HTTP/SPDY/SSL Sandwich
• SPDY encapsulates HTTP requests
  – Single multiplexed stream
• Transmits contents over SSL channel

Today’s Focus
• Setting the Stage for SPDY
  – Can speak SSL with a server
  – Can create a valid SSL connection
  – Client and Server agree to use SPDY
• Optimizing SPDY
  – Optimizing SSL
  – Optimizing SPDY
  – Avoiding optimizations that hurt SPDY
• Tools to help

False Start: Not Gone
• “The Failure of False Start”
• Chrome still does it!
  – Desktop and mobile
• Any server that supports NPN! (with forward secure)
  – Any server with SPDY support…
  – Or SSL + NPN, but only announces HTTP/1.1!

SPDY Optimization
• SPDY only works over SSL
• Ensure that all your traffic is over SSL
• HTTP 301 redirect for http: to https:
  – Add a cache-control header!
• HTTP Strict Transport Security (HSTS)
  – Like the browser’s cache, but for protocol access. Make (semi) far future
  – Wide support (>90% of SPDY capable browsers)

SSL/SPDY Optimization Check List
• Website responds over SSL/443
• Website has NPN extension (even without SPDY for False Start)
• X.509 certificate is valid
• X.509 chain is short
• SSL Asymmetric keys are <= 2048
• Cipher is RC4 (or AES-128 if supports dedicated instructions)

SSL/SPDY Optimization Check List
• SSL session resumption is enabled (both identifiers and tickets)
• No SSL compression
• Website is using latest version of SPDY
• HTTP permanently (301) redirects to HTTPS (including cache header)
• HTTPS sends HTTP Strict Transport Security header

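The HTTP-layer items of the checklist (the cached 301 redirect and the HSTS header) can be verified mechanically. The following is an added example, not part of the original slides; the host example.test, the sample responses and the 180-day HSTS threshold are assumptions made for illustration.

```python
# Added example: checks the HTTP-layer checklist items against
# constructed response data (no network access needed).
from urllib.parse import urlsplit

MIN_HSTS_AGE = 180 * 24 * 3600  # assumed threshold for "(semi) far future"


def parse_directives(value):
    """Split 'a=1; b' or 'a=1, b' style header values into a lowercase dict."""
    out = {}
    for part in value.replace(",", ";").split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = arg.strip().strip('"')
    return out


def audit(host, http_resp, https_resp):
    """Each response is (status, headers dict). Returns a list of failed items."""
    failures = []
    status, hdrs = http_resp[0], {k.lower(): v for k, v in http_resp[1].items()}
    target = urlsplit(hdrs.get("location", ""))
    if status != 301:
        failures.append("http: must answer 301, got %d" % status)
    if target.scheme != "https" or target.hostname != host:
        failures.append("redirect must point at https://%s" % host)
    cache = parse_directives(hdrs.get("cache-control", ""))
    if not cache.get("max-age", "").isdigit() or int(cache["max-age"]) == 0:
        failures.append("301 lacks a cacheable Cache-Control max-age")
    shdrs = {k.lower(): v for k, v in https_resp[1].items()}
    hsts = parse_directives(shdrs.get("strict-transport-security", ""))
    age = hsts.get("max-age", "")
    if not age.isdigit():
        failures.append("https: response lacks a valid HSTS max-age")
    elif int(age) < MIN_HSTS_AGE:
        failures.append("HSTS max-age %s is below %d" % (age, MIN_HSTS_AGE))
    return failures


# Constructed sample responses for the placeholder host example.test
GOOD = ((301, {"Location": "https://example.test/", "Cache-Control": "max-age=31536000"}),
        (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
BAD = ((302, {"Location": "http://example.test/home"}),
       (200, {"Strict-Transport-Security": "max-age=300"}))

if __name__ == "__main__":
    for name, (plain, tls) in (("good", GOOD), ("bad", BAD)):
        print(name, audit("example.test", plain, tls) or "all HTTP-layer checks pass")
```
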
Great Resources
• Ivan Ristic (blog.ivanristic.com)
• Adam Langley (www.imperialviolet.org)
• Mark Nottingham (www.mnot.net/blog/)
• Qualys SSL Labs (ssllabs.com)
• SPDYCheck (spdycheck.org)