This article is more than 1 year old

Facebook cracks opens its bottle of Fizz – a carbonated TLS 1.3 lib

Crypto-code unleashed to inflict security, performance and stability on devs

Looking for a TLS 1.3 library? Facebook has you covered. On Monday, the ads and data peddler plans to release Fizz, a TLS 1.3 library written in C++14, as an open source project.

TLS 1.3 is the latest and greatest version of the Transport Layer Security protocol, the successor to Secure Sockets Layer or SSL, which encrypts network communication between clients and servers. Finalized as a specification in March, it features stronger security and more efficient networking than previous iterations.

The protocol is still working its way into the wild. Eric Rescorla, a Mozilla Fellow and editor of the TLS and HTTPS specifications, said in an email to The Register that a lot of work has already been done to make TLS 1.3 as easy to deploy as possible.

"It's a drop-in replacement for TLS 1.2, uses the same keys and certificates, and clients and servers can automatically negotiate TLS 1.3 when they both support it," he said. "There's pretty good library support already, and Chrome and Firefox both have TLS 1.3 on by default."

It's beer o clock for sysadmins. Photo by SHutterstock

World celebrates, cyber-snoops cry as TLS 1.3 internet crypto approved

READ MORE

That said, the rollout has had some rough spots.

"Earlier draft versions did have some deployment challenges: a lot of middleboxes turned out to be broken in a way that caused failures with TLS 1.3," he said. "We made some modifications to the protocol in response and aren't seeing significant problems with the new version."

Facebook in a draft blog post, provided to The Register, describes Fizz as "performant," and points to several features, including stronger security, that may make it more appealing to developers than alternatives like Google's BoringSSL or OpenSSL.

The company claims more that 50 per cent of its internet traffic is now secured by TLS 1.3, with Fizz handling millions of handshakes a second.

"Fizz has reduced not only the latency but also the CPU utilization of services that perform trillions of requests a day," said Facebook software engineers Kyle Nekritz, Subodh Iyengar, Alex Guzman.

According to the trio, Facebook's load balancer synthetic benchmarks exhibit roughly 10 per cent better throughput with Fizz than with the company's previous stack.

Chunky

Fizz, we're told, handles memory in a more efficient manner than other TLS libraries, which require contiguous memory space. Because apps tend to store data in discontiguous chunks, copying back and forth involves some extra latency as the data gets split and reassembled.

Fizz, by contrast, supports vectored I/O, also known as scatter/gather I/O, which lets it send and receive chunked data using fewer memory allocations and copy operations. These zero-copy write operations help make it "performant."

So too does the code's native support for asynchronous server operations and for handing off TLS key signing to a separate service via API, which can help keep keys secure.

The library also includes support for sending data as soon as the TCP connection is established. Early data transmission reduces request latency, though it raises the risk of a replay attack. Facebook defends against this by limiting early sends to whitelisted data and deploying a cache with its load balancers to detect reply attempts.

There's some extra security baked in too. Fizz has been designed in a way that its state is defined explicitly in a single location, as a way to avoid attacks that attempt to change the code's state, such as the CCS Injection Vulnerability identified in OpenSSL. And it implements an abstraction layer to avoid incorrect state transitions.

"If a state handler uses an incorrect state transition that is not defined in the explicit state machine, the code will fail to compile," explain Nekritz, Iyengar and Guzman. "This helps us catch bugs during compile time rather than at runtime, thereby preventing mistakes."

TLS 1.3 hasn't been officially published, though RFC 8446, which is how the spec will be known once it becomes an official internet standard, is expected to be published soon. ®

More about

TIP US OFF

Send us news


Other stories you might like