Lessons learned running SSL at scale

Lessons learned running SSL at scale

FOSDEM 2016

Several years ago, Facebook launched an internal initiative to integrate more encryption into its corporate infrastructure. The effort required advanced, yet highly responsive solutions in multiple areas, including vulnerability management, secure key distribution, and support for dated encryption in markets where modern encryption is still not viable. This technical talk will outline how Facebook has implemented some of these systems and provide recommendations for methodologies and open-source tools that could allow other organizations to put them into practice. It will also discuss how Facebook is addressing the challenge of serving SSL to millions of people in developing countries.

This talk will cover both technical and organisational topics. Main focuses include:

• Designing a software/infrastructure ecosystem that can quickly respond to SSL security issues/other changes
• Handling alerting and certificate monitoring, and where in your SSL stack to put such logic
• Being able to provide both utility and maximum possible security in developing countries
• Things to consider to avoid leaks with new developments in modern SSL infrastructure (for example, Certificate Transparency)
• Proactively monitoring potentially malicious new certificate issuances for your domains
• How we have implemented some of these systems at Facebook, with suggestions for open-source tools to help you do the same if you wish

Speakers: Chris Down