One Tuning to improve Performance and Security
- Josef Mayrhofer

- Sep 4, 2025
We all appreciate fast and secure systems, but stronger security does not necessarily come with better performance. One prominent example is multi-factor authentication. This extra step protects users from password-related attacks, but at the same time, it creates more friction and lengthens the login procedure.
Tradeoff security vs user experience
The paper "Why Johnny Can't Encrypt" outlines that cryptography fails because of user-related errors. Poor user experience or unclear processes can have a detrimental effect on security. One prominent example is the handling of crypto wallets or keys. Users have lost billions worldwide due to such user-related errors or flaws in the user interface.
We also know that customers rate functionality over performance and security. The majority of our end-users will avoid complex security configurations because ease of use is more critical than data privacy.
Better security & better performance
Modern security approaches should always support the mission. In the past, enterprises built security policies for everything, and from development through operations, the entire team suffered. Luckily, these times are coming to an end. This compliance-driven security approach hinders time to market and fails to address real cybersecurity threats.
TLS 1.3 Single Round-Trip
One example of these outstanding improvements is the adoption of TLS 1.3 (Transport Layer Security). In TLS 1.2, the client sends data to the server, waits for a response, then sends more data and waits for the server's response again before it can send encrypted messages. That is two full round-trip times, which may not sound significant, but if your server is located on the other side of the world, this adds up to 300 milliseconds or more for each TLS handshake. Popular services handle thousands of TLS sessions per second. To improve security and speed, TLS 1.3 completes the handshake in a single round trip, saving hundreds of milliseconds per TLS handshake.
TLS 1.3 and Session resumption
Another trick, called session resumption, can further speed up TLS handshakes. By reusing the key from a previous session, the client can send encrypted data immediately. This brings excellent performance improvements for revisiting users, reduces certificate and key exchange-related overhead, and improves user experience by providing better response times.
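The TLS 1.3 offer and the resumption attempt described in the two sections above are both visible in the first message a client sends. The following is an added example, not code from the original post: a parser that reports whether a ClientHello offers TLS 1.3, attempts resumption, or announces immediate encrypted data. The function names and sample messages are assumptions made for illustration; the extension numbers are those of RFC 8446.

```python
import struct

# Extension numbers from RFC 8446, section 4.2
EXT_PSK, EXT_EARLY_DATA, EXT_SUPPORTED_VERSIONS = 0x0029, 0x002A, 0x002B

def parse_client_hello(record: bytes) -> dict:
    """Report what a ClientHello offers: TLS 1.3, resumption (PSK), 0-RTT data."""
    ctype, _legacy, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22 or record[5] != 1:        # handshake record carrying ClientHello
        raise ValueError("not a ClientHello")
    body = record[9:5 + rec_len]             # skip record and handshake headers
    pos = 2 + 32                             # legacy_version + random
    pos += 1 + body[pos]                     # legacy_session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
    pos += 1 + body[pos]                     # legacy_compression_methods
    exts = {}
    if pos + 2 <= len(body):                 # extensions block is optional pre-1.3
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            exts[etype] = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    # supported_versions: 1-byte list length, then 2-byte version codes
    versions = exts.get(EXT_SUPPORTED_VERSIONS, b"\x00")[1:]
    offered = {versions[i:i + 2] for i in range(0, len(versions), 2)}
    return {"offers_tls13": b"\x03\x04" in offered,
            "resumption": EXT_PSK in exts,
            "early_data": EXT_EARLY_DATA in exts}

def build_client_hello(ext_list) -> bytes:
    """Constructed sample input: a minimal ClientHello carrying ext_list."""
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in ext_list)
    body = (b"\x03\x03" + bytes(32) + b"\x00"       # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"     # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed samples; the PSK bytes are a placeholder, not a real ticket or binder.
LEGACY = build_client_hello([])                                 # no TLS 1.3 offer
FULL = build_client_hello([(EXT_SUPPORTED_VERSIONS, b"\x02\x03\x04")])
RESUMED = build_client_hello([(EXT_SUPPORTED_VERSIONS, b"\x04\x03\x04\x03\x03"),
                              (EXT_EARLY_DATA, b""),
                              (EXT_PSK, bytes(8))])             # PSK must come last

if __name__ == "__main__":
    for name, hello in (("legacy", LEGACY), ("full", FULL), ("resumed", RESUMED)):
        print(name, parse_client_hello(hello))
```

Data sent under `early_data` is not protected against replay (RFC 8446, section 8), so a server that enables it should accept it only for idempotent requests.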
Security should never slow down or complicate things. When you build systems with security and performance in mind from the early development stages, rather than adding them at the end, fast and secure applications are the natural outcome.
Happy Performance & Security Engineering!