Upload
yandex
View
90
Download
6
Tags:
Embed Size (px)
DESCRIPTION
Как мы делали TLS в Яндексе
Citation preview
TLS deployment in big environments
Eldar Zaitov
Transport Layer Security
› HTTP / SPDY › IMAP › POP3 › SMTP › XMPP › Whatever
TLS termination options
│ 3rdparty TLS termination › Amazon ELB, Cloudflare, etc
│ Hardware Load Balancers › F5 BigIP, etc
│ Software TLS terminators › Nginx, HAProxy, Bud, etc
Unification
› Apache › Lighttpd › Nginx › HAProxy › SEPE Balancer › Erlang › Jetty › Mail Servers
Unification
› Nginx › SEPE Balancer › Erlang › Mail servers !
› OpenSSL 1.0.1+ / 1.0.2
TLS Server Certificate options
› Extended Validation / Domain Validation / etc
› RSA / DSA / ECDSA
› MD5 / SHA1 / SHA256
› Certificate Authority
Certificate Authority
issuer
verifies
x
Site certificate
Intermediate certificate
Root CA certificate
Owner’s Name
Owner’s Public key
Issuer’s (CA) Name
Issuer’s Signature
Owner’s Name
Owner’s Public key
Issuer’s (CA) Name
Issuer’s Signature
Root Name
Root Public key
Root Signature
issuer
verifies
verifies
CA Certificate options
› RSA / DSA / ECDSA
› MD5 / SHA1 / SHA256
› OS support
› Origin Country
Certificate Authority options
› Go buy a certificate manually
› Own an Intermediate CA
› MPKI
Security vs Performance
› HTTPS can lead to latency overheads up to 4 RTT › Properly configured HTTPS should not add more than 1 RTT
Client Server
Client Hello
Server HelloCertificate(Certificate status)
100 ms
200 ms
150 ms
250 + X ms
300 + X ms
Server key exchangeServer Hello DoneClient Key Exchange
Change Cipher SpecFinished
GET / HTTP/1.0
Change Cipher Spec(New session ticket)Finished
Early termination / CDN
Early termination / CDN
Certificate status
› Certificate Revocation List › Online Certificate Status Protocol
Certificate status browser behavior
› Chromium – CRLsets, OCSP for EV › Firefox – OCSP › IE – CRL + OCSP › Opera – CRL + OCSP
!
All of them accept Stapled OCSP responses
Certificate status
› OCSP stapling › Short-Lived certs › CDN for OCSP, CRL
Perfect Forward Secrecy
!
Server Client
K = B mod p a K = A mod p b
gp
SA = g mod p a b
!B = g mod p
ba
PFS performance penalties
~3200 ECDHE-RSA-AES128-GCM-SHA256 handshakes per second on Xeon 5645 with Nginx
PFS bright side/ TLS False Start
Client Server
Client Hello
Server HelloCertificate(Certificate status)
100 ms
200 ms
150 ms
Server key exchangeServer Hello DoneClient Key Exchange
Change Cipher SpecFinished
GET / HTTP/1.0
Change Cipher Spec(New session ticket)Finished
HTTP/1.0 200 OK
PFS performance penalties / solutions
› Keep-alive
› SPDY
› TLS Session Reuse
› Elliptic Curve Cryptography
SPDY
HTTP SPDY
Browser 3 connections 3 handshakes
Server Browser 1 connection 1 handshake
Server
TLS Session Reuse
Client Hello
Server Hello
100 ms
200 ms
150 ms
GET / HTTP/1.0
Change Cipher Spec(New session ticket)Finished
Client Server
Change Cipher SpecFinished
250 ms
TLS Session Reuse (Session IDs)
Client Hello
Client random
Ciphers
Session ID
Session key
Session ID
Key
Key
Key
ServerClient│Session IDs
RFC 5246
› Stateful
› SSL 3.0+
TLS Session Reuse (Session Tickets)
Client Hello
Ciphers
Random
TLS Ticket
TLS Ticket
Key ID
IV
Enc. State
MAC
Ticket key
Session key
ServerClient│Session Tickets
RFC 5077
› Stateless
› TLS 1.0+
* Only Firefox and Chromium
Elliptic Curve Cryptography
› ECDHE vs EDH
› ECC certificates
~6300 ECDHE-ECDSA-AES128-GCM-SHA256 handshakes per second on Xeon 5645 with Nginx
* No ECDSA support in Windows XP < SP3
SHA-1 sunsetting
│No SHA-256 support in Windows XP < SP3
ECC and RSA / Dual certs
› ECC + SHA-256 for modern clients
› RSA + SHA-1 for old clients
Content Security Policy for mixed content detection
│Content-Security-Policy-Report-Only: default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report
Secure Cookies
│Set-Cookie: session=124567; HttpOnly; Secure;
HTTP Strict Transport Security
│Strict-Transport-Security: max-age=31536000; includeSubdomains;
Fix website URL in Yandex.Webmaster
│ Yandex Spider supports most modern ciphers and protocols
Configure HTTPS properly
› TLS 1.2 › PFS with AEAD ciphers › ECC for key exchange and certificates › Session Resumption › Secure Cookies › Strict Transport Security
Thank you for your attention!Questions?