What is SSL and CDN? How CDNs Improve SSL / TLS Performance?

What is SSL/TLS?

Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are cryptographic protocols for secure communication on a computer network.

SSL/TLS are used on the internet to encrypt the data exchanged between a user’s browser and the web server, enabling sensitive data to remain secure and private (usernames, passwords, credit card numbers, and other personal information, maintaining both confidentiality and integrity while the information is sent.

SSL is considered older technology than TLS, but TLS is considered the standard; it has better security than SSL and is still in use. SSL and TLS have commonly been used interchangeably, although they are two distinct technologies.

Read Also: TLS 1.3: Everything you Need to Know

Most web pages are secured by TLS, but SSL/TLS can describe the same function. SSL/TLS, as a set of capabilities, helps to establish trust and protect a user from threats such as data interception, data alteration, and impersonation.

What is CDN?

A Content Delivery Network (CDN) is a collection of distributed servers in multiple locations across the globe.

The purpose of a CDN is to serve web content and resources, like HTML pages, images, videos, stylesheets, and JavaScript files, back to a user based on the physical distance they are from the nearest edge server.

A CDN takes all of this content and caches it (closer to the user), distributes it (closer to the user), which decreases latency, improves download speeds, and reduces bandwidth and server load, making the quality of the web experience faster and overall better.

CDNs are very useful to provide availability and redundancy; they can be critical for global websites that may have a large number of users visiting them.

In addition to the benefits of improvement in website performance, CDNs are now responsible for an added level of security and can often provide prevention mechanisms from DDOS attacks, Web Application Firewalls (WAF), and secure SSL/TLS delivery.

How CDNs Improve SSL/TLS Encryption Performance?

While SSL/TLS encryption fully improves the security of the web, there are trade-offs in terms of performance.

The secure connection uses a handshake process to establish a connection that introduces latency.

CDNs help fix these issues and improve the performance of SSL/TLS in a few ways:

Reduced Latency with Edge Servers

SSL/TLS handshakes require a round-trip between the client and server. For users that are much further from the origin server, the number of round-trip trips can cause noticeable latency. CDNs have SSL-enabled edge servers configured, very close to the end-user.

When users make a secure connection, both the handshake and content are transferred by the nearest edge server. This drastically reduces latency and improves load times.

For example, a user in Tokyo is accessing a website hosted in New York. Without a CDN, the user will experience many delays due to the physical distance.

With CDN, the user has an SSL/TLS handshake with the Tokyo edge server, and the content is also sent back by a Tokyo edge server. Overall, it will be a great experience.

SSL Session Reuse and Session Resumption

To mitigate the computational burden of completing the entire SSL/TLS handshake process, CDNs typically make use of SSL session reuse or session resumption.

This way, clients and servers can continue encrypted sessions without renegotiating all of the parameters. This is especially advantageous for repeat visitors or users who access multiple secure assets from the same domain.

As an intermediary for users and servers, CDNs cache session information and manage TLS handshakes intelligently across millions of requests, providing benefits with respect to performance and CPU utilization on both the client-side and server-side.

TLS False Start and 0-RTT Resumption

Modern CDNs are aware of, and deploy, many performance-based features related to SSL/TLS, e.g., TLS False Start and 0-RTT (Zero Round Trip Time) Resumption.

TLS False Start allows the sending of data before finishing the handshake, and removes milliseconds from each connection. 0-RTT Resumption (which is available in TLS 1.3), allows clients to immediately send encrypted data using parameters from a previous session.

0-RTT does present some security risks to applications (such as replay attacks), but usually CDNs implement it with additional security mechanisms that provide speed with some measure of protection.

Simplified Certificate Management

CDNs will take the complexity of SSL certificate deployment and management out of your hands. With a CDN service, you have the option for automatic certificate provisioning through Certificate Authorities (CAs), as well as some advanced capabilities such as:

• OCSP Stapling – The CDN will respond to an OCSP request by providing the certificate revocation status, thus removing the necessity to call the CA and optimizing SSL handshake times.
• Server Name Indication (SNI) – CDNs allow the use of multiple SSL certificates on a single IP, thus improving scalability.
• Wildcard and SAN certificates – The need for Wildcard SSL certificates across a number of subdomains and multi-domain configurations can be reduced.

Support for HTTP/2 and HTTP/3

Older versions of protocols like HTTP/1.1 or older are less equipped to provide performance benefits than the newer HTTP/2 and HTTP/3.

When combined with SSL/TLS (which offers great performance benefits), HTTP/2 gains performance increases through multiplexing, while both HTTP/2 and HTTP/3 can reduce latency and use only one connection without head-of-line blocking (HTTP/2).

HTTP/3, built on top of QUIC, utilizes UDP to provide a faster and higher-performance connection that is also more reliable in mobile or lossy environments.

Most CDNs allow it to run HTTP/2 or HTTP/3 by default, so encrypted traffic flows using these methods, which provide speed for the CDN service.

Additionally, since HTTP/1.1, HTTP/2, and HTTP/3 can only run over encrypted channels (TLS/SSL), this allows these protocols to align even more with SSL/TLS to improve overall performance.

Role of SSL/TLS in CDN Security

CDNs not only optimize the use of SSL/TLS, but they also consider SSL/TLS as key components of their security layer. This is how:

Secure Content Delivery

The intended job for a CDN is to deliver a file over its global network of servers to a user. But the content we are delivering is often sensitive and/or proprietary information (static files such as images, videos, or scripts, or dynamic content such as API responses).

When we deliver this content without using SSL/TLS, we are delivering this content insecurely, which means anyone can intercept, change, or steal the in-flight information.

