You probably know that you can use Amazon CloudFront to distribute your
content to users around the world with a high degree of security,
low latency and high data transfer speed. CloudFront supports the
use of secure HTTPS connections from the origin to the edge and from
the edge to the client; if you enable this option data travels from
the origin to your end users in a secure, encrypted form.
Today we are making some additional improvements to the performance and security
of CloudFront’s SSL implementation. These features are enabled
automatically and work with the default CloudFront SSL certificate
as well as custom (SNI and Dedicated IP) SSL certificates.
We have improved the performance of SSL connections with the use of Session Tickets and
OCSP Stapling. Both of these features are built in to
the SSL protocol and you don’t have to make any code or configuration changes in order to
use them. In other words, you (and your users) are already benefitting from these
SSL Session Tickets – As part of the
SSL handshake process,
the client and the server exchange multiple packets as part of
a negotiation ritual that results in agreement to use a particular encryption model (cipher) and
certificate. This process entails multiple round trips and a fair amount of computation on both ends which
adds some latency to the connection process. This process has to be repeated if the connection
is broken. To avoid some of this rigmarole while keeping the connection secure,
CloudFront now implements
SSL Session Tickets. After the negotiation is complete, the SSL server
creates an encrypted session ticket and returns it to the client. Later, the client can present
this ticket to the server as an alternative to a full negotiation when resuming or restarting a
connection. The ticket reminds the server of what they have already agreed to as part of an earlier
OCSP Stapling – An SSL certificate must be validated before it can be used. The certificate
authority (CA) for the certificate must be consulted in order to ensure that the certificate is legitimate
and that it has not been revoked. In the absence of support for OCSP Stapling, the client (e.g. a web browser) will take care of this
interaction with the CA, once again at the cost of some round trips and the associated latency they bring.
now implements OCSP Stapling. This approach moves
the burden of domain name resolution (to locate the CA) and certificate validation over to CloudFront, where the results
can be cached and then attached (stapled, hence the name) to one of the packets in the SSL handshake.
The clients no longer need to handle the domain name resolution or certificate validation and benefits
from the work done on the server.
We have added support for Perfect Forward Secrecy and newer SSL ciphers.
Perfect Forward Secrecy – This feature creates a new private key for each
SSL session. In the event that a private key for a session was discovered, it could be used
only to decode that session and no other, past or future.
Newer Ciphers – CloudFront now supports a set of advanced RSA-AES ciphers.
The server and the client agree on a cipher automatically as part of the SSL handshake process.
These new features are available now at no extra charge and you may already be using them today! See
the CloudFront Pricing page for more information.