
The First Few Milliseconds of an HTTPS Connection (2009) - dhotson
http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html
======
stingraycharles
In addition to this, with SPDY around, these first milliseconds are becoming
even more important. Since SPDY requires some sort of negotiation between
server and client to agree they both support the protocol, this creates a
problem for the first request: how do you know a server supports SPDY without
having seen a response from said server? Note that the regular HTTP Accept
negotiation is not enough since the browser should already pipeline multiple
requests before having seen a response.

Since the designers of SPDY also figured security is important, they made use
of TLS' protocol negotiation feature: they actually announce themselves as a
TLS protocol in these first milliseconds of a HTTPS connection. Brilliant.

For more information, see: [http://www.chromium.org/spdy/spdy-protocol/spdy-
protocol-dra...](http://www.chromium.org/spdy/spdy-protocol/spdy-protocol-
draft2#TOC-Server-Advertisement-of-SPDY-through-TLS-NPN-extension)

~~~
driax
SPDY requires that you run it inside TLS. Within the already existing TLS
handshake the client and server can advertise that they support SPDY instead
of HTTP.

The way you describe it comes of as more complicated?!

Of the things to note is that nothing of SPDY describes encryption, which is
why a lot of people have thought about using it without TLS via some other
negotiation strategy (but nobody have really implemented this, since the value
is only minor/non-existent outside internal networks).

~~~
stingraycharles
How does what I describe differ from SPDY using a TLS handshake as advertising
SPDY support? In any case, it was my intention to explain exactly that.

------
flixic
Such a great article, true Hacker News material. Does not assume much
knowledge about the field, yet still allows for a much deeper understanding of
mechanics involved.

~~~
triplesec
Agreed. Brilliant, and as someone who has been looking for accessible (for
numerates) ways of learning about these such things I can't thank the poster
enough.

------
stalled
Previous discussion (2009):
[https://news.ycombinator.com/item?id=650914](https://news.ycombinator.com/item?id=650914)

~~~
dhotson
Yep, sorry for the repost.

I figured that enough time had passed since the last time since it's such an
excellent article. ;-)

~~~
dencold
Please don't apologize! I don't know how many times I've googled for this type
of thing, only to end up with a handful of stack overflow articles that don't
even scratch the surface. This is one of the best reads I've seen on HN in a
long time. Thank you!!

------
gatestone
This reminds me of an old project. Explain all the bits that are communicated
and computed across all APIs involved, when a user presses a key, and a set of
pixels appear on the screen spelling "a".

~~~
notacoward
About twenty years ago, I was able to do something pretty much like this for
typing "cat file" \- e.g. syscall interface, tty drivers, network protocols,
filesystems, SCSI plus pervasive things like schedulers and memory managers. I
can't do that any more, though, because I've become more of a storage
specialist and some of the parts I haven't kept with have changed immensely.
Also, some of the implementations of those parts in Linux are frankly insane
and I no longer enjoy panning through a ton of dirt for a few flecks of gold.

~~~
hyperpape
I wouldn't mind seeing that, even for a 20 year old system.

~~~
eksith
Ditto. I'd still love to see whatever tidbits are available if only for
historic reasons, which in itself is quite valuable. Might be also fun to see
a before and after if someone else does an up to date version too.

------
chime
Does this mean in SSL, the host name is not plain-text but in TLS it is?

To me, it seems better to use a possible-to-crack SSL with hidden hostname vs.
hard/impossible to crack TLS where anyone can see I'm trying to go to
[https://anonymous-upload.wikileaks.org](https://anonymous-
upload.wikileaks.org).

~~~
lucian1900
They can see that anyway if they intercept the traffic anyway, since the IP
will be in all packets. Even better, the TCP connection will end up creating
routing tables on all hops along the way.

~~~
masomenos
Unless there are multiple secured domains hosted on that IP address, in which
case knowing the domain would be extra information.

~~~
richardwhiuk
You can't have multiple secure domains on a single host which don't require
the user to know a non-standard port without exposing the domain in plain text
as part of SNI.

~~~
RKearney
You can if you have a certificate with multiple domain names in the SAN[0]
field.

[0]
[http://en.wikipedia.org/wiki/SubjectAltName](http://en.wikipedia.org/wiki/SubjectAltName)

------
windsurfer
Why is this so complicated?

~~~
ihsw
Because good security is _hard_.

------
macca321
Jeff Moser's blog is awesome.

~~~
wkdown
"was". He hasn't posted since Nov 2011

------
antonpug
Nice analysis. But why is this trending now? This is from 2009.

~~~
prawn
Discovered or rediscovered by someone, and seemingly new to some on here or
still appreciated by enough others to upvote.

FWIW, it was the first time I'd seen it. Very comprehensive.

------
RcouF1uZ4gsC
Great article.

------
ehosca
excellent. thanks for posting.

