TLS Session Resumption: Full-speed and Secure
At Cloudflare, the goal is to make websites faster and safer at scale. To achieve this, the company introduced "Universal SSL", which required efficient handling of large volumes of HTTPS traffic. It used two standardized session resumption mechanisms: Session IDs (RFC 5246) and Session Tickets (RFC 5077). For session ID resumption, Cloudflare shares sessions within the Point of Presence (PoP), using a memcached cluster to cache all recently negotiated sessions from all hosts within the same PoP. All cached sessions are encrypted, which enhances the secrecy and security of session keys. For session ticket resumption, Cloudflare designed an in-memory key generator daemon that generates fresh, timestamped keys every hour; these keys are then securely distributed to all hosts across the globe without being written to disk. These measures have made HTTPS performance faster for every user and device on Cloudflare's network.
Company
Cloudflare
Date published
Feb. 24, 2015
Author(s)
Zi Lin
Word count
1182
Hacker News points
None found.
Language
English