moving from http to https


Upload: blake-crosby

Post on 11-Feb-2017


MOVING TO HTTPS

Toronto Web Performance Meetup, March 15, 2016, Blake Crosby

About Me

•  Operations Team Lead at FreshBooks

•  Twitter: @blakecrosby

•  E-Mail: [email protected]

Why HTTPS

•  August 6, 2015 –  Google will rank HTTPS URLs higher in search results [1]

•  December 17, 2015

–  Google now prefers HTTPS URLs over HTTP [2]

•  Prevents Eavesdropping.

•  No longer a performance bottleneck [3]. (Or is it?)

1.  https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html
2.  https://security.googleblog.com/2015/12/indexing-https-pages-by-default.html
3.  https://istlsfastyet.com/

The Website

What Powers freshbooks.com

What Happened?!

Why?

Third Parties!

Keep In Mind:

•  Every domain on your page must do TLS negotiation and associated work:

–  Agree on which cipher to use

–  Exchange keys

–  Validate the certificate

–  Encrypt data and transmit

•  Don’t use domain sharding!

Speeding Things Up

•  HSTS

•  TLS Session Resumption

•  OCSP Stapling

Redirecting HTTP -> HTTPS

•  Can use an HTTP Redirect (301)

–  Two Requests

•  Use HSTS!

–  One Request

How HSTS Works

HTTP Header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

–  max-age=31536000: Expiry time (1 year)

–  includeSubDomains: Apply this to all subdomains.

–  preload: Allow the domain to be preloaded in browser databases.

307 Internal Redirect: 2ms vs. 73ms
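The header annotated above and the 307 internal redirect it produces, as an added example that is not part of the talk: a parser for the Strict-Transport-Security value plus a minimal model of the browser-side HSTS cache, which decides whether an http:// navigation is upgraded before any request leaves the machine (one request) or must first hit the server and follow its 301 (two requests). Hostnames other than freshbooks.com are constructed, and the cache is a simplification that ignores the preload list.

```python
import time
from typing import Dict, Optional, Tuple

def parse_hsts(header: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security value; None if max-age is missing or invalid."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

class HstsCache:
    """Per-host HSTS policies, learned only from HTTPS responses (RFC 6797)."""
    def __init__(self) -> None:
        # host -> (expiry as unix time, includeSubDomains flag)
        self._hosts: Dict[str, Tuple[float, bool]] = {}

    def observe(self, host: str, scheme: str, header: str, now: Optional[float] = None) -> bool:
        """Record the policy from one response. Returns True if the cache changed."""
        if scheme != "https":       # RFC 6797: the header is ignored over plain HTTP
            return False
        policy = parse_hsts(header)
        if policy is None:
            return False
        now = time.time() if now is None else now
        if policy["max_age"] == 0:  # max-age=0 tells the browser to forget the host
            self._hosts.pop(host.lower(), None)
            return True
        self._hosts[host.lower()] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def upgrade(self, url_host: str, now: Optional[float] = None) -> bool:
        """True if http://url_host is rewritten to https:// before any request is
        sent (the '307 Internal Redirect' in the slides); False means the browser
        would first fetch over HTTP and depend on the server's 301."""
        now = time.time() if now is None else now
        labels = url_host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            # the exact host always matches; a parent domain only with includeSubDomains
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False
```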

TLS Session Resumption

OCSP Stapling

•  Two ways we can check to see if a certificate has been revoked:

–  In the client (browser)

–  By the server (and “stapling” the results to the certificate bundle).

OCSP Stapling

Regular OCSP

openssl s_client -connect blakecrosby.freshbooks.com:443 -status
CONNECTED(00000003)
OCSP response: no response sent

OCSP Stapling

openssl s_client -connect www.freshbooks.com:443 -status
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 61D76CA33B92B93A461053EF6CE06633503EB3E0
    Produced At: Mar 15 15:57:17 2016 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 0C9E4D9C3DEDEF84D891E972C7CF8406BC197B07
      Issuer Key Hash: 96DE61F1BD1C1629531CC0CC7D3B830040E61A7C
      Serial Number: 11218BFF0DF887065B1C2B2F6E284415D8A7
    Cert Status: good
    This Update: Mar 15 15:57:17 2016 GMT
    Next Update: Mar 19 15:57:17 2016 GMT

CDN Considerations

https://istlsfastyet.com/#cdn-paas

HTTPS to the Origin?

Increase in Origin Latency

Putting It All Together

•  Every third party script (domain) will be served over HTTPS.

•  Make sure you use a CDN that supports TLS Optimizations.

•  Only use TLS from Edge to Origin if necessary.

Questions / Comments

•  Thank You!