Security

Network Security Essentials Chapter 5

Chapter 7 Transport-Level Security

SSL Report: ebfl.srpskabanka.rs ( )

Security Engineering Part III Network Security. Security Protocols (I): SSL/TLS

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

, ) I Transport Layer Security

SSL Protect your users, start with yourself

[SMO-SFO-ICO-PE-046-GU-

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

2014 IBM Corporation

Integrated SSL Scanning

WEB Security & SET. Outline. Web Security Considerations. Web Security Considerations. Secure Socket Layer (SSL) and Transport Layer Security (TLS)

HTTPS Inspection with Cisco CWS

How To Use Quantum Rbs Inc. Small Business Backup

Extended SSL Certificates

OpenADR 2.0 Security. Jim Zuber, CTO QualityLogic, Inc.

CRYPTOGRAPHY IN NETWORK SECURITY


Security Protocols/Standards

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Configuring SSL Termination

Integrated SSL Scanning

Sync Security and Privacy Brief

How To Understand And Understand The Security Of A Key Infrastructure

HMRC Secure Electronic Transfer (SET)

SSL Server Rating Guide

Announcement. Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed.

A Comparison of Protocols for Device Management and Software Updates

User Guide Supplement. S/MIME Support Package for BlackBerry Smartphones BlackBerry Pearl 8100 Series

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Secure Socket Layer (SSL) and Transport Layer Security (TLS)

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

New CICS support for Secure Sockets Layer

The Secure Sockets Layer (SSL)

SSL A discussion of the Secure Socket Layer

QUIC. Quick UDP Internet Connections. Multiplexed Stream Transport over UDP. IETF-88 TSV Area Presentation

Personal Secure Certificate

Lab Exercise SSL/TLS. Objective. Requirements. Step 1: Capture a Trace

Transport Layer Security Protocols

Fast, Scalable And Secure Web Hosting For Entrepreneurs

White Paper. Securing and Integrating File Transfers Over the Internet

Lesson 10: Attacks to the SSL Protocol

Cornerstones of Security

Dashlane Security Whitepaper

BEGINNER S GUIDE TO SSL CERTIFICATES: Making the best choice when considering your online security options

beginners guide Beginners Guide Certificates the best decision when considering your online security options.

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

NIST Test Personal Identity Verification (PIV) Cards

BEGINNERS GUIDE BEGINNERS GUIDE TO SSL CERTIFICATES: MAKING THE BEST CHOICE WHEN CONSIDERING YOUR ONLINE SECURITY OPTIONS

Table of Contents. Chapter 1: Installing Endpoint Application Control. Chapter 2: Getting Support. Index

Spreed Keeps Online Meetings Secure. Online meeting controls and security mechanism.

Security Technical. Overview. BlackBerry Enterprise Server for Microsoft Exchange. Version: 5.0 Service Pack: 4

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

Web Security (SSL) Tecniche di Sicurezza dei Sistemi 1

Web Payment Security. A discussion of methods providing secure communication on the Internet. Zhao Huang Shahid Kahn

RemotelyAnywhere Getting Started Guide

Real-Time Communication Security: SSL/TLS. Guevara Noubir CSU610

OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES

Communication Systems SSL

SSL Certificates 101

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

Securing VMware View Communication Channels with SSL Certificates TECHNICAL WHITE PAPER

Understanding Digital Certificates and Secure Sockets Layer (SSL)

ERserver. iseries. Secure Sockets Layer (SSL)

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.14 Effective Date: September 9, 2015

Authentication Types. Password-based Authentication. Off-Line Password Guessing

Overview SSL/TLS HTTPS SSH. TLS Protocol Architecture TLS Handshake Protocol TLS Record Protocol. SSH Protocol Architecture SSH Transport Protocol

Beginner s Guide to SSL Certificates

BlackBerry Enterprise Server 5.0 SP3 and BlackBerry 7.1

ERserver. iseries. Securing applications with SSL

Cleaning Encrypted Traffic

Secure Use of the New NHS Network (N3): Good Practice Guidelines

Internet Engineering Task Force (IETF) Request for Comments: Category: Standards Track ISSN: A. Langley Google June 2015

Lecture 7: Transport Level Security SSL/TLS. Course Admin

Understanding Secure Shell Host Keys

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler

Web Security Considerations

Encryption, Data Integrity, Digital Certificates, and SSL. Developed by. Jerry Scott. SSL Primer-1-1

Transcription:

HTTPS is Fast and Hassle-free with CloudFlare 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com

