Unifying the TLS and HTTPS properties of a 23-year-old company with millions of users across dozens of edge locations while retaining client compatibility and pushing forward the security and privacy of your users’ data is a complex task. Threat analysis of TLS ciphers, protocols, and attacks are one side of the story; effecting change across various teams supporting diverse legacy stack another.
Jan Schaumann shares insights into TLS cipher specs and protocols and threat analysis of dozens of vulnerabilities and attacks and explains how to effect change across a diverse legacy stack, how to collaborate with a significant number of teams on goals that may not be directly in line with their roadmaps, and how to get buy-in from your executives.
Jan also explores a major initiative that spanned 18 months, beginning with a detailed analysis of the internal SSL and TLS ecosystem before covering the TLS libraries, HTTP serving stacks and HTTPS protections like HSTS and HPKP, cipher and certificate configurations, CA compatibility (e.g., across mobile clients popular in different markets), and IoT compatibility (oh dear!). Drawing on this example, Jan outlines set of requirements and best practices for serving HTTPS across a large edge environment as well as the lessons learned along the way and the unexpected wins and side effects of improving your security posture across your company.
Jan Schaumann is an infrastructure and information security engineer and an adjunct professor of computer science. Jan has over 15 years of experience in both small-scale deployments and enormous high-availability infrastructures serving millions of users. Today he spends most of his time worrying about online privacy and infrastructure security and integrity. You can follow him on Twitter as @jschauma.
©2017, O'Reilly Media, Inc. • (800) 889-8969 or (707) 827-7019 • Monday-Friday 7:30am-5pm PT • All trademarks and registered trademarks appearing on oreilly.com are the property of their respective owners. • firstname.lastname@example.org