Protip: an incomplete TLS certificate chain will force an interstitial warning on mobile browsers! On desktop, most browsers will automatically fetch the missing intermediate certificates (following the AIA pointer in the leaf certificate), which masks the problem, but on mobile the behavior is the opposite: most browsers will throw a full-page interstitial warning... and you definitely don't want that. Terrible user experience, terrible performance, terrible everything!
How do you know that your servers are configured correctly? You can use a tool like the Qualys SSL Server Test [1] to run a check; it flags missing intermediate certificates in its report ("Chain issues: Incomplete"). Also, as a general tip, don't forget to test on real mobile browsers. That will help you catch stuff like this.
For more on optimizing the certificate chain, see the relevant HPBN (High Performance Browser Networking) section: http://chimera.labs.oreilly.com/books/1230000000545/ch04.html#_certificate_chain_length
Reference: https://plus.google.com/u/0/+IlyaGrigorik/posts/XZbup6LjoTF
Wednesday, 2 July 2014
Monday, 30 June 2014
TLS
A two-part process
Asymmetric cryptography
The handshake: verify the server's certificate and do the public-key operations that agree on the session keys.
This is the expensive part, so it is important to optimize these steps:
- Reuse the connection - do the full handshake once and keep using that connection for the rest of the session.
- Session resumption - reuse the parameters negotiated in a previous session when opening a new connection, so the expensive public-key part of the handshake is skipped (an abbreviated handshake).
- So use HTTP keep-alive (persistent connections, the default in HTTP/1.1; HTTP/1.0 clients need the Connection: Keep-Alive header) so that each request does not pay for a new handshake.
Symmetric cryptography
Used to encrypt the actual application data once the handshake has produced the session keys.
So how does it affect the server load?
Today it is not so expensive: modern CPUs can handle heavy HTTPS traffic loads. The bulk symmetric encryption is cheap, and the handshake cost is what keep-alive and session resumption amortize.
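Both posts above come down to things you can reproduce locally with the openssl CLI: a client that does not fetch missing intermediates rejects a leaf served without its intermediate (the certificate-chain protip), and a second connection that presents a saved session skips the public-key part of the handshake (the session-resumption note). The script below is an added example, not code from either post. It assumes `openssl` (1.1.1 or 3.x) is on PATH and that loopback networking is available; the CA names, the hostname www.example.test and the port are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from either post above. Builds a throwaway
# root -> intermediate -> leaf PKI with the openssl CLI (assumed on PATH),
# then shows: (1) a client that does NOT fetch missing intermediates rejects
# the leaf unless the server also sends the intermediate; (2) a TLS 1.2
# session is resumed on the second connection to a local openssl s_server.
# All names (Example Root CA, Example Intermediate CA, www.example.test) are made up.

# Build the test PKI in a fresh temp directory and print its path.
make_test_pki() {
    dir=$(mktemp -d) || return 1
    # Minimal req config so the script does not depend on the system openssl.cnf;
    # the placeholder CN is always overridden by -subj below.
    printf '[req]\ndistinguished_name = req_dn\nprompt = no\n[req_dn]\nCN = placeholder\n' > "$dir/req.cnf"
    # Extensions for the two CA certificates and for the leaf.
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints = critical, CA:FALSE\nsubjectAltName = DNS:www.example.test\n' > "$dir/leaf.ext"
    (
        set -e
        cd "$dir"
        # Root CA, self-signed.
        openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
            -subj "/CN=Example Root CA" -keyout root.key -out root.csr
        openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.pem
        # Intermediate CA, signed by the root.
        openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
            -subj "/CN=Example Intermediate CA" -keyout int.key -out int.csr
        openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
            -days 30 -extfile ca.ext -out int.pem
        # Leaf (server) certificate, signed by the intermediate.
        openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
            -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr
        openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
            -days 30 -extfile leaf.ext -out leaf.pem
    ) >/dev/null 2>&1 || return 1
    echo "$dir"
}

# Verify a leaf the way a client that does not chase AIA links does: trust only
# the root ($1) and use only what the server sent, i.e. the leaf ($2) plus an
# optional file of intermediates ($3). Returns openssl verify's exit status.
verify_as_client() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Extract "New" or "Reused" from s_client's "<New|Reused>, TLSv1.2, Cipher is ..." line.
handshake_status() {
    awk -F, '/^(New|Reused),/ { print $1; exit }'
}

# Start a TLS 1.2-only s_server on 127.0.0.1:$2 that sends the full chain from
# the PKI in $1, connect twice with s_client (saving the session after the first
# connection, presenting it on the second) and print the status of each handshake.
resumption_demo() {
    dir=$1; port=$2
    openssl s_server -accept "$port" -cert "$dir/leaf.pem" -key "$dir/leaf.key" \
        -cert_chain "$dir/int.pem" -tls1_2 -www >/dev/null 2>&1 &
    server=$!
    sleep 1
    first=$(openssl s_client -connect "127.0.0.1:$port" -tls1_2 -CAfile "$dir/root.pem" \
        -sess_out "$dir/sess.pem" </dev/null 2>/dev/null | handshake_status)
    second=$(openssl s_client -connect "127.0.0.1:$port" -tls1_2 -CAfile "$dir/root.pem" \
        -sess_in "$dir/sess.pem" </dev/null 2>/dev/null | handshake_status)
    kill "$server" 2>/dev/null || true
    wait "$server" 2>/dev/null || true
    echo "$first $second"
}

# Demo run.
PKI=$(make_test_pki) || { echo "could not build test PKI"; exit 1; }
if verify_as_client "$PKI/root.pem" "$PKI/leaf.pem"; then
    echo "leaf alone: verified (unexpected)"
else
    echo "leaf alone (server omitted the intermediate): REJECTED"
fi
if verify_as_client "$PKI/root.pem" "$PKI/leaf.pem" "$PKI/int.pem"; then
    echo "leaf + intermediate (complete chain): verified"
fi
echo "handshakes: $(resumption_demo "$PKI" $((20000 + $$ % 10000)))"   # New Reused
rm -rf "$PKI"
```

The `openssl verify` call deliberately gets no `-untrusted` file in the first case because that is what a mobile browser sees when the server sends only the leaf; desktop browsers hide the same misconfiguration by fetching the intermediate themselves. For a real server, the same check is `openssl s_client -connect host:443 -showcerts` and looking at "Verify return code" (21, "unable to verify the first certificate", is the incomplete-chain signature), and `openssl s_client -reconnect` reports whether sessions are being reused.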