The razor's edge: Cutting your TLS baggage

Jan Schaumann (The Internet)
4:45pm–5:25pm Wednesday, November 1, 2017
Level: Intermediate
Who is this presentation for?

  • SREs, edge engineers, HTTP stack developers, security engineers, and anybody interested in HTTPS

Prerequisite knowledge

  • A general understanding of HTTPS, TLS, PKI, and the CA ecosystem

What you'll learn

  • Explore a realistic configuration of large-scale HTTPS and TLS
  • Learn how an analysis of metrics and measurements can guide accurate impact analysis
  • Understand how to do a threat analysis of large edge ecosystems


Unifying the TLS and HTTPS properties of a 23-year-old company with millions of users across dozens of edge locations while retaining client compatibility and pushing forward the security and privacy of your users’ data is a complex task. Threat analysis of TLS ciphers, protocols, and attacks is one side of the story; effecting change across the various teams supporting a diverse legacy stack is another.

Jan Schaumann shares insights into TLS cipher specs and protocols and threat analysis of dozens of vulnerabilities and attacks and explains how to effect change across a diverse legacy stack, how to collaborate with a significant number of teams on goals that may not be directly in line with their roadmaps, and how to get buy-in from your executives.

Jan also explores a major initiative that spanned 18 months, beginning with a detailed analysis of the internal SSL and TLS ecosystem before covering the TLS libraries, HTTP serving stacks and HTTPS protections like HSTS and HPKP, cipher and certificate configurations, CA compatibility (e.g., across mobile clients popular in different markets), and IoT compatibility (oh dear!). Drawing on this example, Jan outlines a set of requirements and best practices for serving HTTPS across a large edge environment as well as the lessons learned along the way and the unexpected wins and side effects of improving your security posture across your company.
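The kind of fleet-wide measurement the abstract describes (which protocol and cipher each edge host negotiates, whether it sends HSTS, whether HPKP is in play) is easiest to reason about when the checks are written down as code against a stated baseline. The following is an added example, not material from the talk or from the speaker's own tooling: it audits constructed per-endpoint records (hypothetical host names, values and header strings, standing in for what a scanning job would collect) against an assumed baseline of TLS 1.2 or better, no legacy ciphers, HSTS with at least six months of max-age and includeSubDomains, and at least two HPKP pins where HPKP is present at all (RFC 7469 requires a backup pin; a single pin leaves the site one key rotation away from being unreachable). The six-month floor and the marker list for "weak" ciphers are this example's policy choices, not requirements from the page.

```python
"""Offline audit of per-endpoint TLS/HTTPS settings against a baseline.

Added example, not from the talk. Input records are constructed here to
stand in for measurements collected from an edge fleet.
"""
from typing import Dict, List

# Constructed sample: what a measurement job might record per edge host.
# Host names, pins and header values are hypothetical placeholders.
SAMPLE_ENDPOINTS = [
    {"host": "edge-a.example.test", "protocol": "TLSv1.2",
     "cipher": "ECDHE-RSA-AES128-GCM-SHA256",
     "headers": {"Strict-Transport-Security":
                 "max-age=31536000; includeSubDomains; preload"}},
    {"host": "edge-b.example.test", "protocol": "TLSv1.0",
     "cipher": "DES-CBC3-SHA",
     "headers": {"Strict-Transport-Security": "max-age=300"}},
    {"host": "edge-c.example.test", "protocol": "TLSv1.2",
     "cipher": "RC4-SHA",
     "headers": {"Public-Key-Pins": 'pin-sha256="PLACEHOLDER="; max-age=5184000'}},
]

# Baseline chosen for this example (assumption, not a standard's requirement).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ANON")  # OpenSSL-style names
MIN_HSTS_MAX_AGE = 180 * 24 * 3600  # six months, in seconds
MIN_HPKP_PINS = 2  # RFC 7469: a backup pin is mandatory


def parse_directives(value: str) -> Dict[str, str]:
    """Split an HSTS-style header ("k=v; flag; ...") into a lower-cased dict.

    Repeated directives (as HPKP's pin-sha256 allows) collapse to the last
    value; use count_pins() for those.
    """
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def count_pins(hpkp_value: str) -> int:
    """Count pin-sha256 directives in a Public-Key-Pins header."""
    return sum(1 for part in hpkp_value.split(";")
               if part.strip().lower().startswith("pin-sha256="))


def audit_endpoint(ep: Dict) -> List[str]:
    """Return human-readable findings for one endpoint record (empty if clean)."""
    findings: List[str] = []

    if ep["protocol"] in WEAK_PROTOCOLS:
        findings.append(f"weak protocol {ep['protocol']} negotiated")

    cipher = ep["cipher"].upper()
    if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher {ep['cipher']} negotiated")

    hsts = ep["headers"].get("Strict-Transport-Security")
    if hsts is None:
        findings.append("missing HSTS header")
    else:
        d = parse_directives(hsts)
        try:
            max_age = int(d.get("max-age", ""))
        except ValueError:
            max_age = 0
            findings.append("HSTS max-age missing or malformed")
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} below baseline {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")

    hpkp = ep["headers"].get("Public-Key-Pins")
    if hpkp is not None and count_pins(hpkp) < MIN_HPKP_PINS:
        findings.append(f"HPKP with {count_pins(hpkp)} pin(s): no backup pin, "
                        "a key rotation would lock clients out")
    return findings


def audit_fleet(endpoints: List[Dict]) -> Dict[str, List[str]]:
    """Audit every record; the result is the impact-analysis input per host."""
    return {ep["host"]: audit_endpoint(ep) for ep in endpoints}


if __name__ == "__main__":
    for host, findings in audit_fleet(SAMPLE_ENDPOINTS).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{host}: {status}")
```

Running it against the constructed sample reports edge-a as clean, edge-b for TLS 1.0, 3DES and a short HSTS policy without includeSubDomains, and edge-c for RC4, a missing HSTS header and a single-pin HPKP policy. The same shape of output, aggregated across a real fleet, is what lets you estimate how many hosts and which client populations a proposed baseline change would affect before you propose it.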

Jan Schaumann

The Internet

Jan Schaumann is an infrastructure and information security engineer and an adjunct professor of computer science. Jan has over 15 years of experience in both small-scale deployments and enormous high-availability infrastructures serving millions of users. Today he spends most of his time worrying about online privacy and infrastructure security and integrity. You can follow him on Twitter as @jschauma.