Amazon flicks switch on CloudFront security features
Perfect Forward Secrecy added to SSL suite
Amazon has beefed up security on its CloudFront services, adding Perfect Forward Secrecy, OCSP stapling and session tickets to its SSL support.
The company describes the new AWS features in full in this blog post.
Session tickets are designed to improve performance, particularly in the case of an interrupted session between server and client. Instead of renegotiating the SSL session from scratch, the original negotiation ends with the server passing a session ticket to the client, which it can use to re-establish communications on the basis of the original handshake.
OCSP stapling is a technique allowing CloudFront to handle certificate status checking, instead of that burden falling on the browser. Users taking advantage of the feature will be able to let CloudFront handle both locating the relevant certificate authority via DNS, and checking certificate status.
The certificate status is then “stapled” to the SSL handshake, yielding benefits to both performance and convenience (and security, since users generally know very little about certificates anyhow).
As well as Perfect Forward Secrecy, the company also says it's added new RSA-AES cyphers to CloudFront. ®