Some pitfalls to watch out for when serving your site using HTTPS.

2. MOVING TO HTTPS
Toronto Web Performance Meetup
March 15, 2016
Blake Crosby

3. About Me
• Operations Team Lead at
FreshBooks
• Twitter: @blakecrosby
• E-Mail: me@blakecrosby.com

4. Why HTTPS
• August 6, 2015
– Google will rank HTTPS URLs higher in search results1
• December 17, 2015
– Google now prefers HTTPS URLs over HTTP2
• Prevents Eavesdropping.
• No longer a performance bottleneck3. (Or is it?)
1.
h%ps://webmasters.googleblog.com/2014/08/h%ps-­‐as-­‐ranking-­‐signal.html
2.
h%ps://security.googleblog.com/2015/12/indexing-­‐h%ps-­‐pages-­‐by-­‐default.html
3.
h%ps://istlsfastyet.com/

5. The Website

6. What Powers freshbooks.com

7. What Happened?!

8. What Happened?!

9. Why?

10. Why?

11. Third Parties!

12. Keep In Mind:
• Every domain on your page must do TLS
negotiation and associated work:
– Agree on which cipher to use
– Exchange keys
– Validate the certificate
– Encrypt data and transmit
• Don’t use domain sharding!

13. Speeding Things Up
• HSTS
• TLS Session Resumption
• OCSP Stapling

14. Redirecting HTTP -> HTTPS
• Can use a HTTP Redirect (301)
– Two Requests
• Use HSTS!
– One Request

15. How HSTS Works
Strict-Transport-Security: max-age=31536000;
includeSubDomains; preload
HTTP
Header
Apply
this
to
all
subdomains.
Expiry
9me
(1
year)
Allow
the
domain
to
be
preloaded
in
browser
databases.

16. 307 Internal Redirect
2ms
vs.
73ms

17. TLS Session Resumption

18. OCSP Stapling
• Two ways we can check to see if a certificate has
been revoked:
– In the client (browser)
– By the server (and “stapling” the results to the
certificate bundle.

19. OCSP Stapling

20. Regular OCSP
openssl s_client -connect blakecrosby.freshbooks.com:443 -status
CONNECTED(00000003)
OCSP response: no response sent

21. OCSP Stapling
openssl s_client -connect www.freshbooks.com:443 -status
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: 61D76CA33B92B93A461053EF6CE06633503EB3E0
Produced At: Mar 15 15:57:17 2016 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 0C9E4D9C3DEDEF84D891E972C7CF8406BC197B07
Issuer Key Hash: 96DE61F1BD1C1629531CC0CC7D3B830040E61A7C
Serial Number: 11218BFF0DF887065B1C2B2F6E284415D8A7
Cert Status: good
This Update: Mar 15 15:57:17 2016 GMT
Next Update: Mar 19 15:57:17 2016 GMT

22. CDN Considerations
h%ps://istlsfastyet.com/#cdn-­‐paas

23. HTTPS to the Origin?
Increase
in
Origin
Latency

24. Putting It All Together
• Every third party script (domain) will be served
over HTTPS.
• Make sure you use a CDN that supports TLS
Optimizations.
• Only use TLS from Edge to Origin if necessary.

25. Questions / Comments
• Thank You!