Maximizing Performance with SPDY and SSL

Billy Hoffman from Zoompf shows how to improve the performance of your website using SPDY and SSL

Published in: Technology, Education

  1. Maximizing Performance with SPDY & SSL
     Billy Hoffman, billy@zoompf.com, @zoompf
  2. What is SPDY?
  3. Massive Browser Support
  4. Massive Server Support
  5. Cast of Characters
     • TCP
     • HTTP
     • SSL
     • X.509 Certificate
     • Cryptography (asymmetric & symmetric)
     • SPDY
  6. HTTP/HTTPS
  7. HTTP/SPDY/SSL Sandwich
     • SPDY encapsulates HTTP requests
       – Single multiplexed stream
     • Transmits contents over SSL channel
  8. Today’s Focus
     • Setting the Stage for SPDY
       – Can speak SSL with a server
       – Can create a valid SSL connection
       – Client and server agree to use SPDY
     • Optimizing SPDY
       – Optimizing SSL
       – Optimizing SPDY
       – Avoiding optimizations that hurt SPDY
     • Tools to help
  9. SETTING THE STAGE FOR SPDY
  10. SSL Connectivity
     • Hostname resolves
     • IP is reachable
     • Web server is listening on SSL port
     • Web server understands SSL
     • Web server knows which site you want
       – Shared hosting and SNI
  11. Listener on 443 is speaking SSL?
  12. Creating a Valid SSL Connection
     • Agreement on crypto algorithms
     • X.509 certificate is valid
  13. X.509 Cert: Correct Domain?
  14. X.509 Cert: Valid Time Period?
  15. X.509 Cert: Is it Trusted?
  16. X.509 Cert: Is it Trusted?
     • Do I trust the issuer?
       – If not, was it signed by someone I trust?
     • Has it been revoked?
       – CRL lists
       – Online Certificate Status Protocol (OCSP)
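The two certificate questions on slides 13 and 14 (correct domain? valid time period?), as an added example that is not part of the deck: the checks run over a dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns, so they can be applied to a live connection, while the constructed `SAMPLE_CERT` below uses made-up names and dates. Trust and revocation (slides 15 and 16) are left to the TLS library's chain verification and are not re-implemented here.

```python
import ssl
import time

# Constructed certificate in the dict shape ssl.SSLSocket.getpeercert() returns;
# the names and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example Intermediate CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.static.example.com")),
    "notBefore": "Jan  1 00:00:00 2013 GMT",
    "notAfter": "Dec 31 23:59:59 2014 GMT",
}


def _name_matches(pattern, hostname):
    """RFC 6125 style comparison: a wildcard covers exactly one leftmost label, so
    *.static.example.com matches img.static.example.com but not a.b.static.example.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".static.example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def cert_matches_hostname(cert, hostname):
    """Slide 13 (correct domain?): subjectAltName DNS entries are authoritative;
    the subject CN is consulted only when the certificate has no SAN at all."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_name_matches(san, hostname) for san in sans)
    cns = [value for rdn in cert.get("subject", ()) for kind, value in rdn if kind == "commonName"]
    return any(_name_matches(cn, hostname) for cn in cns)


def cert_validity(cert, now=None):
    """Slide 14 (valid time period?): is `now` inside [notBefore, notAfter]?
    Returns (ok, reason); `now` is a Unix timestamp and defaults to the current time."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])   # stdlib parser for this format
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        return False, "not yet valid"
    if now > not_after:
        return False, "expired"
    return True, "valid for %d more days" % ((not_after - now) // 86400)
```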
  17. Agreeing to Use SPDY
     • Client tells server it supports SPDY
     • Server tells client it supports SPDY
     • Client sends SPDY over SSL
     • Else, falls back to HTTP over SSL
  18. SSL Handshake
     (Diagram: Microsoft Technet, How TLS/SSL Works, http://bit.ly/16Zx0en)
  19. Announcing SPDY Support in the SSL Handshake
     (Diagram: Microsoft Technet, How TLS/SSL Works, http://bit.ly/16Zx0en, annotated: + Ext:13172/ALPN, + NPN/ALPN, + Ext:13172/ALPN)
  20. ClientHello with Extension 13172
  21. ServerHello with NPN
  22. Review: Speaking SPDY
     • Client resolves and connects to SSL port
     • Client announces SPDY support inside ClientHello
     • Server announces SPDY support in ServerHello
     • Client validates X.509 cert, finalizes SSL connection
     • SPDY conversation happens
  23. OPTIMIZING SSL/SPDY
  24. The SSL Tarpits
     • SSL handshake requires 2 round trips
     • Certificates can be large
     • Certificates need to be validated
     • Keys can be too large
     • Algorithms can be slow
  25. The SSL Handshake is Costly!
     (Diagram: Microsoft Technet, How TLS/SSL Works, http://bit.ly/16Zx0en)
  26. Resume SSL Session
     • Avoid regenerating keys
     • Avoid unneeded trips
     • 2 methods
     (Diagram: Microsoft Technet, How TLS/SSL Works, http://bit.ly/16Zx0en)
  27. Session Identifiers
     • Both sides keep state/cache
     • Reuse based on id
     • Widely supported
     (Diagram: Microsoft Technet, How TLS/SSL Works, http://bit.ly/16Zx0en, annotated: "sessionid: 3a8a…"; server keeps a big cache of all ids given out and the associated keys/ciphers)
  28. Session Tickets
     • Client stores “Magic Ticket”
     • RFC 5077, optional
     • No IIS support
     (Diagram: Microsoft Technet, How TLS/SSL Works, http://bit.ly/16Zx0en, annotated: ticket is an encrypted summary of keys/ciphers, signed by the server; server verifies the summary is valid and uses its values)
  29. SSL False Start
  30. False Start: Not Gone
     • “The Failure of False Start”
     • Chrome still does it!
       – Desktop and mobile
     • Any server that supports NPN! (with forward secrecy)
       – Any server with SPDY support…
       – Or SSL + NPN, but only announces HTTP/1.1!
  31. Minimize the Certificate Chain
  32. OCSP Validation Causes Delays
  33. OCSP Stapling
     • Good in theory, bad in practice
     • Browsers are moving away from OCSP
  34. Oversized Asymmetric Keys
     • 1024 is fine
     • 2048 for banks
     • Anything more is overkill
  35. Cipher Order/Choice Matters
     • RC4 is the best
     • Unless on a machine with AES-NI
       – Intel i7, Xeons, some AMD
       – Not most virtual machines!!!
     • First match wins
     http://zombe.es/post/4078724716
  36. Is SSL Really Helping You?
     • SSL doesn’t “secure” your website
       – Prevents eavesdropping, tampering
       – Not XSS, CSRF, SQL injection, unpatched/out-of-date software, RCE, LFI, etc.
     • Consider: NULL-MD5, NULL-SHA
       – SSL with no encryption
  37. “Does this really matter?”
     • Seriously?
     • 1024 more bytes in key?
     • 2 more kilobytes in the X.509 cert?
     • Accidentally using AES-256?
     • Really?
  38. “Does this really matter?”
  39. SPDY Optimization
     • SPDY only works over SSL
     • Ensure that all your traffic is over SSL
     • HTTP 301 redirect from http: to https:
       – Add a Cache-Control header!
     • HTTP Strict Transport Security (HSTS)
       – Like the browser’s cache, but for protocol access. Make it (semi) far future
       – Wide support (>90% of SPDY-capable browsers)
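The two HTTP-side items on slide 39 (a cacheable 301 from http: to https:, and an HSTS header with a far-future lifetime) and the matching lines of the checklist on slides 45 and 46, as an added example that is not from the deck: it checks constructed response headers, not live traffic, and the 180-day HSTS threshold is an assumption, since the slides give no number.

```python
import re

# Constructed responses (status line plus headers), not captured from any real site.
HTTP_REDIRECT = """HTTP/1.1 301 Moved Permanently
Location: https://www.example.com/
Cache-Control: public, max-age=31536000
"""
HTTPS_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15552000; includeSubDomains
"""
# Assumed threshold for a "(semi) far future" HSTS lifetime: 180 days.
HSTS_MIN_SECONDS = 180 * 86400


def parse_response(raw):
    """Split a raw HTTP response into (status_code, {lowercased header name: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_http_redirect(raw):
    """The http: response must be a permanent (301) redirect to https:// and carry a
    Cache-Control max-age so the browser stops asking over plain HTTP. Returns problems."""
    status, h = parse_response(raw)
    problems = []
    if status != 301:
        problems.append("status %d, expected 301" % status)
    if not h.get("location", "").lower().startswith("https://"):
        problems.append("Location is not https://")
    if "max-age=" not in h.get("cache-control", "").lower():
        problems.append("redirect has no Cache-Control max-age")
    return problems


def check_hsts(raw):
    """The https: response must carry Strict-Transport-Security with a long enough max-age."""
    _, h = parse_response(raw)
    hsts = h.get("strict-transport-security")
    if hsts is None:
        return ["no Strict-Transport-Security header"]
    match = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.IGNORECASE)
    if not match:
        return ["HSTS header has no max-age"]
    if int(match.group(1)) < HSTS_MIN_SECONDS:
        return ["HSTS max-age %s is shorter than %d" % (match.group(1), HSTS_MIN_SECONDS)]
    return []
```

An empty list from both checks means the http: and https: responses satisfy the slide's two requirements.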
  40. Avoid These Optimizations
     • Domain Sharding
       – Hack to approximate request multiplexing; not needed
       – Hurts SPDY by spreading requests out
     • JavaScript CDNs
       – These are a horrible blight on the web!
       – http://statichtml.com/2011/google-ajax-libraries-caching.html
       – https://github.com/h5bp/html5-boilerplate/pull/1327
  41. TOOLS
  42. SSL Labs
  43. SPDYCheck.org
  44. Now on GitHub, GPL licensed!
  45. SSL/SPDY Optimization Check List
     • Website responds over SSL/443
     • Website has NPN extension (even without SPDY, for False Start)
     • X.509 certificate is valid
     • X.509 chain is short
     • SSL asymmetric keys are <= 2048
     • Cipher is RC4 (or AES-128 if the hardware supports dedicated instructions)
  46. SSL/SPDY Optimization Check List
     • SSL session resumption is enabled (both identifiers and tickets)
     • No SSL compression
     • Website is using latest version of SPDY
     • HTTP permanently (301) redirects to HTTPS (including cache header)
     • HTTPS sends HTTP Strict Transport Security header
  47. Great Resources
     • Ivan Ristic (blog.ivanristic.com)
     • Adam Langley (www.imperialviolet.org)
     • Mark Nottingham (www.mnot.net/blog/)
     • Qualys SSL Labs (ssllabs.com)
     • SPDYCheck (spdycheck.org)
  48. Free Performance Assessment
     zoompf.com/free
  49. Maximizing Performance with SPDY & SSL
     Billy Hoffman, billy@zoompf.com, @zoompf