Amazon flicks switch on CloudFront security features

Amazon has beefed up security on its CloudFront services, adding Perfect Forward Secrecy, OCSP stapling and session tickets to its SSL support. The company describes the new AWS features in full in this blog post. Session tickets are designed to improve performance, particularly in the case of an interrupted session between …

  1. mirobaka

    "The certificate status is then “stapled” to the SSL handshake, yielding benefits to both performance and convenience (and security, since users generally know very little about certificates anyhow)."

    Whoever wrote this appears to know very little about certificates either.

    OCSP stapling makes absolutely no difference to the user or security. All it does is allow the server to collect the OCSP response and present it to the client, rather than the end user's machine having to go collect it from the CA. It's a backend solution to the main problem with OCSP: the additional overhead of having every single client requesting the status of each certificate every single time anyone connects. Now a server can request a single response and then pass it on to every client.

    The only security advantage of OCSP stapling is that it makes OCSP more feasible in many cases, allowing for it to replace CRLs (which generally have a longer lifetime and therefore will take longer to propagate revoked certificates). It makes no difference to convenience (unless we are referring to the convenience of the client machine, which is an odd concept. I'd call that "performance").

    "users knowing very little about certificates" is irrelevant, as the process is completely invisible to the user.
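The relay the commenter describes (server fetches one CA-signed OCSP response and hands it to every client in the handshake) can be verified from the client side; this is an added example, not code from the article or the commenter, and the host and function names are assumptions. It classifies the text that `openssl s_client -status` prints, so the same parser runs over a saved transcript or a live connection.

```shell
#!/bin/sh
# Added example: detect whether a TLS server staples an OCSP response and what
# status the staple carries, by parsing `openssl s_client -status` output.

# classify_staple reads an s_client transcript from stdin and prints one of:
#   stapled-good, stapled-revoked, stapled-other, not-stapled
# Exit status: 0 = good staple, 2 = revoked, 1 = missing or unusable staple.
classify_staple() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo not-stapled
        return 1
    fi
    if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo stapled-other
        return 1
    fi
    # The stapled response is signed by the CA (or its delegated responder), so
    # the server can relay it but cannot change the status it carries; it is
    # only trustworthy until the "Next Update" time printed alongside it.
    if printf '%s\n' "$out" | grep -q 'Cert Status: good'; then
        echo stapled-good
        return 0
    elif printf '%s\n' "$out" | grep -q 'Cert Status: revoked'; then
        echo stapled-revoked
        return 2
    fi
    echo stapled-other
    return 1
}

# check_staple performs a live check (assumed helper; needs network + openssl).
# Usage: check_staple example.com [443]
check_staple() {
    host=$1
    port=${2:-443}
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null \
        | classify_staple
}
```

A server that does not staple prints `OCSP response: no response sent`, in which case the client must fetch the status itself (or, as browsers commonly do, quietly skip the check).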

  2. Anonymous Coward

    Good start..

    .. now all they have to do is stop being a US company.
