Balancing Performance and Security of SSL/TLS Deployments
On 11th December 2014 at The Financial Times as part of Balancing Performance and Security of SSL/TLS Deployments
With the surveillance revelations of 2013 and a general push towards using more secure means of communication (helped along by protocols such as SPDY and HTTP/2.0, which browsers only speak over TLS), an understanding of HTTPS (and the underlying SSL/TLS protocols) is becoming more and more important.
Using HTTPS means balancing two competing requirements: performance and security. The large range of SSL/TLS ciphers on offer (3DES, RC4, AES-CBC, AES-GCM, ChaCha20-Poly1305 and others) needs to be understood from both perspectives, because the choice of cipher affects both.
Throw into the mix the fact that not all clients (for example, web browsers) support all of those ciphers, that some of the ciphers have serious security problems, and that the same cipher performs differently on different hardware (an Android phone and a desktop Mac have very different performance characteristics, and not every CPU has hardware AES support), and you have a recipe for confusion.
This talk will detail the following:
1. A refresher on how SSL/TLS works, covering both authentication and encryption.
2. A refresher on the various SSL/TLS ciphers used to encrypt the data stream.
3. A look at which ciphers are believed to be insecure.
4. A look at the performance characteristics of different ciphers on different browsers and hardware.
5. Concrete recommendations on how to choose the best selection of SSL/TLS ciphers for both performance and security and achieve an A+ rating on the SSLLabs test.
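The cipher-selection problem the talk describes can be checked locally before deploying a configuration. The script below is an added example, not material from the talk or from The Financial Times: it expands an OpenSSL cipher string with the OpenSSL that Python's ssl module is linked against, buckets every enabled suite into the insecure families named above (RC4, 3DES), AEAD suites (AES-GCM, ChaCha20-Poly1305) and non-AEAD CBC/HMAC suites, and builds a preference string whose AES-GCM/ChaCha20 order depends on whether the host CPU advertises AES-NI. The suite lists, the WEAK_MARKERS tuple and the /proc/cpuinfo check are assumptions made for this example, not the speaker's recommendations.

```python
"""Added example: audit and build OpenSSL cipher strings.

Expands a cipher string with the locally linked OpenSSL (via the ssl module)
and buckets each enabled suite by the properties discussed in the talk:
insecure families (RC4, 3DES, export/NULL/MD5), AEAD suites (AES-GCM,
ChaCha20-Poly1305) and non-AEAD CBC/HMAC suites. Also builds a preference
string whose AES-GCM/ChaCha20 order depends on whether the host has AES-NI.
"""
import ssl

# Substrings of OpenSSL suite names treated as insecure here (assumed list).
WEAK_MARKERS = ("RC4", "DES-CBC3", "3DES", "NULL", "EXPORT", "MD5", "IDEA", "SEED")

# Constructed example strings; not the talk's own recommendation.
LEGACY_CIPHERS = "ALL:!aNULL:!eNULL"

AES_GCM_SUITES = (
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
)
CHACHA_SUITES = (
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
)


def classify(name):
    """Bucket one OpenSSL suite name as 'insecure', 'aead' or 'cbc'."""
    upper = name.upper()
    if any(marker in upper for marker in WEAK_MARKERS):
        return "insecure"
    if any(aead in upper for aead in ("GCM", "CHACHA20", "CCM")):
        return "aead"
    # CBC + HMAC suites: not in the insecure list above, but slower and not AEAD.
    return "cbc"


def expand(cipher_string):
    """Return the suite names the local OpenSSL actually enables for a string.

    ssl.SSLContext.set_ciphers raises ssl.SSLError if nothing matches, which
    is exactly the check you want before deploying a hand-written string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [suite["name"] for suite in ctx.get_ciphers()]


def audit(cipher_string):
    """Map each bucket to the enabled suites in it (TLS 1.3 suites included)."""
    buckets = {"insecure": [], "aead": [], "cbc": []}
    for name in expand(cipher_string):
        buckets[classify(name)].append(name)
    return buckets


def has_aes_ni(cpuinfo_path="/proc/cpuinfo"):
    """True if the CPU advertises the AES instruction set (Linux only; False elsewhere)."""
    try:
        with open(cpuinfo_path) as fh:
            return any(line.startswith("flags") and "aes" in line.split() for line in fh)
    except OSError:
        return False


def build_cipher_string(aes_ni):
    """Prefer AES-GCM on AES-NI hardware, ChaCha20-Poly1305 otherwise.

    Both families are AEAD; the order only decides which one wins when a
    client offers both, which is where the performance difference shows.
    """
    ordered = AES_GCM_SUITES + CHACHA_SUITES if aes_ni else CHACHA_SUITES + AES_GCM_SUITES
    return ":".join(ordered)


if __name__ == "__main__":
    aes_ni = has_aes_ni()
    recommended = build_cipher_string(aes_ni)
    print("AES-NI present:", aes_ni)
    print("cipher string :", recommended)
    for bucket, suites in audit(recommended).items():
        print(f"{bucket:9s} {suites}")
    legacy = audit(LEGACY_CIPHERS)
    print("legacy 'ALL' string enables", sum(len(v) for v in legacy.values()),
          "suites, of which", len(legacy["insecure"]), "are in the insecure bucket")
```

Ordering by the server's hardware is only half the story, since the client may be a phone with no AES hardware; OpenSSL 1.1.1 and later add SSL_OP_PRIORITIZE_CHACHA, which lets a server that prefers AES-GCM still pick ChaCha20-Poly1305 for clients that list it first. Run the audit against the exact string from your server configuration rather than a hand-copied one, because the "ALL"-style strings that older guides recommend can still enable suites the local OpenSSL considers weak.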