In the past, organizations had to choose between performance and security when encrypting their web traffic. Even if they were willing to trade increased latency for higher security, operational difficulties limited broad adoption. This situation has changed. With recent developments in HTTPS technology, such as SPDY, sending requests over HTTPS can be faster than using regular HTTP. Also, the complicated operational issues associated with sending encrypted data can be handled by third parties like CloudFlare. It s time for enterprises to take another look at securing their web traffic. What Exactly is HTTPS? The Hypertext Transfer Protocol (HTTP) is the foundation for transferring data on the Internet, and HTTPS builds on this by adding Transport Layer Security (TLS), ensuring a reliable and secure way to send data over the Internet. Every new HTTPS connection requires a TLS handshake in order to prove the identity of the server and establish shared encryption keys. A TLS handshake does four things: It agrees on connection protocols and parameters, such as cryptographic and signature algorithms It authenticates the server, so users can be sure they are communicating with the intended party It generates a master encryption key that will be used to encrypt and decrypt data It verifies that none of the previous steps were modified by a third party Unfortunately, each of these steps requires that information be sent back and forth between the client and server, adding latency to HTTPS connections and noticeably slowing the initial page load. This degraded user experience is why many companies have steered away from using HTTPS for all of their website traffic. Lightning-fast HTTPS CloudFlare makes HTTPS connections lightning-fast by keeping up with the latest performance-enhancing features: ELLIPTIC CURVE CRYPTOGRAPHY Smaller certificates with smaller keys result in faster connection establishment. SPDY PROTOCOL SPDY enables faster-than-http download speeds with multiplexing, and is on by default for all customers. SPDY is the inspiration for the new HTTP/2 standard, which CloudFlare will support in the coming year. HTTPS SESSION RESUMPTION Connections to sites you have already visited are jump-started making connection times faster. OCSP STAPLING Allows browsers to quickly check if a TLS certificate is valid. GLOBALLY DISTRIBUTED NETWORK Reduces connection latency by shortening the distance information has to travel via our CDN. 2

Elliptic Curves The first part of the TLS handshake, authenticating servers and (optionally) clients, adds the most latency to an HTTPS connection of any steps.typically, authentication is done using RSA keys. RSA keys were the standard for years, but they ve run into some problems. As mathematicians have discovered new factoring techniques and computing power has continued to grow, cracking RSA keys has become easier and cheaper. The response has been to create larger, more secure keys. While this did improve security, it also increased latency for TLS handshakes because larger keys means that more data must be sent back and forth to authenticate a connection. CloudFlare is leading the industry in adopting the latest HTTPS key technology called Elliptic Curve Cryptography or ECC. ECC offers the same level of security as RSA, but with much smaller keys. The use of smaller ECC keys speeds up HTTPS in two ways: Smaller keys mean smaller certificates and less data to pass around to establish an HTTPS connection. Smaller keys have faster algorithms for generating signatures because the math involves smaller numbers. The graph below shows that a highly secure RSA key uses 3,248 bits, while an Elliptic Curve key of the same strength only requires 256 bits: Protection RSA keys ECC keys Short-term protection (10 years) 1,776 bits 192 bits Medium-term protection (20 years) 2,432 bits 224 bits Long-term protection (30 years) 3,248 bits 256 bits *From: http://www.ecrypt.eu.org/ecrypt2/documents/d.spa.20.pdf (pp. 30-31) SPDY SPDY is a protocol developed by Google to speed up web traffic. SPDY requires HTTPS, and CloudFlare utilizes it to speed up encrypted traffic. SPDY improves HTTPS performance through: MULTIPLEXING Standard HTTP requests need to make multiple TCP requests to retrieve all objects on a web page, and each new TCP connection adds latency to the request. With multiplexing, SPDY uses only one connection for all requests, greatly reducing latency. SMART DOWNLOAD ORDER: Objects are sent as they are ready, increasing performance by not holding up delivery because of one slow object. SPDY also allows servers to push data to browsers in anticipation of requests. HEADER COMPRESSION: By compressing request and response headers for HTTPS, common strings that appear in headers don t need to be sent across the network, and every byte not sent reduces bandwidth and increases performance. 3

CloudFlare s HTTPS Session Resumption Another way CloudFlare is speeding up HTTPS is with session resumption. Session resumption reduces the number of trips a TLS handshake needs to make by resuming a previously established session with a server using an abbreviated handshake. The performance gains of a reduced handshake can be seen in the following graph: 100 fresh handshakes 100 session resumptions 9.433 sec 4.212 sec 0 1 2 3 4 5 6 7 8 9 10 Time (seconds) OCSP Stapling One of the less frequently discussed but most significant performance hits to HTTPS is the OCSP/CRL check. To support secure connections over HTTPS, a website must have a TLS certificate. Unfortunately, these certificates can be stolen or compromised, and if that happens the Certificate Authority that issued the certificate can revoke it. To confirm that the certificate being used to set up an HTTPS connection is valid, browsers must check the status of that certificate with each new request using a Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP). A CRL is a list of all revoked certificates. By requesting an updated list, a browser can verify that the certificate being used is valid. OCSP, on the other hand, only checks the validity of the certificate being used rather than the entire list. This method is preferable to CRL because less data needs to be sent and parsed by the browser. Both of the CRL and OCSP security checks add latency to HTTPS request, but CloudFlare uses a technique called OCSP stapling to optimize this process. OCSP stapling reduces connection times by eliminating the need for browsers to check the revocation status of a certificate. While OCSP Stapling is a great way to increase HTTPS performance, it s not widely supported by web servers. 4

