

Notes from Ilya Grigorik's talk at Velocity Conf EU 2014:


* There is a group at Google named HTTPS-100. They intend to get all data encrypted at rest and in transit

* HTTPS is a ranking signal in SEO – just a weak one at the moment

* Use to verify your configuration, and to optimise

* Read Bulletproof SSL + TLS

* Modern commodity hardware is easily good enough to do TLS at scale. Modern crypto can be faster than older stuff, as well as being more secure

* TLS False Start can minimise RTT. Enable NPN advertisement to get this benefit

* TLS handshake should be 1RTT only. If it's not, you're doing it wrong

* Submit your website to the HSTS preload list to ensure browsers never go to the HTTP version of your site, even if the user types it in

* Ensure you're running the latest versions of stuff for performance improvements:

** Linux kernel 3.7+

** OpenSSL 1.0j+ (need to ask Ilya about LibreSSL)

** latest server build

* TLS handshake is the expensive part, so the problem becomes how to optimise this

** Use keep alive

** session resumption removes 1RTT:

*** store state on the server using session identifiers, or

*** store state on the client using session tickets

* openssl has tools to look at connection details

* It's a balance between performance and acceptable Perfect Forward Secrecy, e.g. your session keys should expire at some point

* nginx can log session resumption

** process the logs and see what your session resumption ratio is

* SPDY / HTTP/2.0 will make this faster due to multiplexing over a single socket per origin
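To measure the session resumption ratio mentioned above, here is an added example (not from the talk or from nginx itself) that parses nginx access logs written with a custom log_format carrying $ssl_protocol, $ssl_cipher and $ssl_session_reused; the log format, the sample lines and the function names are assumptions for this illustration.

```python
import re
from collections import Counter

# Assumed nginx log_format for these lines (appends the TLS variables):
#   log_format tls '$remote_addr [$time_local] "$request" $status '
#                  '$ssl_protocol $ssl_cipher $ssl_session_reused';
# $ssl_session_reused is "r" for a resumed session, "." for a full handshake.

# Constructed sample log lines for demonstration, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 [17/Nov/2014:10:01:02 +0000] "GET / HTTP/1.1" 200 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 .
203.0.113.5 [17/Nov/2014:10:01:03 +0000] "GET /a.css HTTP/1.1" 200 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 r
203.0.113.5 [17/Nov/2014:10:01:03 +0000] "GET /b.js HTTP/1.1" 200 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 r
198.51.100.7 [17/Nov/2014:10:02:10 +0000] "GET / HTTP/1.1" 200 TLSv1.0 AES256-SHA .
198.51.100.7 [17/Nov/2014:10:02:11 +0000] "GET /a.css HTTP/1.1" 200 TLSv1.0 AES256-SHA .
192.0.2.9 [17/Nov/2014:10:03:00 +0000] "GET / HTTP/1.1" 200 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 r
"""

LINE_RE = re.compile(
    r'^(?P<addr>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<proto>\S+) (?P<cipher>\S+) (?P<reused>[r.])$'
)


def parse_lines(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def resumption_stats(text):
    """Return (resumed/total ratio, count of full handshakes per protocol).

    The per-protocol count shows which client populations never resume and
    therefore pay the extra handshake round trip on every connection.
    """
    total = resumed = 0
    full_by_proto = Counter()
    for rec in parse_lines(text):
        total += 1
        if rec["reused"] == "r":
            resumed += 1
        else:
            full_by_proto[rec["proto"]] += 1
    ratio = resumed / total if total else 0.0
    return ratio, dict(full_by_proto)


if __name__ == "__main__":
    ratio, full = resumption_stats(SAMPLE_LOG)
    print(f"resumption ratio: {ratio:.0%}  full handshakes by protocol: {full}")
```

Run it against a real log file by reading the file contents into resumption_stats; a low ratio or a protocol version that never resumes points at clients or a server-side ticket/cache configuration that is defeating resumption.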


Taken on November 17, 2014