The razor's edge: Cutting your TLS baggage

Jan Schaumann shares insights into TLS cipher specs and protocols and threat analysis of dozens of vulnerabilities and attacks and explains how to effect change across a diverse legacy stack, how to collaborate with a significant number of teams on goals that may not be directly in line with their roadmaps, and how to get buy-in from your executives.

Unifying the TLS and HTTPS properties of a 23-year-old company with millions of users across dozens of edge locations while retaining client compatibility and pushing forward the security and privacy of your users’ data is a complex task. Threat analysis of TLS ciphers, protocols, and attacks are one side of the story; effecting change across various teams supporting diverse legacy stack another. Jan Schaumann shares insights into TLS cipher specs and protocols and threat analysis of dozens of vulnerabilities and attacks and explains how to effect change across a diverse legacy stack, how to collaborate with a significant number of teams on goals that may not be directly in line with their roadmaps, and how to get buy-in from your executives. Jan also explores a major initiative that spanned 18 months, beginning with a detailed analysis of the internal SSL and TLS ecosystem before covering the TLS libraries, HTTP serving stacks and HTTPS protections like HSTS and HPKP, cipher and certificate configurations, CA compatibility (e.g., across mobile clients popular in different markets), and IoT compatibility (oh dear!). Drawing on this example, Jan outlines set of requirements and best practices for serving HTTPS across a large edge environment as well as the lessons learned along the way and the unexpected wins and side effects of improving your security posture across your company.