Maximizing Performance with SPDY & SSL
What is SPDY?
Massive Browser Support
Massive Server Support
Cast of Characters
• TCP
• HTTP
• SSL
• X.509 Certificate
• Cryptography (asymmetric & symmetric)
• SPDY
HTTP/HTTPS
HTTP/SPDY/SSL Sandwich
• SPDY encapsulates HTTP requests
– Single multiplexed stream
• Transmits contents over SSL channel
Today’s Focus
• Setting the Stage for SPDY
– Can speak SSL with a server
– Can create a valid SSL connection
– Client and Server agree to use SPDY
• Optimizing SPDY
– Optimizing SSL
– Optimizing SPDY
– Avoiding optimizations that hurt SPDY
• Tools to help
SETTING THE STAGE FOR SPDY
SSL Connectivity
• Hostname resolves
• IP is reachable
• Web server is listening on SSL port
• Web server understands SSL
• Web server knows which site you want
– Shared Hosting and SNI
Listener on 443 is speaking SSL?
Creating a Valid SSL connection
• Agreement on crypto algorithms
• X.509 certificate is valid
X.509 Cert: Correct Domain?
X.509 Cert: Valid Time Period?
X.509 Cert: Is it Trusted?
X.509 Cert: Is it Trusted?
• Do I trust the issuer?
– If not, was it signed by someone I trust?
• Has it been revoked?
– CRL lists
– Online Certificate Status Protocol (OCSP)
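The three X.509 checks on the preceding slides (correct domain, valid time period, trusted issuer) as a client would run them, written as an added example for this transcript rather than code from the talk. The certificate is a constructed sample in the dict shape Python's `ssl.getpeercert()` returns, and the chain and trust store are constructed stand-ins (a real client walks the certificate chain the server sent and its OS root store). The revocation check (CRL/OCSP) needs a network fetch and is deliberately left out.

```python
import ssl
import time

# Constructed sample certificate in the dict shape ssl.getpeercert() returns;
# not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example Intermediate CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.cdn.example.com")),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}

# Constructed stand-in for the chain: issuer name -> its own issuer
# (None means the name signed itself, i.e. it is a root).
SAMPLE_CHAIN = {"Example Intermediate CA": "Example Root CA", "Example Root CA": None}
TRUSTED_ROOTS = {"Example Root CA"}   # constructed stand-in for the OS root store


def _common_name(rdn_sequence):
    """Pull the commonName out of a getpeercert()-style subject/issuer tuple."""
    for rdn in rdn_sequence:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def hostname_matches(cert, hostname):
    """'Correct Domain?': hostname must match a DNS SAN (CN only as legacy fallback).
    A wildcard is honoured only as the whole left-most label (RFC 6125 rules)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        cn = _common_name(cert.get("subject", ()))
        names = [cn] if cn else []
    host = hostname.lower().split(".")
    for name in names:
        pat = name.lower().split(".")
        if len(pat) != len(host) or any("*" in p for p in pat[1:]):
            continue
        if pat[0] != "*" and "*" in pat[0]:
            continue  # partial wildcards such as f*o are not accepted
        if all(p == "*" or p == h for p, h in zip(pat, host)):
            return True
    return False


def within_validity(cert, now=None):
    """'Valid Time Period?': notBefore <= now <= notAfter (times in UTC seconds)."""
    now = time.time() if now is None else now
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return start <= now <= end


def chains_to_trusted_root(cert, chain, trusted_roots):
    """'Is it Trusted?': follow issuer -> issuer until a trusted root, or give up
    when an issuer is unknown or the chain loops."""
    issuer = _common_name(cert.get("issuer", ()))
    seen = set()
    while issuer is not None and issuer not in seen:
        if issuer in trusted_roots:
            return True
        seen.add(issuer)
        issuer = chain.get(issuer)   # None when the issuer is not in the chain
    return False


def validate(cert, hostname, chain, trusted_roots, now=None):
    """Return the names of the failed checks; an empty list means the cert passed."""
    failures = []
    if not hostname_matches(cert, hostname):
        failures.append("hostname")
    if not within_validity(cert, now):
        failures.append("validity")
    if not chains_to_trusted_root(cert, chain, trusted_roots):
        failures.append("trust")
    return failures


if __name__ == "__main__":
    print(validate(SAMPLE_CERT, "www.example.com", SAMPLE_CHAIN, TRUSTED_ROOTS))
```

Every check returns a plain boolean so a failing connection can be reported with the specific reason, which is what the slides' troubleshooting order calls for: a wrong name, an expired cert and an untrusted issuer are three different fixes.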
Agreeing to Use SPDY
• Client tells server it supports SPDY
• Server tells client it supports SPDY
• Client sends SPDY over SSL
• Else, falls back to HTTP over SSL
SSL Handshake
Microsoft TechNet: How TLS/SSL Works http://bit.ly/16Zx0en
Announcing SPDY support in the SSL Handshake
(Handshake diagram annotated: the ClientHello carries extension 13172 (NPN) or ALPN, and the ServerHello answers with NPN/ALPN.)
ClientHello with Extension 13172
ServerHello with NPN
Review: Speaking SPDY
• Client resolves and connects to SSL port
• Client announces SPDY support inside ClientHello
• Server announces SPDY support in ServerHello
• Client validates X.509 cert, finalizes SSL connection
• SPDY conversation happens
OPTIMIZING SSL/SPDY
The SSL Tarpits
• SSL handshake requires 2 round trips
• Certificates can be large
• Certificates need to be validated
• Keys can be too large
• Algorithms can be slow
The SSL Handshake is Costly!
Resume SSL Session
• Avoid regenerating keys
• Avoid unneeded trips
• 2 methods
Session Identifiers
• Both sides keep state/cache
• Reuse based on id
• Widely supported
(Diagram: sessionid: 3a8a…; the server keeps a big cache of all ids given out and the associated keys/ciphers.)
Session Tickets
• Client stores “Magic Ticket”
• RFC 5077, optional
• No IIS support
(Diagram: the ticket is an encrypted summary of keys/ciphers, signed by the server; on resumption the server verifies the summary is valid and uses its values.)
SSL False Start
False Start: Not Gone
• “The Failure of False Start”
• Chrome still does it!
– Desktop and mobile
• Any server that supports NPN! (with forward secrecy)
– Any server with SPDY support…
– Or SSL + NPN, but only announces HTTP/1.1!
Minimize the Certificate Chain
OCSP Validation causes delays
OCSP Stapling
• Good in theory, bad in practice
• Browsers are moving away from OCSP
Oversized Asymmetric Keys
• 1024 is fine
• 2048 for banks
• Anything more is overkill
Cipher Order/Choice Matters
• RC4 is the best
• Unless on a machine with AES-NI
– Intel i7, Xeons, some AMD
– Not most virtual machines!!!
• First match wins
http://zombe.es/post/4078724716
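The slide's two rules, "prefer AES-128 only where the CPU has AES-NI" and "first match wins", as an added example that is not code from the talk. The `/proc/cpuinfo` excerpts are constructed samples; the cipher names are OpenSSL's. `negotiate` models what a server does when it honours its own order (OpenSSL's `SSL_OP_CIPHER_SERVER_PREFERENCE`) versus the client's. The RC4-first branch reproduces the slide's advice as stated; RFC 7465 has since prohibited RC4 in TLS, so treat that branch as historical.

```python
# Constructed excerpts of /proc/cpuinfo, not captured from a real machine.
CPUINFO_WITH_AESNI = "flags\t\t: fpu vme de pse tsc msr sse sse2 ssse3 aes avx\n"
CPUINFO_WITHOUT_AESNI = "flags\t\t: fpu vme de pse tsc msr sse sse2 ssse3\n"


def has_aes_ni(cpuinfo_text):
    """True when the 'aes' flag appears in a flags line (AES-NI available).
    On a VM the flag is often missing even if the host CPU has it, which is the
    slide's 'not most virtual machines' point."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            flags = line.split(":", 1)[1].split()
            return "aes" in flags
    return False


def read_cpuinfo(path="/proc/cpuinfo"):
    """Read the real file where it exists (Linux); empty string elsewhere."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return ""


def server_cipher_order(aes_ni):
    """Slide's rule: AES-128 first on AES-NI hardware, otherwise RC4 first.
    Order matters because the first entry the client also offers is selected."""
    if aes_ni:
        return [
            "ECDHE-RSA-AES128-GCM-SHA256",
            "ECDHE-RSA-AES128-SHA",
            "AES128-SHA",
            "RC4-SHA",
        ]
    return ["ECDHE-RSA-RC4-SHA", "RC4-SHA", "AES128-SHA"]


def negotiate(server_order, client_offer, honor_server_order=True):
    """Return the cipher selected for a handshake, or None if nothing overlaps.

    With server preference on, the first cipher in server_order that the client
    also offers wins; with it off, the first cipher in the client's offer that the
    server supports wins. Either way it is 'first match wins'."""
    if honor_server_order:
        first, second = server_order, client_offer
    else:
        first, second = client_offer, server_order
    for cipher in first:
        if cipher in second:
            return cipher
    return None


if __name__ == "__main__":
    order = server_cipher_order(has_aes_ni(read_cpuinfo()))
    print(order, negotiate(order, ["RC4-SHA", "AES128-SHA"]))
```

The practical lesson is in the `honor_server_order` flag: without server preference, a client that lists AES first gets AES even on a box the operator tuned for RC4, so the slide's "first match wins" is only under the server's control when server preference is switched on.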
Is SSL really helping you?
• SSL doesn’t “secure” your website
– Prevents eavesdropping, tampering
– Not XSS, CSRF, SQL Injection, unpatched/out-of-date software, RCE, LFI, etc.
• Consider: NULL-MD5, NULL-SHA
• SSL with no encryption
“Does this really matter?”
• Seriously?
• 1024 more bytes in key?
• 2 more kilobytes in the X.509 cert?
• Accidentally using AES-256?
• Really?
“Does this really matter?”
SPDY Optimization
• SPDY only works over SSL
• Ensure that all your traffic is over SSL
• HTTP 301 redirect for http: to https:
– Add a cache-control header!
• HTTP Strict Transport Security (HSTS)
– Like the browser’s cache, but for protocol access. Make it (semi) far future
– Wide support (>90% of SPDY-capable browsers)
Avoid These Optimizations
• Domain Sharding
– Hack to get request multiplexing; not needed
– Hurts SPDY by spreading requests out
• JavaScript CDNs
– These are a horrible blight on the web!
– http://statichtml.com/2011/google-ajax-libraries-caching.html
– https://github.com/h5bp/html5-boilerplate/pull/1327
TOOLS
SSL Labs
SPDYCheck.org
Now on GitHub, GPL licensed!
SSL/SPDY Optimization Check List
• Website responds over SSL/443
• Website has NPN extension (even without SPDY, for False Start)
• X.509 certificate is valid
• X.509 chain is short
• SSL asymmetric keys are <= 2048
• Cipher is RC4 (or AES-128 if the CPU supports dedicated instructions)
SSL/SPDY Optimization Check List
• SSL session resumption is enabled (both identifiers and tickets)
• No SSL compression
• Website is using latest version of SPDY
• HTTP permanently (301) redirects to HTTPS (including cache header)
• HTTPS sends HTTP Strict Transport Security header
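The last two checklist items, and the "SPDY Optimization" slide they summarise (301 redirect with a cache header, then HSTS), as an added example that is not code from the talk or from SPDYCheck. `redirect_to_https` builds the response the http: listener should send and `hsts_header` the value the https: side should add; the two `check_*` functions then grade captured response headers the way the checklist does. The 30-day floor on the HSTS `max-age` is an assumed threshold for the checker, not a figure from the slides; the one-year default follows the slide's "(semi) far future".

```python
import re
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000          # seconds; the "(semi) far future" the slide asks for
MIN_HSTS_AGE = 30 * 86400    # assumed floor used by the checker, not a value from the slides


def redirect_to_https(url, cache_seconds=ONE_YEAR):
    """Build the http: -> https: redirect: status 301 plus Cache-Control so the
    browser caches the redirect instead of asking again. Returns (status, headers).
    The fragment is dropped because browsers never send it to the server."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError("only http: URLs are redirected")
    target = urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))
    headers = {
        "Location": target,
        "Cache-Control": "public, max-age=%d" % cache_seconds,
    }
    return 301, headers


def hsts_header(max_age=ONE_YEAR, include_subdomains=True):
    """Value for the Strict-Transport-Security header the https: side must send."""
    value = "max-age=%d" % max_age
    if include_subdomains:
        value += "; includeSubDomains"
    return value


def _lower_headers(headers):
    # Header names are case-insensitive; normalise before looking anything up.
    return {k.lower(): v for k, v in headers.items()}


def _max_age(header_value):
    """Parse max-age=N out of a Cache-Control (comma-separated) or HSTS
    (semicolon-separated) value; None when the directive is absent."""
    for directive in re.split(r"[;,]", header_value):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and number.strip().isdigit():
            return int(number.strip())
    return None


def check_http_response(status, headers):
    """Checklist: 'HTTP permanently (301) redirects to HTTPS (including cache header)'.
    Returns the list of failed sub-checks; empty means the item passes."""
    h = _lower_headers(headers)
    failures = []
    if status != 301:
        failures.append("status")
    if not h.get("location", "").startswith("https://"):
        failures.append("location")
    if _max_age(h.get("cache-control", "")) is None:
        failures.append("cache-control")
    return failures


def check_https_response(headers):
    """Checklist: 'HTTPS sends HTTP Strict Transport Security header', and its
    max-age is far enough in the future to be worth anything."""
    h = _lower_headers(headers)
    if "strict-transport-security" not in h:
        return ["hsts"]
    age = _max_age(h["strict-transport-security"])
    if age is None or age < MIN_HSTS_AGE:
        return ["hsts-max-age"]
    return []


if __name__ == "__main__":
    status, headers = redirect_to_https("http://www.example.com/a?b=1#frag")
    print(status, headers, check_http_response(status, headers))
    print(check_https_response({"Strict-Transport-Security": hsts_header()}))
```

A 302 with no cache header passes a casual browser test but fails both sub-checks here, which is exactly the case the slide warns about: the browser keeps returning to http: on every visit instead of remembering the move.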
Great Resources
• Ivan Ristic (blog.ivanristic.com)
• Adam Langley (www.imperialviolet.org)
• Mark Nottingham (www.mnot.net/blog/)
• Qualys SSL Labs (ssllabs.com)
• SPDYCheck (spdycheck.org)
Free Performance Assessment zoompf.com/free