Google Hastens Secure Connections In Chrome - InformationWeek

5/20/2011
05:15 PM

Google Hastens Secure Connections In Chrome

An experimental technique for making secure network connections more quickly delivers "stunning" results.

When a Web client attempts to establish a secure connection with a Web server using the SSL/TLS protocol, it's a formal process, with more back-and-forth negotiation than necessary.

Google is fanatically devoted to speed, because Web apps depend on speed to compete with desktop apps and slow response times lead to a poor user experience. So last year, Google's computer scientists proposed a way to shorten the technical handshake ritual.

Now their proposal, Transport Layer Security (TLS) False Start, has been tested and the results are in: SSL False Start significantly reduces the amount of time required to establish a secure connection.

"We implemented SSL False Start in Chrome 9, and the results are stunning, yielding a significant decrease in overall SSL connection setup times," explained Google software engineer Mike Belshe in a blog post. "SSL False Start reduces the latency of a SSL handshake by 30%. That is a big number."

Belshe notes that this is particularly important because more and more companies are making SSL the default method of connection. Facebook and Twitter both did so earlier this year.

SSL protects information sent over a network from being easily accessed by those in a position to intercept the data packets. The now infamous Firesheep browser plug-in enables a form of interception known as a man-in-the-middle attack.

Google made SSL an option in Gmail in 2008 and turned it on by default in 2010.

Shortly thereafter, in May 2010, departing FTC commissioner Pamela Jones Harbour urged Internet companies to deploy SSL to keep users secure.

"Security needs to be a default in the cloud," she said in a speech at an FTC workshop last year. "Today, I challenge all of the companies that are not yet using SSL by default--that includes all email providers, all social networking sites, and any website that transmits consumer data--step up and protect consumers."

Google, meanwhile, has been working to minimize the possibility that its technical changes to Chrome might break some websites. It tested its SSL False Start system against its list of known Web sites using HTTPS, which happens to be a pretty extensive list given the company's considerable experience indexing Web sites. Only 0.4% of HTTPS sites couldn't handle SSL False Start. After winnowing that list down further, Google reached out to SSL vendors offering incompatible software, and the company now has what Belshe calls "a manageable, small list of domains where SSL FalseStart doesn't work."

When visiting sites on that list, Google Chrome doesn't use SSL False Start, so as not to break anything. Belshe says Google expects this list will get smaller over time.
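
The handshake ordering and the fallback list described above, as an added example that is not from the article, Google or Chrome: a flight-level Python model of a full SSL/TLS handshake (as in TLS 1.2 and earlier) showing when the client's first request leaves, with and without False Start. The host names, the 100 ms round-trip time and the function names are constructed for illustration.

```python
# Constructed stand-in for the browser's list of hosts that fail with
# False Start; the names are hypothetical, not entries from Chrome's list.
INCOMPATIBLE_HOSTS = {"legacy.example"}

REQUEST, RESPONSE = "ApplicationData(request)", "ApplicationData(response)"


def handshake_timeline(rtt_ms, false_start):
    """Return (events, response_at_ms); an event is (send_ms, sender, messages)."""
    one_way = rtt_ms / 2
    events = [(0.0, "client", ["ClientHello"])]
    t = one_way  # ClientHello arrives at the server
    events.append((t, "server", ["ServerHello", "Certificate", "ServerHelloDone"]))
    t += one_way  # server flight arrives at the client
    flight = ["ClientKeyExchange", "ChangeCipherSpec", "Finished"]
    if false_start:
        # The request rides behind the client's Finished, before the
        # client has seen and verified the server's Finished.
        flight.append(REQUEST)
    events.append((t, "client", flight))
    t += one_way  # client flight arrives at the server
    flight = ["ChangeCipherSpec", "Finished"]
    if false_start:
        flight.append(RESPONSE)
    events.append((t, "server", flight))
    t += one_way  # server Finished arrives at the client
    if not false_start:
        # Classic ordering: wait for the server's Finished, then send.
        events.append((t, "client", [REQUEST]))
        t += one_way
        events.append((t, "server", [RESPONSE]))
        t += one_way
    return events, t


def request_sent_at(events):
    """Time at which the client first puts application data on the wire."""
    return next(ts for ts, sender, msgs in events if sender == "client" and REQUEST in msgs)


def plan_connection(host, rtt_ms):
    """Use False Start unless the host is on the incompatibility list."""
    use_fs = host.lower() not in INCOMPATIBLE_HOSTS
    events, response_at = handshake_timeline(rtt_ms, use_fs)
    return {"host": host, "false_start": use_fs,
            "request_sent_ms": request_sent_at(events), "response_ms": response_at}

if __name__ == "__main__":
    print([plan_connection(h, 100) for h in ("shop.example", "legacy.example")])
```

In this model the request leaves one round trip earlier with False Start, and a host on the list falls back to the classic ordering.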