Part of the problem is that it often requires a significant technical investment by web administrators. While that investment may not make sense for many individual sites, CloudFlare is in a unique position to enable OCSP stapling for a large number of sites in one fell swoop. CloudFlare s Globally Distributed Network One of the easiest ways to reduce HTTPS latency is by moving servers closer to end users. CloudFlare s CDN ensures shorter distance between a web server and end users which speeds up the TLS handshake. For example, a TLS handshake taking place between a user in San Francisco and a server in London would have lots of latency because of the distance, but if the server is close to the visitor the latency is greatly reduced. TLS Handshake Without CloudFlare Visitor San Francisco Origin server London TLS Handshake With CloudFlare Visitor San Francisco CloudFlare San Jose Origin server London CloudFlare Handles HTTPS Operational Complexities Along with making HTTPS fast using the latest technology, CloudFlare also makes HTTPS easy to implement by taking care of many of the operational complexities associated with TLS certificates. One of the biggest hassles for companies wanting secure HTTPS traffic is dealing with TLS certificate and key management. Not only are TLS certificates expensive and time consuming to request, they can be difficult to install to secure traffic properly. With CloudFlare, you never have to worry about installing a certificate, and we take care of other issues as well: CREATING AND STORING KEYS Once authentication and encryption keys are generated, they need to be safeguarded. If a server holding TLS keys is compromised and your keys are stolen, hackers could impersonate your site and decrypt your traffic giving them access to sensitive data like credit card numbers, medical information, and passwords. To protect against this vulnerability, CloudFlare holds TLS keys in an encrypted data store. MULTIPLE CERTIFICATE AND KEY MANAGEMENT If you have more than one website running on HTTPS, then you will be managing multiple certificates and multiple keys. This can get confusing, and any mixups will create browser errors that may give your users pause, or cause them to abandon your site entirely. 5

CERTIFICATE EXPIRATION It s vital to keep track of when each TLS certificate expires. Expired certificate can cause system issues, and create a gap in security. CloudFlare keeps track of the certificates we have issued for our users and reissues them before they expire. If you already have your own certificate, you can simply upload it to CloudFlare, and we ll take care of the rest. Otherwise, we will automatically issue you a new certificate. CloudFlare s HTTPS is More Secure By keeping up with up with industry best practices as they evolve, CloudFlare ensures the highest standard for HTTPS security. When the POODLE vulnerability that targeted SSLv3 was announced, CloudFlare responded within an hour to disable SSLv3 by default across our entire network, keeping our customers protected from possible attacks. Deprecating RC4 Most recently, we ve deprecated RC4 and introduced the ChaCha/Poly1305 cipher suite. CloudFlare led the industry in doing away with RC4 and adopting the ChaCha/Poly to improve security and performance for mobile devices. To follow through with our mission to build a more secure web, we share our TLS configurations on GitHub and open-source our cryptographic contributions and cipher implementations. SHA-1 to SHA-2 migration We plan to migrate SHA 1 to SHA 2 as our default signature algorithm in the fall of 2015. The leading browser providers Google, Microsoft, and Mozilla previously announced they would start sunsetting the SHA 1 cryptographic signature algorithm because it no longer met their security requirements. In response to this announcement, CloudFlare will follow suit by serving the more secure SHA 2 certificates when we detect visitors browsers can support this new standard. But when they can t, CloudFlare will instead fall back to SHA1 because we are committed to supporting HTTPS in all browsers, regardless of device or geographic location. Extra Security with Keyless SSL CloudFlare offers an added layer of security to HTTPS with our Keyless SSL technology. Keyless SSL allows TLS keys to be stored on machines administered by our customers, ensuring that if there are regulatory restrictions on sharing private keys, CloudFlares encryption technology is still an option. The other customer benefit of Keyless SSL is that it lets sites use CloudFlare s HTTPS service while retaining on-premise custody of their private keys. This is a revolutionary solution for customers that have policies or technical obstacles preventing them from sharing their site s SSL key with CloudFlare. 6

1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com 2015 CloudFlare Inc. All rights reserved. The CloudFlare logo is a trademark of CloudFlare. All other company and product names may be trademarks of the respective companies with which they are associated.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information