It wasn’t easy, but Netflix will soon use HTTPS to secure video streams



Netflix will soon use the HTTPS protocol to authenticate and encrypt customer streams, a move that helps ensure what users watch stays secret. The move now leaves Amazon as one of the most noticeable no-shows to the Web encryption party.

Flipping on the HTTPS switch on Netflix's vast network of OpenConnect Appliances (OCAs) has been anything but effortless. That's because the demands of mass movie streaming can impose severe penalties when transport layer security (TLS) is enabled. Each Netflix OCA is a server-class computer with a 64-bit Xeon CPU running the FreeBSD operating system. Each box stores up to 120 terabytes of data and serves up to 40,000 simultaneous, long-lived connections, a load that requires as much as 40 gigabits per second of continuous bandwidth. Like Amazon, Netflix has long encrypted log-in pages and other sensitive parts of its website but has served movie streams over unsecured HTTP connections. Netflix took the unusual step of announcing the switch in a quarterly earnings letter that company officials sent shareholders Tuesday.

Failed experiment

Netflix first experimented with TLS-protecting customer streams six months ago when it dedicated several servers to deliver only HTTPS traffic to a subclass of users and compared the results to similarly situated servers serving HTTP streams. The results weren't encouraging. There was as much as a 53-percent capacity hit. The penalty was the result of the additional computational requirements of the encryption itself and the lost ability to use certain Netflix streaming optimizations. The optimizations involve avoiding data copies to and from a server's user space, something that's not possible with HTTPS turned on.

"This is not a capacity hit we can absorb in the short term, and we estimate the costs over time would be in the $10s to $100's of millions per year," Netflix Director of Streaming Standards Mark Watson wrote in an October 2014 e-mail to W3C public listservs. Netflix decided to forgo the HTTPS rollout until it could get costs in line.

On Wednesday, Watson was back to say Netflix had made enough progress that it was ready to begin rolling out HTTPS for both the entire site and the content itself. Desktop browser tests will be at scale in the next three months, and the job should be completed in the coming year. The performance hit was stemmed by the some TLS optimizations Netflix engineers developed for high-bandwidth FreeBSD applications. The work was presented at this year's Asia BSD conference.

"We now believe we can deploy HTTPS at a cost that, whilst significant, is well justified by the privacy returns for our users," Watson wrote in a follow-up e-mail Wednesday. He didn't quantify the current performance hit or cost that's incurred now.

Watson's account casts a new light on the conventional wisdom often cited by encryption advocates that the costs of switching to full-blown HTTPS are negligible. Netflix's experiments suggest that the costs can be driven down by engineering, but the savings don't come without a considerable amount of work.

"It’s not clear why that was, but I’m guessing it had to do with the way their servers were configured, the types of cipher suites they were using, lack of hardware, etc.," Matt Green, a Johns Hopkins University professor and encryption expert, told Ars. "The fact that they’ve made so much progress in only six months probably means that the improvements were probably not so hard to make."

In a paper that accompanied the Netflix presentation at the Asia BSD conference, engineers from Netflix and FreeBSD laid out a wealth of technical details that helped them realize the performance gains. They wrote:

Read More

Comments

Post a Comment

Popular posts from this blog

NASA’s Super Guppy Gives Mars-Bound Spacecraft A Lift

Image
Today the Orion capsule, NASA’s spacecraft designed to bring humans to Mars, starts its next phase of development at Kennedy Space Center. The remarkable part is that just this morning, that large spacecraft was at NASA’s Michoud Assembly Facility in New Orleans. In order to carry Orion from New Orleans to Cape Canaveral, NASA recruited their Super Guppy aircraft. The Super Guppy has a cargo area that is 25 feet tall, 25 feet wide and 111 feet long. The jumbo plane can carry over 26 tons worth of cargo and is often used by NASA to ferry large components around the country that would take too long (or be impossible) to ship by land or by sea. The Super Guppy’s history dates back to the Apollo program. It was used in the 1960’s to carry parts of the Saturn V rocket from California to Florida. The other option NASA had was to ship rocket stages through the Panama Canal, which would often take weeks or months longer.
Read more

Dell XPS 13 2015 Review and Giveaway

Image
At Consumer Electronics Show 2015, Dell’s XPS 13 2015 edition swept the awards for laptops, particularly in the $800 price range. Considering the sheer quality of its competition, this was no easy feat. But, dude, are you getting a Dell? Read on to find out. Before going private, Dell’s sales weren’t doing great. It had slipped from the top PC seller to somewhere near sixth place in 2007. After a contested buyout in November of 2013, Dell’s future looked uncertain. However, its movements following the acquisition proved shrewd. Rather than releasing a deluge of models, as they had under public ownership, Dell refocused its efforts on building better products. The Dell XPS 13 2015 edition is part of the first line of laptops and tablets released following its departure from public ownership. The new line of Ultrabooks still use Dell’s made-to-order approach. Buyers configure their device online, selecting from a large number of parts and value-added options, with a base price of ...
Read more

Who To Follow On Twitter, According To Marc Andreessen

Image
Well-known Tweetstormer and investor Marc Andreessen has produced a list of his favorite people to follow on Twitter. He was prompted to do so by an article in The Information called “Silicon Valley’s Frontman Problem” by Jessica Lessin, who questioned if the industry leaders most often quoted by the media (she cited Andreessen, Elon Musk, and Peter Thiel) really “represent the views of the broader Silicon Valley community.” “The more media coverage Silicon Valley gets, the more important it is that other voices get heard,” Lessin wrote. (In addition to Lessin’s thought piece, New York magazine also just published an interview with Andreessen, in which he talked about the cultural changes in Silicon Valley since he arrived in 1994 and diversity in the tech industry, among other topics.) His list “only a highly abridged selection,” Andreessen (@pmarca) tweeted, but a helpful one because his public list of tech industry-related accounts has over 600 members. Since Andreessen’s ...
Read more