Part 4 - TLS, Performance, More JS, and Progressive Web Apps Flashcards
4th part of the course, Optimizing, new techniques, and a lil bit of security
What is TLS?
Transport Layer Security
- Transport Layer: works on top of TCP/UDP
- Fully integrated with QUIC
- TLS is primarily used to secure data during transmission
What is HTTP inside of TLS called?
HTTPS
How does TLS ensure identity?
With TLS I can ensure the server I’m connected to is the server I meant to connect to.
This is done with certificates.
A certificate works like an ID card.
The server sends a certificate with its domain name (called a “Common Name”) and a big number called a public key.
The certificate also includes other details, such as who made it, for example, “Bank Inc.”
What does the certificate the server sends (in TLS) contain that is so crucial?
cryptographic signature
What are signed certificates?
The certificate’s signature is unique to that certificate.
If you change the public key or the domain name, the signature won’t match anymore.
The certificate’s signature also comes from a specific entity that made that signature.
It tells us who signed it, and only they could have produced that signature.
No one else can pretend to have signed the certificate, or the signature won’t match.
Explain how Cryptographic Signatures work
I make a private key and a public key as a part of a cryptographic signature algorithm.
I keep my private key secret, known only to me.
I give away my public key to the whole world so everyone knows it’s my public key.
I make signatures by combining my private key with some other information I want to sign. In this case it's the bank's domain name and the bank's own public key (a different key from mine).
You can check my signature by using my public key (which I already gave you) together with the signature and the information that was signed.
What is a Certificate Authority?
In an example with a bank,
A certificate authority uses their private key to sign the bank’s certificate.
The bank sends their certificate to you so you can check it.
You have the CA’s public key.
You combine it with the bank's certificate.
I.e., the entity that uses its private key to sign the certificate
What is the TLS handshake?
TCP Handshake
Client sends TLS “hello”
Server sends TLS “hello”
Client verifies server certificate
Client and server agree on an encryption key
Client sends encrypted “ready”
Server sends encrypted “ready”
What are Cipher Suites?
Client and server agree on crypto algorithm to use during handshake
Many different crypto algorithms are available
So then generally, how do we avoid security problems?
TLS everything
Make sure all traffic to/from your web app is running over TLS
Example: it may not help if only login is over TLS because an attacker can replace your TLS-encrypted login page with an unencrypted one by replacing the link on the unencrypted main site
How do we avoid TLS security problems?
Keep software up to date
No Windows XP
Don’t communicate with out-of-date software
Example: if something on your site is meant to be secret, even one bad client can leak the secret!
How is performance measured in web development?
It is a non-functional requirement
measured as:
- Concurrency (# of requests or users at once)
- Latency (ms)
- Volume (requests/second)
- Bandwidth (bytes/second)
- Utilization (percent)
What are the things we have to do before we optimize?
Make sure you have a performance problem.
Measure all of our performance metrics
Record these numbers
Compare performance after changes
Run tests
What are the techniques of optimization?
Caching
Reduce # of round trips
Reduce download size
Asynchronous communication
How does Caching affect performance?
Caching increases locality
Content/data is closer to where it is needed
Locality increases available bandwidth
Locality decreases latency
What are the levels we can cache?
CPU
Memory (RAM)
Disk
Network
What are the levels of HTTP caching?
Browser cache (memory/disk)
Near reverse proxy cache server or CDN (Network)
Far reverse proxy cache server (Network, but higher latency and lower bandwidth)
Original server
Browser Caching
Fastest
Force-refresh with control-shift-R
Browser manages balance between RAM and disk
Private windows typically won’t use disk at all
What is the difference between tracking state and caching?
Server tracking state and changing its response depending on state prevents effective caching
Authentication is a kind of state
→ Authentication prevents caching
Limit stateful and authenticated server content
Separate out content that needs to be stateful/authenticated from content that can be public and shared!
What should you avoid for static content?
Cookies and Auth