TLS deployment in big environments

Eldar Zaitov

Transport Layer Security

› HTTP / SPDY › IMAP › POP3 › SMTP › XMPP › Whatever

TLS termination options

│ 3rdparty TLS termination › Amazon ELB, Cloudflare, etc

│ Hardware Load Balancers › F5 BigIP, etc

│ Software TLS terminators › Nginx, HAProxy, Bud, etc

Unification

› Apache › Lighttpd › Nginx › HAProxy › SEPE Balancer › Erlang › Jetty › Mail Servers

Unification

› Nginx › SEPE Balancer › Erlang › Mail servers !

› OpenSSL 1.0.1+ / 1.0.2

TLS Server Certificate options

› Extended Validation / Domain Validation / etc

› RSA / DSA / ECDSA

› MD5 / SHA1 / SHA256

› Certificate Authority

Certificate Authority

issuer

verifies

x

Site certificate

Intermediate certificate

Root CA certificate

Owner’s Name

Owner’s Public key

Issuer’s (CA) Name

Issuer’s Signature

Owner’s Name

Owner’s Public key

Issuer’s (CA) Name

Issuer’s Signature

Root Name

Root Public key

Root Signature

issuer

verifies

verifies

CA Certificate options

› RSA / DSA / ECDSA

› MD5 / SHA1 / SHA256

› OS support

› Origin Country

Certificate Authority options

› Go buy a certificate manually

› Own an Intermediate CA

› MPKI

Security vs Performance

› HTTPS can lead to latency overheads up to 4 RTT › Properly configured HTTPS should not add more than 1 RTT

Client Server

Client Hello

Server HelloCertificate(Certificate status)

100 ms

200 ms

150 ms

250 + X ms

300 + X ms

Server key exchangeServer Hello DoneClient Key Exchange

Change Cipher SpecFinished

GET / HTTP/1.0

Change Cipher Spec(New session ticket)Finished

Early termination / CDN

Early termination / CDN

Certificate status

› Certificate Revocation List › Online Certificate Status Protocol

Certificate status browser behavior

› Chromium – CRLsets, OCSP for EV › Firefox – OCSP › IE – CRL + OCSP › Opera – CRL + OCSP

!

All of them accept Stapled OCSP responses

Certificate status

› OCSP stapling › Short-Lived certs › CDN for OCSP, CRL

Perfect Forward Secrecy

!

Server Client

K = B mod p a K = A mod p b

gp

SA = g mod p a b

!B = g mod p

ba

PFS performance penalties

~3200 ECDHE-RSA-AES128-GCM-SHA256 handshakes per second on Xeon 5645 with Nginx

PFS bright side/ TLS False Start

Client Server

Client Hello

Server HelloCertificate(Certificate status)

100 ms

200 ms

150 ms

Server key exchangeServer Hello DoneClient Key Exchange

Change Cipher SpecFinished

GET / HTTP/1.0

Change Cipher Spec(New session ticket)Finished

HTTP/1.0 200 OK

PFS performance penalties / solutions

› Keep-alive

› SPDY

› TLS Session Reuse

› Elliptic Curve Cryptography

SPDY

HTTP SPDY

Browser 3 connections 3 handshakes

Server Browser 1 connection 1 handshake

Server

TLS Session Reuse

Client Hello

Server Hello

100 ms

200 ms

150 ms

GET / HTTP/1.0

Change Cipher Spec(New session ticket)Finished

Client Server

Change Cipher SpecFinished

250 ms

TLS Session Reuse (Session IDs)

Client Hello

Client random

Ciphers

Session ID

Session key

Session ID

Key

Key

Key

ServerClient│Session IDs

RFC 5246

› Stateful

› SSL 3.0+

TLS Session Reuse (Session Tickets)

Client Hello

Ciphers

Random

TLS Ticket

TLS Ticket

Key ID

IV

Enc. State

MAC

Ticket key

Session key

ServerClient│Session Tickets

RFC 5077

› Stateless

› TLS 1.0+

* Only Firefox and Chromium

Elliptic Curve Cryptography

› ECDHE vs EDH

› ECC certificates

~6300 ECDHE-ECDSA-AES128-GCM-SHA256 handshakes per second on Xeon 5645 with Nginx

* No ECDSA support in Windows XP < SP3

SHA-1 sunsetting

│No SHA-256 support in Windows XP < SP3

ECC and RSA / Dual certs

› ECC + SHA-256 for modern clients

› RSA + SHA-1 for old clients

Content Security Policy for mixed content detection

│Content-Security-Policy-Report-Only: default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report

Secure Cookies

│Set-Cookie: session=124567; HttpOnly; Secure;

HTTP Strict Transport Security

│Strict-Transport-Security: max-age=31536000; includeSubdomains;

Fix website URL in Yandex.Webmaster

│ Yandex Spider supports most modern ciphers and protocols

Configure HTTPS properly

› TLS 1.2 › PFS with AEAD ciphers › ECC for key exchange and certificates › Session Resumption › Secure Cookies › Strict Transport Security

Thank you for your attention!Questions?

Contacts

ezaitov@yandex-team.ru

kyprizel

Eldar Zaitov