
SoylentNews is people

posted by martyb on Tuesday August 09 2016, @08:56AM
from the I-can't-see-what-you-did-there dept.

http://www.tomshardware.com/news/netflix-efficient-https-video-streams,32420.html

Netflix announced that it has implemented efficient HTTPS encryption for its video streams. To this point, the company has used only HTTPS to protect user information. Netflix has been reluctant to adopt HTTPS for its video streams so far because delivering video is already a bandwidth-heavy task, and adding encryption on top of that risked adding too much overhead. To solve this problem, the company searched for the ideal cipher and its fastest implementation.

Netflix eventually chose the Advanced Encryption Standard (AES) cipher in Galois/Counter Mode (GCM), which is available only in TLS 1.2 and later. The company chose GCM over the Cipher Block Chaining (CBC) method because it can encrypt and authenticate the message simultaneously, whereas AES-CBC requires an additional pass over the data to generate keyed-hash message authentication code (HMAC). The latter can still be used as fallback for older browsers and client software that don't support TLS 1.2. However, it shouldn't be too long until virtually all Netflix users can play video streams over TLS 1.2 or later.

The company also tested which were the fastest implementations of AES-GCM in various TLS libraries such as OpenSSL, Google's BoringSSL, and Intel's Intelligent Storage Acceleration Library (ISA-L). The implementations had to work best with AES-NI, the instruction set for Intel and AMD processors that significantly accelerates encryption and decryption. [...] Netflix then tested the BoringSSL and ISA-L AES-GCM implementations and compared them with a baseline OpenSSL implementation. Both managed to increase the performance over the baseline OpenSSL implementation by 30%. Ultimately, Netflix chose the ISA-L library for slightly better performance than BoringSSL. The company is now optimistic that it can add HTTPS encryption to all of its streaming clients without suffering too much of a performance hit compared to the unencrypted versions.
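
The GCM versus CBC-plus-HMAC difference described in the summary, as an added Go example using only the standard library (not code from Netflix, Tom's Hardware or any TLS library). The function names, the fixed demo keys and the all-zero nonce/IV are constructed for illustration, and the CBC half is a generic encrypt-then-MAC composition rather than the TLS record layout; a real sender needs a nonce that never repeats under one key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

func block(key []byte) cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key must be 16, 24 or 32 bytes
	}
	return b
}
// AES-GCM: one Seal call encrypts and appends a 16-byte tag, using one key.
func gcm(key []byte) cipher.AEAD {
	aead, _ := cipher.NewGCM(block(key)) // cannot fail for AES's 16-byte block
	return aead
}
// AES-CBC + HMAC-SHA256: a second key and a second pass over iv||ciphertext.
func tag(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}
func sealCBC(encKey, macKey, iv, pt []byte) []byte {
	pad := aes.BlockSize - len(pt)%aes.BlockSize // PKCS#7 padding
	msg := append(append(append([]byte{}, iv...), pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block(encKey), iv).CryptBlocks(msg[16:], msg[16:])
	return append(msg, tag(macKey, msg)...) // iv || ciphertext || 32-byte tag
}
func openCBC(encKey, macKey, msg []byte) ([]byte, error) {
	n := len(msg) - sha256.Size
	if n < 32 || n%16 != 0 || !hmac.Equal(tag(macKey, msg[:n]), msg[n:]) {
		return nil, fmt.Errorf("rejected: bad length or tag") // checked before decrypting
	}
	pt := append([]byte{}, msg[16:n]...)
	cipher.NewCBCDecrypter(block(encKey), msg[:16]).CryptBlocks(pt, pt)
	return pt[:len(pt)-int(pt[len(pt)-1])], nil // padding trusted: the tag verified
}

func main() {
	k, mk := bytes.Repeat([]byte{1}, 16), bytes.Repeat([]byte{2}, 32) // constructed demo keys
	ct := gcm(k).Seal(nil, make([]byte, 12), []byte("segment"), nil)   // zero nonce: demo only
	fmt.Println(len(ct), len(sealCBC(k, mk, make([]byte, 16), []byte("segment"))))
}
```

Both constructions reject a modified message; the GCM path does so with one key and one call, while the CBC path carries a second key, padding and a separate MAC computation.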


  • (Score: 2, Touché) by Anonymous Coward on Tuesday August 09 2016, @10:03AM

    by Anonymous Coward on Tuesday August 09 2016, @10:03AM (#385703)

    But what of network neutrality? Now those ISPs who are doing deep packet inspection for your convenience will have to resort to more technical trickery to ensure all your encrypted video is zero-rated to ensure neutrality for all. Think of the poor ISPs who will need to replace their deep packet inspectors. For a neutral network!

  • (Score: 2) by NCommander on Tuesday August 09 2016, @11:53AM

    by NCommander (2) on Tuesday August 09 2016, @11:53AM (#385722)

    By definition, they can't MITN SSL traffic if Netflix is doing it right. If they're doing key pinning, then unless ISPs can break RSA-2048, it would be impossible to MITN without detection.

    --
    Still always moving
    • (Score: -1, Flamebait) by Anonymous Coward on Tuesday August 09 2016, @12:44PM

      by Anonymous Coward on Tuesday August 09 2016, @12:44PM (#385738)

      Who said anything about nigger-in-the-middle? Deep packet inspection still works on SSL traffic. There's enough data in the SSL headers to choose to zero-rate some traffic and not other traffic. How is that a neutral nigger network?

    • (Score: 0) by Anonymous Coward on Tuesday August 09 2016, @02:01PM

      by Anonymous Coward on Tuesday August 09 2016, @02:01PM (#385753)

      I think the woosh was encrypted as well, since you didn't hear it.

      The poster you have politely refuted was indicating that this is going to cause a spying related inconvenience that is done ostensibly "for her pleasure" based on not asking her if it feels good, but because it sounds better when phrased that way to help alleviate concerns that capturing all content to profit from its analyzation and marketing it is somehow in the user's interest because the ads displayed mid-stream that otherwise were injected were also relevant based on previously spied upon internet use.

    • (Score: 2) by TheRaven on Wednesday August 10 2016, @09:49AM

      by TheRaven (270) on Wednesday August 10 2016, @09:49AM (#386196)
      Big ISPs all have Netflix OpenConnect appliances in their own datacentres. They don't need to know what film you're watching, they can easily just throttle all of the traffic going to that box if they want to make their own streaming service look better.
      --
      sudo mod me up