Amazon CloudFront Turns on Perfect Forward Secrecy

Amazon Web Services announced that it has turned on Perfect Forward Secrecy and other SSL improvements for its CloudFront content delivery platform.

Add Amazon to the growing list of technology providers making sure their encryption deployments do better than the bare minimum.

Yesterday, the company announced that its web content delivery platform, Amazon CloudFront, had turned on Perfect Forward Secrecy, alongside a number of changes designed to improve the performance of its SSL connections.

Perfect Forward Secrecy means that every session is protected by a fresh, ephemeral key-exchange key that is thrown away once the connection ends, rather than by the server's long-term private key. If that long-term key is compromised someday, it cannot be used to decrypt a session that was recorded earlier. As intelligence agencies scoop up private communication and Internet traffic, some of it encrypted, forward secrecy keeps that recorded data safe long into the future, even if the server key is later seized, leaked or broken.
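To make the property concrete, here is an added example that is not AWS code and not taken from Barr's post. It simulates the two situations with finite-field Diffie-Hellman using only Python's standard library: a server that reuses its long-term key in every key exchange, which is the position static RSA key transport is in, and a server that generates a fresh ephemeral key per connection, as the ECDHE and DHE ciphers do. The group is the 2048-bit MODP group from RFC 3526 (group 14). The SHA-256 key derivation, the HMAC-based stream cipher, the omitted signature over the ephemeral value and the sample request line are this example's own stand-ins, chosen so that the script runs offline; they are not the TLS key schedule or record layer.

```python
"""Forward secrecy with finite-field Diffie-Hellman (added example, not
AWS or CloudFront code).

A "static" server uses its long-term DH key in the key exchange itself,
so anyone who later learns that key can rederive every recorded session
key.  An "ephemeral" server makes a fresh DH pair per connection and uses
the long-term key only to vouch for it; the signature is left out because
it does not change what a passive eavesdropper can recover afterwards.
"""
import hashlib
import hmac
import secrets

# 2048-bit MODP group, RFC 3526 group 14, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def dh_keypair():
    """Return (private exponent, public value). A 256-bit exponent is the
    usual size for this group and keeps the exponentiations quick."""
    priv = secrets.randbits(256) | (1 << 255)
    return priv, pow(G, priv, P)


def derive_session_key(peer_pub, own_priv):
    """Stand-in for the TLS key schedule: hash the DH shared secret."""
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(256, "big")).digest()


def keystream_xor(key, data):
    """Encrypt/decrypt by XOR with an HMAC-SHA256 counter keystream.
    Stand-in for the record cipher; no integrity protection, demo only."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), "sha256").digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def run_session(server_long_term, message, ephemeral):
    """One client/server exchange. Returns what an eavesdropper on the wire
    records (both public values plus the ciphertext) and the true session
    key, which only the two endpoints ever hold."""
    lt_priv, lt_pub = server_long_term
    if ephemeral:
        srv_priv, srv_pub = dh_keypair()      # fresh per connection, then discarded
    else:
        srv_priv, srv_pub = lt_priv, lt_pub   # long-term key reused for key exchange
    cli_priv, cli_pub = dh_keypair()
    key = derive_session_key(srv_pub, cli_priv)
    assert key == derive_session_key(cli_pub, srv_priv)
    transcript = {"client_pub": cli_pub, "server_pub": srv_pub,
                  "ciphertext": keystream_xor(key, message)}
    return transcript, key


def recover_with_long_term_key(transcript, lt_priv):
    """The retrospective attack: a recorded transcript plus the server's
    long-term private key obtained later. Returns the plaintext, or None
    when the long-term key does not control the value actually exchanged."""
    if pow(G, lt_priv, P) != transcript["server_pub"]:
        return None
    key = derive_session_key(transcript["client_pub"], lt_priv)
    return keystream_xor(key, transcript["ciphertext"])


def demo(message=b"GET /private/report.pdf HTTP/1.1"):
    """Constructed scenario: one long-term key, one session of each kind,
    then the key leaks and the attacker tries both recordings."""
    long_term = dh_keypair()
    static_transcript, _ = run_session(long_term, message, ephemeral=False)
    dhe_transcript, _ = run_session(long_term, message, ephemeral=True)
    return {
        "static": recover_with_long_term_key(static_transcript, long_term[0]),
        "ephemeral": recover_with_long_term_key(dhe_transcript, long_term[0]),
    }


if __name__ == "__main__":
    result = demo()
    print("static exchange, key leaked later   :", result["static"])
    print("ephemeral exchange, key leaked later:", result["ephemeral"])
```

Running it recovers the request line from the static session and returns None for the ephemeral one. Two caveats a practitioner should keep in view: forward secrecy neutralises only a retrospective, passive attacker, so whoever holds the long-term key can still impersonate the server in new handshakes; and session tickets encrypted under a long-lived ticket key reintroduce the same exposure for resumed sessions unless that key is rotated.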

Google, Dropbox, Facebook and Twitter have Perfect Forward Secrecy enabled on all their respective services, while Microsoft and Yahoo are among a host of others planning to have it turned on by the end of the year.

Jeff Barr, chief evangelist for Amazon Web Services, said yesterday that the new SSL features are enabled automatically for CloudFront users and work with the default CloudFront SSL certificates. Barr also announced support for a set of advanced RSA-AES ciphers, and performance improvements through the implementation of Session Tickets and OCSP Stapling.

“Both of these features are built in to the SSL protocol and you don’t have to make any code or configuration changes in order to use them,” Barr said. “In other words, you (and your users) are already benefitting from these improvements.”

SSL Session Tickets cut out some of the latency introduced during the SSL handshake, Amazon said.

“After the negotiation is complete, the SSL server creates an encrypted session ticket and returns it to the client. Later, the client can present this ticket to the server as an alternative to a full negotiation when resuming or restarting a connection,” Barr said. “The ticket reminds the server of what they have already agreed to as part of an earlier SSL handshake.”

OCSP Stapling, meanwhile, eliminates the need for clients such as browsers to contact the Certificate Authority's OCSP responder themselves to check that the server's certificate has not been revoked.

“This approach moves the burden of domain name resolution (to locate the CA) and certificate validation over to CloudFront, where the results can be cached and then attached (stapled, hence the name) to one of the packets in the SSL handshake,” Barr said. “The clients no longer need to handle the domain name resolution or certificate validation and benefit from the work done on the server.”

Barr said the new features are free and in place today.
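The quickest way to confirm that a distribution (or any TLS endpoint) really offers these features is to look at an `openssl s_client -connect HOST:443 -status` handshake. The Python below is an added example, not part of the article and not AWS tooling: it parses the relevant lines of that output and reports whether the negotiated cipher uses an ephemeral key exchange, whether a session ticket was issued and whether an OCSP response was stapled. The two transcripts are constructed samples trimmed to the lines the parser reads, with made-up session IDs and ticket bytes; `assess` and `findings` are this example's own names. It also goes slightly beyond the article by treating any TLS 1.3 suite as forward secret, which is true of the protocol as standardised.

```python
"""Check an `openssl s_client -status` transcript for forward secrecy,
session tickets and OCSP stapling (added example; constructed samples)."""
import re

# Constructed sample of `openssl s_client -connect HOST:443 -status` output,
# cut down to the lines this parser reads (certificate dumps removed).
# Session IDs and ticket bytes are invented.
STAPLED_PFS = """\
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Mar 10 12:00:00 2014 GMT
    Next Update: Mar 17 12:00:00 2014 GMT
======================================
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 6A1F0C3B9D2E4F5A6B7C8D9E0F1A2B3C4D5E6F708192A3B4C5D6E7F8091A2B3C
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 8f 2a 1c 4d 9b 00 7e 31-c0 55 ae 12 6d f3 48 9a   .*.M...1.U..m.H.
"""

# Same endpoint type with nothing enabled: static RSA suite, no ticket,
# and the line s_client prints when the server staples nothing.
NO_STAPLE_STATIC = """\
CONNECTED(00000003)
OCSP response: no response sent
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA
    Session-ID: 0D9E8F7A6B5C4D3E2F1A0B9C8D7E6F5A4B3C2D1E0F9A8B7C6D5E4F3A2B1C0D9E
"""

PFS_PREFIXES = ("ECDHE-", "DHE-")


def assess(s_client_output):
    """Pull the security-relevant fields out of an s_client transcript."""
    def grab(pattern):
        m = re.search(pattern, s_client_output, re.M)
        return m.group(1) if m else None

    protocol = grab(r"^\s*Protocol\s*:\s*(\S+)")
    cipher = grab(r"^\s*Cipher\s*:\s*(\S+)")
    if cipher == "0000":            # printed when no handshake completed
        cipher = None
    # TLS 1.2 suites spell their key exchange in the name; every TLS 1.3
    # suite uses an ephemeral exchange, so the protocol alone settles it.
    forward_secrecy = bool(cipher) and (
        cipher.startswith(PFS_PREFIXES) or protocol == "TLSv1.3")
    # TLS 1.2 tickets show up inside SSL-Session; OpenSSL 1.1.1+ reports
    # TLS 1.3 tickets, which arrive after the handshake, on their own line.
    session_ticket = (
        re.search(r"^\s*TLS session ticket:", s_client_output, re.M) is not None
        or "Post-Handshake New Session Ticket arrived" in s_client_output)
    ocsp_status = grab(r"^\s*OCSP Response Status:\s*(\w+)")
    return {
        "protocol": protocol,
        "cipher": cipher,
        "forward_secrecy": forward_secrecy,
        "session_ticket": session_ticket,
        "ocsp_stapled": ocsp_status == "successful",
        "cert_status": grab(r"^\s*Cert Status:\s*(\w+)"),
    }


def findings(report):
    """Turn the parsed fields into the points a reviewer would raise."""
    problems = []
    if not report["forward_secrecy"]:
        problems.append(f"no forward secrecy: negotiated cipher {report['cipher']}")
    if not report["session_ticket"]:
        problems.append("no session ticket issued; resumption needs a full "
                        "handshake or a server-side session cache")
    if not report["ocsp_stapled"]:
        problems.append("no OCSP response stapled; clients must fetch "
                        "revocation status from the CA themselves")
    elif report["cert_status"] != "good":
        problems.append("stapled OCSP response reports certificate status "
                        f"{report['cert_status']}")
    return problems


if __name__ == "__main__":
    for name, sample in (("stapled, ECDHE", STAPLED_PFS),
                         ("plain", NO_STAPLE_STATIC)):
        report = assess(sample)
        print(name, report)
        for problem in findings(report) or ["no findings"]:
            print("  -", problem)
```

Feed it real output by piping `openssl s_client -connect HOST:443 -servername HOST -status < /dev/null` into a file and passing the text to `assess`. A stapled response that is "successful" but whose `Cert Status` is not `good` is the case worth alerting on: the server is dutifully stapling proof that its own certificate has been revoked.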

Rich Mogull, CEO of security consultancy Securosis, said the addition of these services not only makes transactions on the platform more secure, but simpler for organizations relying on the platform to deliver content.

“It’s a big deal in the sense that things that are complex for users to implement themselves now become a check box,” Mogull said. “AWS already had some of these (maybe all) for their Elastic Load Balancers as of a few months ago, and I’ve been recommending customers use them. It’s an example of how a cloud provider can enable better security, more easily, than going it alone.”

This article was updated at 6 p.m. with comments from Securosis.
