Maximizing SPDY and SSL Performance (June 2014)
DESCRIPTION
Presented at the Atlanta Web Performance Meetup Group in June 2014, Billy Hoffman from Zoompf shows how to improve the performance of your website using SPDY and SSL and discusses SSL issues such as Heartbleed and CRIME.
TRANSCRIPT
What Is SPDY?
• “Speedy”
• Next Gen Web Protocol
– Created by Google in 2009
– Basis of HTTP/2 spec
• Designed for speed
• Familiar Request/Response model
– Largely abstracted away
– Much improved plumbing
– Extra features
Massive Browser Support
Massive Server Support
Cast of Characters
• TCP
• HTTP
• SSL
• X.509 Certificate
• Cryptography (asymmetric & symmetric)
• SPDY
HTTP/HTTPS
HTTP/SPDY/SSL Sandwich
• SPDY encapsulates HTTP requests
– Single multiplexed stream
• Transmits contents over SSL channel
Mapping To Frames
Breaking To Streams
Multiplexing Streams
HTTP Pipelining Revisited
Additional Features
• Server Push!
• Header Compression
• Body Compression
• Better use of TCP connections
• Better upgrade approach
Today’s Focus
• Setting the Stage for SPDY
– Can speak SSL with a server
– Can create a valid SSL connection
– Client and Server agree to use SPDY
• Optimizing SPDY
– Optimizing SSL
– Optimizing SPDY
– Avoiding optimizations that hurt SPDY
• Tools to help
SETTING THE STAGE FOR SPDY
SSL Connectivity
• Hostname resolves
• IP is reachable
• Web server is listening on SSL port
• Web server understands SSL
• Web server knows which site you want
– Shared Hosting and SNI
Listener on 443 is speaking SSL?
Creating a Valid SSL connection
• Agreement on crypto algorithms
• X.509 certificate is valid
X.509 Cert: Correct Domain?
X.509 Cert: Valid Time Period?
X.509 Cert: Is it Trusted?
X.509 Cert: Is it Trusted?
• Do I trust the issuer?
– If not, was it signed by someone I trust?
• Has it been revoked?
– CRL lists
– Online Certificate Status Protocol (OCSP)
Agreeing to Use SPDY
• Client tells server it supports SPDY
• Server tells client it supports SPDY
• Client sends SPDY over SSL
• Else, falls back to HTTP over SSL
SSL Handshake
Microsoft TechNet: How TLS/SSL Works, http://bit.ly/16Zx0en
Announcing SPDY support in the SSL Handshake
(Handshake diagram annotated: ClientHello "+ Ext:13172/ALPN", ServerHello "+ NPN/ALPN")
ClientHello with Extension 13172
ServerHello with NPN
Review: Speaking SPDY
• Client resolves and connects to SSL port
• Client announces SPDY support inside ClientHello
• Server announces SPDY support in ServerHello
• Client validates X.509 cert, finalizes SSL connection
• SPDY conversation happens
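The ClientHello is where most of the "setting the stage" questions are answered: SNI tells a shared host which site you want, the session ID shows a resumption attempt, the compression list should contain only "null" (the CRIME issue the talk mentions), and NPN (extension 13172) or ALPN announces SPDY/HTTP2 support. The following is an added example, not code from the talk: it builds a TLS 1.2 ClientHello byte for byte, parses it back, and evaluates those questions. The host name, cipher suite numbers and protocol names are constructed inputs.

```python
"""Build and parse a TLS 1.2 ClientHello.

Shows, on the wire, how the client tells the server which site it wants
(SNI), whether it is trying to resume (session ID), which ciphers and
compression methods it accepts, and that it speaks SPDY/HTTP2 (NPN,
extension 13172, or ALPN, extension 16).  Added example: the bytes are
constructed here, not captured from the talk.
"""
import os
import struct

EXT_SNI, EXT_ALPN, EXT_NPN = 0, 16, 13172
TLS12 = b"\x03\x03"


def _vec(data, size):
    """A TLS length-prefixed vector with a `size`-byte length field."""
    return len(data).to_bytes(size, "big") + data


def _ext(ext_type, data):
    return struct.pack(">HH", ext_type, len(data)) + data


def build_client_hello(server_name, cipher_suites, alpn=(), npn=False,
                       session_id=b"", compression=(0,), random_bytes=None):
    """Return one TLS record carrying a ClientHello handshake message."""
    random_bytes = random_bytes or os.urandom(32)
    exts = [_ext(EXT_SNI, _vec(b"\x00" + _vec(server_name.encode(), 2), 2))]
    if npn:        # NPN: empty in the ClientHello; the server's reply lists protocols
        exts.append(_ext(EXT_NPN, b""))
    if alpn:       # ALPN: the client lists protocols and the server picks one
        names = b"".join(_vec(p.encode(), 1) for p in alpn)
        exts.append(_ext(EXT_ALPN, _vec(names, 2)))
    suites = b"".join(struct.pack(">H", c) for c in cipher_suites)
    body = (TLS12 + random_bytes + _vec(session_id, 1) + _vec(suites, 2)
            + _vec(bytes(compression), 1) + _vec(b"".join(exts), 2))
    handshake = b"\x01" + _vec(body, 3)            # HandshakeType.client_hello
    return b"\x16" + TLS12 + _vec(handshake, 2)    # ContentType.handshake


def parse_client_hello(record):
    """Decode the fields a server (or a packet capture) looks at."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 34                                        # client_version + random
    sid_len = body[pos]
    session_id, pos = body[pos + 1:pos + 1 + sid_len], pos + 1 + sid_len
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    suites = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    cm_len = body[pos]
    compression, pos = list(body[pos + 1:pos + 1 + cm_len]), pos + 1 + cm_len
    info = {"session_id": session_id, "cipher_suites": suites,
            "compression": compression, "sni": None, "alpn": [], "npn": False}
    if pos < len(body):
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos < end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype == EXT_SNI:      # ServerNameList: list_len, type, name_len, name
                name_len = int.from_bytes(data[3:5], "big")
                info["sni"] = data[5:5 + name_len].decode()
            elif etype == EXT_ALPN:   # ProtocolNameList: list_len, then (len, name)*
                p = 2
                while p < len(data):
                    n = data[p]
                    info["alpn"].append(data[p + 1:p + 1 + n].decode())
                    p += 1 + n
            elif etype == EXT_NPN:
                info["npn"] = True
    return info


def hello_checks(info):
    """The 'setting the stage' questions, answered from the ClientHello alone."""
    return {
        "server_knows_site": info["sni"] is not None,   # shared hosting needs SNI
        "offers_spdy_or_h2": info["npn"] or any(p == "h2" or p.startswith("spdy/")
                                                  for p in info["alpn"]),
        "tries_resumption": len(info["session_id"]) > 0,
        "no_tls_compression": info["compression"] == [0],  # CRIME: only null
    }


if __name__ == "__main__":
    rec = build_client_hello("www.example.com", [0xC02F, 0x002F],
                             alpn=("spdy/3.1", "h2", "http/1.1"), npn=True)
    print(hello_checks(parse_client_hello(rec)))
```

The same parser works on a ClientHello captured with tcpdump or Wireshark from port 443, which is a quick way to confirm that a browser really is offering NPN/ALPN and SNI to your server before looking at the server side.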
OPTIMIZING SSL/SPDY
The SSL Tarpits
• SSL handshake requires 2 round trips
• Certificates can be large
• Certificates need to be validated
• Keys can be too large
• Algorithms can be slow
• Revocation
The SSL Handshake is Costly!
Resume SSL Session
• Avoid regenerating keys
• Avoid unneeded trips
• 2 methods
Session Identifiers
• Both sides keep state/cache
• Reuse based on id
• Widely supported
(Diagram: the client presents "sessionid: 3a8a…"; the server holds a big cache of all ids given out and the associated keys/ciphers)
Session Tickets
• Client stores a “Magic Ticket”
• RFC 5077, optional
• No IIS support
(Diagram: the server hands the client an encrypted summary of the keys/ciphers, signed by the server; on the next connection the server verifies the summary is valid and uses its values)
SSL False Start
False Start: Not Gone
• “The Failure of False Start”
• Chrome still does it!
– Desktop and mobile
• Any server that supports NPN (with forward secrecy)
– Any server with SPDY support…
– Or SSL + NPN, but only announces HTTP/1.1!
Minimize the Certificate Chain
OCSP Validation causes delays
OCSP Stapling
• Good in theory, bad in practice
• Browsers are moving away from OCSP
Heartbleed Ruined The Dream
• OCSP doesn’t scale
• DoS targets
• We can’t do this well
Oversized Asymmetric Keys
• 1024 is fine
• 2048 for banks
• Anything more is overkill
– Caveat: the CA/Browser Forum Baseline Requirements forbid 1024-bit RSA in certificates valid past the end of 2013, and browsers have been removing trust in 1024-bit keys, so 2048 is the practical floor today; the slide’s point that survives is not to go larger than that
Cipher Order/Choice Matters
• RC4 is the best (for speed)
• Unless on a machine with AES-NI
– Intel i7, Xeons, some AMD
– Not most virtual machines!!!
• First match wins
– Caveat: RC4 has since been prohibited for TLS (RFC 7465, 2015) because of known keystream biases; prefer AES-GCM where AES-NI exists and ChaCha20-Poly1305 where it does not
http://zombe.es/post/4078724716
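"First match wins" is a statement about whose list is walked: with server preference enabled the server takes the first suite in its own order that the client also offered, so the server's order should be built for the hardware it runs on. The following is an added example, not code from the talk or the linked post: suite names follow OpenSSL's naming, the AES-NI detection reads the Linux CPU flags and is a heuristic, and the banned list reflects RFC 7465 (RC4 prohibited), which postdates the talk.

```python
"""'First match wins': the server walks its own preference list and takes
the first suite the client also offered (or, if it honours client order,
walks the client's list instead).  The preference list itself should depend
on whether the CPU has AES-NI.  Added example, not from the talk; suite
names follow OpenSSL's, and the policy below rejects RC4, which RFC 7465
prohibited after this talk was given.
"""

WITH_AESNI = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
              "ECDHE-RSA-CHACHA20-POLY1305"]
WITHOUT_AESNI = ["ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256",
                 "ECDHE-RSA-AES256-GCM-SHA384"]
FALLBACK = ["ECDHE-RSA-AES128-SHA", "AES128-SHA"]       # for clients without GCM
BANNED = ("RC4", "NULL", "MD5", "DES", "EXP")          # never negotiate these


def has_aesni():
    """Linux-only heuristic: the 'aes' CPU flag. None if it cannot be determined
    (non-Linux host, or a VM that hides CPU flags)."""
    try:
        with open("/proc/cpuinfo") as f:
            flags = f.read().replace("\n", " ")
    except OSError:
        return None
    return " aes " in flags


def server_preference(aesni):
    """Order AES-GCM first only when AES-NI makes it the faster choice."""
    return (WITH_AESNI if aesni else WITHOUT_AESNI) + FALLBACK


def negotiate(client_offer, server_prefs, honor_server_order=True):
    """Return the chosen suite, or None when there is no acceptable overlap."""
    walk, other = ((server_prefs, client_offer) if honor_server_order
                   else (client_offer, server_prefs))
    for suite in walk:                      # first acceptable match wins
        if suite in other and not any(b in suite for b in BANNED):
            return suite
    return None


def audit(server_prefs):
    """Suites in a configured list that should be removed outright."""
    return [s for s in server_prefs if any(b in s for b in BANNED)]


if __name__ == "__main__":
    prefs = server_preference(has_aesni())
    print("server order:", prefs)
    print("chosen:", negotiate(["ECDHE-RSA-CHACHA20-POLY1305", "RC4-SHA",
                                "ECDHE-RSA-AES128-GCM-SHA256"], prefs))
```

Run it on the VM and on bare metal and compare the printed order: a guest that hides the AES flag will put ChaCha20 first, which is the slide's warning about virtual machines in code form.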
Amazon EC2
• Partnered with Intel
• Stop using M1!
Is SSL really helping you?
• SSL doesn’t “secure” your website
– Prevents eavesdropping, tampering
– Not XSS, CSRF, SQL Injection, unpatched/out-of-date software, RCE, LFI, etc.
• Consider: NULL-MD5, NULL-SHA
• SSL with no encryption
– Caveat: NULL ciphers give authentication and integrity but no confidentiality, and mainstream browsers do not offer them, so a public site cannot actually negotiate them
“Does this really matter?”
• Seriously?
• 1024 more bytes in key?
• 2 more kilobytes in the X.509 cert?
• Accidentally using AES-256?
• Really?
“Does this really matter?”
OMG WTF MS?
SPDY Optimization
• SPDY only works over SSL
• Ensure that all your traffic is over SSL
• HTTP 301 redirect from http: to https:
– Add a Cache-Control header so the browser caches the redirect!
• HTTP Strict Transport Security (HSTS)
– Like the browser’s cache, but for protocol access: once seen, the browser goes straight to https. Set a (semi) far-future max-age
– Wide support (>90% of SPDY-capable browsers)
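Both halves of that advice are easy to get subtly wrong: the redirect is only useful if it is cacheable, and HSTS is only honoured when received over https. The following is an added example, not code from the talk: a server-side responder that does both, and a minimal client-side HSTS store showing what the browser keeps and how it rewrites later http:// URLs (including subdomains and expiry). The one-year max-age, includeSubDomains and example host names are assumptions.

```python
"""Server side: every http:// request gets a cacheable 301 to https://, and
only https:// responses carry Strict-Transport-Security.  Client side: a
small HSTS store, the 'protocol cache' the slide compares to the browser
cache, that rewrites later http:// URLs before any request leaves the
machine.  Added example, not from the talk; the one-year max-age and
includeSubDomains are assumptions.
"""
import time
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 365 * 24 * 3600


def respond(url):
    """Return (status, headers) for a request URL on a SPDY-only site."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return 301, {"Location": urlunsplit(("https",) + tuple(parts[1:])),
                     # cacheable, so the browser stops asking after the first time
                     "Cache-Control": "public, max-age=%d" % ONE_YEAR}
    # RFC 6797: browsers ignore HSTS received over http, so only send it here
    return 200, {"Strict-Transport-Security":
                 "max-age=%d; includeSubDomains" % ONE_YEAR}


class HSTSStore:
    """What a browser keeps per host: expiry time and includeSubDomains flag."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._hosts = {}

    def observe(self, host, scheme, headers):
        """Record the policy from a response; ignored unless it came over https."""
        value = headers.get("Strict-Transport-Security")
        if scheme != "https" or value is None:
            return
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            name = name.lower()
            if name == "max-age":
                try:
                    max_age = int(arg.strip().strip('"'))
                except ValueError:
                    return                      # malformed header: ignore it whole
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return
        if max_age == 0:                        # max-age=0 deletes the policy
            self._hosts.pop(host, None)
        else:
            self._hosts[host] = (self._clock() + max_age, include_sub)

    def is_known(self, host):
        """Exact match, or a superdomain whose policy says includeSubDomains."""
        now = self._clock()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            expires, include_sub = entry
            if expires <= now:                  # lazily drop expired policies
                del self._hosts[candidate]
            elif i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL for a known host; port 80 becomes the implicit 443."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname):
            return url
        netloc = (parts.hostname if parts.port in (None, 80)
                  else "%s:%d" % (parts.hostname, parts.port))
        return urlunsplit(("https", netloc) + tuple(parts[2:]))


if __name__ == "__main__":
    store = HSTSStore()
    status, headers = respond("http://www.example.com/")
    print(status, headers["Location"])
    store.observe("www.example.com", "https", respond("https://www.example.com/")[1])
    print(store.rewrite("http://www.example.com/login"))
```

The store deliberately ignores a policy seen over plain http and treats max-age=0 as a deletion; both are required by RFC 6797 and are the two behaviours most often missed when people test HSTS with curl instead of a browser.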
Avoid These Optimizations
• Domain Sharding
– Hack to get more parallel requests; not needed once SPDY multiplexes
– Hurts SPDY by spreading requests over several connections
• JavaScript CDNs
– These are a horrible blight on the web!
– http://statichtml.com/2011/google-ajax-libraries-caching.html
– https://github.com/h5bp/html5-boilerplate/pull/1327
TOOLS
SSL Labs
SPDYCheck.org
Now on GitHub, GPL licensed!
SSL/SPDY Optimization Check List
• Website responds over SSL/443
• Website has NPN extension (even without SPDY, for False Start)
• X.509 certificate is valid
• X.509 chain is short
• SSL asymmetric keys are <= 2048 bits
• Cipher is fast! (RC4, or AES-128 if the CPU supports dedicated instructions; RC4 has since been prohibited by RFC 7465)
SSL/SPDY Optimization Check List
• SSL session resumption is enabled (both identifiers and tickets)
• No SSL compression (the CRIME attack)
• Website is using latest version of SPDY
• HTTP permanently (301) redirects to HTTPS (including cache header)
• HTTPS sends HTTP Strict Transport Security header
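Most rows of this checklist can be verified from a single script using only Python's standard library. The following is an added example, not the talk's tool or SPDYCheck: probe() opens two TLS connections to a host (the second with the saved session, to see whether the server resumes it) and records protocol, ALPN result, cipher, compression, certificate expiry and RSA key size; grade() turns that into pass/fail rows. The key size comes from a small DER walker written here that understands only the RSA SubjectPublicKeyInfo layout. Thresholds follow the checklist except that RC4 is treated as failing (RFC 7465). Python's ssl module exposes neither NPN nor OCSP stapling, so those rows still need `openssl s_client -nextprotoneg` and `-status`. The der() helper exists only to build test fixtures.

```python
"""Grade a host against the checklist with only the standard library.

probe() opens two TLS connections (the second to test session resumption)
and returns a plain dict; grade() turns that dict into pass/fail rows and
is pure, as is rsa_key_bits(), a minimal DER walker that reads the modulus
size out of an RSA certificate.  Added example, not the talk's tool:
thresholds follow the checklist except that RC4 is no longer accepted.
Python's ssl module exposes neither NPN nor OCSP stapling, so those rows
are left to `openssl s_client -nextprotoneg`/`-status`.
"""
import socket
import ssl
import sys
import time

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def der(tag, body):
    """Encode one DER TLV (bodies up to 65535 bytes); used to build fixtures."""
    n = len(body)
    length = (bytes([n]) if n < 0x80 else
              b"\x81" + bytes([n]) if n < 0x100 else
              b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body


def _tlv(buf, pos=0):
    """Read one DER TLV; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(seq):
    out, pos = [], 0
    while pos < len(seq):
        tag, value, pos = _tlv(seq, pos)
        out.append((tag, value))
    return out


def rsa_key_bits(cert_der):
    """Modulus size of the certificate's RSA public key, or None if not RSA."""
    _, tbs, _ = _tlv(_tlv(cert_der)[1])          # Certificate -> tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                     # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo
    alg, bitstr = [v for _, v in _children(fields[5][1])[:2]]
    if _children(alg)[0] != (0x06, RSA_OID):
        return None
    rsa_pub = _tlv(bitstr[1:])[1]                # skip the unused-bits byte
    modulus = _children(rsa_pub)[0][1]
    return (len(modulus) - (1 if modulus[0] == 0 else 0)) * 8


def probe(host, port=443, timeout=5.0):
    """Live check; needs network access. The handshake fails if the chain or
    hostname is invalid, which is itself the first checklist row."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "spdy/3.1", "http/1.1"])
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        cert = tls.getpeercert()
        report = {"protocol": tls.version(), "alpn": tls.selected_alpn_protocol(),
                  "cipher": tls.cipher()[0], "compression": tls.compression(),
                  "not_after": ssl.cert_time_to_seconds(cert["notAfter"]),
                  "key_bits": rsa_key_bits(tls.getpeercert(binary_form=True))}
        session = tls.session                    # None under TLS 1.3 until data is read
    report["resumed"] = None
    if session is not None:                      # reconnect with the saved session
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host, session=session) as tls:
            report["resumed"] = tls.session_reused
    return report


def grade(report, now=None, max_key_bits=2048):
    """Checklist rows as booleans. Assumed fast set: AES-128-GCM, ChaCha20."""
    now = time.time() if now is None else now
    cipher = report["cipher"]
    return {
        "spdy_or_h2_negotiated": report["alpn"] in ("h2", "spdy/3.1"),
        "cert_not_expired": report["not_after"] > now,
        "key_size_ok": report["key_bits"] is None or report["key_bits"] <= max_key_bits,
        "fast_cipher": ("AES128-GCM" in cipher or "CHACHA20" in cipher) and "RC4" not in cipher,
        "no_tls_compression": report["compression"] is None,
        "session_resumption": bool(report["resumed"]),
        "modern_protocol": report["protocol"] in ("TLSv1.2", "TLSv1.3"),
    }


if __name__ == "__main__":
    for row, ok in grade(probe(sys.argv[1])).items():
        print(f"{row:24s} {'ok' if ok else 'FIX'}")
```

Run as `python check.py www.example.com`. The resumption row is reliable for TLS 1.2, which is what the talk's servers spoke; under TLS 1.3 the ticket arrives after the handshake, so read some application data before saving the session if you extend the script.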
Great Resources
• Ivan Ristic (blog.ivanristic.com)
• Adam Langley (www.imperialviolet.org)
• Mark Nottingham (www.mnot.net/blog/)
• Qualys SSL Labs (ssllabs.com)
• SPDYCheck (spdycheck.org)
Free Performance Assessment: zoompf.com/free