By using SSL/TLS, we are encrypting this sensitive data on the exit of the CDN edge server, securing any data we are transmitting over the network from eavesdropping.

In other words, even if a malicious actor intercepts that traffic, the data they obtained is not readable in any type of format, because they do not have the correct decryption key.

This method of resource delivery is important not only for user trust but also for legal reasons, especially for those businesses handling private user data.

Encryption also encompasses content integrity, so it is a record we can maintain that details the files we are protecting are intact in the delivery process to the user. This integrity is especially considered when developing a web application.

Mitigation of Man-in-the-Middle Attacks

Man-in-the-Middle (MITM) attacks are considered one of the most damaging and threatening compromises in data communications. It occurs when the communication between a client and server is intercepted by an unauthorized party.

This can be done to eavesdrop on the communication, steal credentials, or insert a payload or other malicious content.

Because CDNs span multiple geographical Distribution Points (edge servers), there are multiple endpoints for attackers to potentially intercept the communication between their client and the CDN edge server.

SSL/TLS helps to reduce this risk by creating an encrypted secure tunnel from the client (user) browser to the CDN edge server. The CDN will use digital certificates and PKI to validate its identity to the user’s browser.

If this is validated, both parties will negotiate a secure session key that is used to encrypt all subsequent communications.

Even if an attacker was able to intercept the raw data being transmitted, and even if they managed to somehow obtain the data, unless they can also obtain the private key to decrypt the data they would still be unable to read the content.

With mutual authentication by certificates, the CDN will provide all the validation and trust, and it is also possible for the client to validate the identity of the CDN in some situations such as internal applications and enterprise APIs.

Because of this level of identity validation, MITM risks are greatly reduced, especially when combined with HSTS (HTTP Strict Transport Security), which enforces the use of HTTPS communication only.

DDoS Protection and Bot Mitigation

Distributed Denial of Service (DDoS) attacks are an overwhelming amount of traffic directed at a target network or service that leaves the target unusable. Bots can perform similar actions, scraping sensitive data, brute force login attempts, and other malicious tasks.

With the assistance of CDN infrastructure, SSL/TLS can be useful in identifying and preventing DDoS and bot issues, even with encrypted traffic.

Read Also: Brute Force Attack Explained: Types, Examples, Tools, Prevention

Modern CDNs can perform SSL termination at their edge, decrypting traffic before it hits the target user’s environment.

After decrypting the incoming request traffic, the CDN user can inspect the request content and apply various security options, such as Web Application Firewall (WAF) policies, limiting repetitive traffic/repeated requests (rate limiting), and analyzing traffic behavior.

Upon identifying suspicious or malicious requests, those traffic requests can be blocked before they ever get to the origin server destination, and the significant amount of traffic the target server would experience can be mitigated, and the backend infrastructure protected.

Once request traffic has been inspected, it can also simply be discarded, or still securely forwarded to the origin server if not considered harmful.

When you inspect the malicious and penetrating DDoS and bot traffic at multiple layers, you can offer the right level of security that works for encrypted data without it being a blind spot for your network, and without legitimate users being required to experience subpar service levels.

Bot mitigation solutions will also make use of SSL inspection to track and identify how automation or bot-like behavior occurred across this potentially encrypted traffic while protecting your APIs and login portals to avoid unnecessary abuse.

Secure API Gateways and Edge Functions

Web applications depend on APIs to power user experiences, mobile applications, or real-time interactions, and APIs send sensitive data, including user credentials, session tokens, and transaction information.

Today, CDNs are now commonly used as secure API gateways intercepting, authenticating, and routing API requests before they connect to the backend application servers.

SSL/TLS keeps this communication private and makes sure nothing is changed in transit. SSL/TLS encrypts the data the client sends to the CDN’s API endpoint, so TLS maintains the confidentiality of data passed in the entirety of the exchange.

Beyond this, some CDNs have what they call “edge functions”, which is just a name for lightweight serverless code that runs on edge nodes.

They can run authorization, token validation, logging, or sanitization, all at the edge of the network and under the protection of an active SSL/TLS session.

When CDNs use SSL/TLS in confidence with edge computing, they can make access control decisions before the request hits the origin server, providing both performance and security.

This is notable in regulated industries (like finance, health, or education) where misuse of its APIs can create compliance issues and data breaches.

Certificate Transparency and Reporting

SSL/TLS is more than entropic encryption; it includes certificate management, which is necessary to ensure that only trusted parties are involved in secure communications.

The latest CDN providers all employ certificate transparency logs, which are a public record of every SSL Certificate that has been issued by any of the Certificate Authorities (CAs). They help expose fraudulent certificates and prevent fraudulent certificate issuance.

For example, if a malicious user were attempting to obtain a certificate for your domain through an illicit CA or a compromised CA, certificate transparency would expose this and allow the erroneous certificate to be corrected before any damage is done.

In regards to certificates, CDNs also provide a great deal of ease with certificate renewal, deployment, and revocation, and usually effect that change via APIs and integrations with services such as Let’s Encrypt without any action on behalf of the customer.

In addition to the monitoring aspects of online security, CDNs also facilitate certificate visibility into the life cycle of the certificate, including notifications for expiring certificates, usage statistics, and analytics regarding their security posture, including vulnerability alerts. This sort of proactive management is paramount to keeping sites secure and trusted.

The importance of the type of documentation is critical, especially for organizations that maintain multiple domains or microservices, and where even a subset of certificate management responsibilities is likely impractical.

Conclusion

Certera offers robust SSL/TLS encryption through trusted certificates and seamless CDN services powered by SiteLock. Whether you’re looking to secure your website or boost its performance, we’ve got you covered. Come to us today and take the first step toward a faster, safer, and more reliable online presence.