Amazon CloudFront Adds Support for Advanced SSL Features

Posted on: Aug 20, 2014

We have made several enhancements to Amazon CloudFront to further improve the security and performance of your content delivery over HTTPS.

High security cipher suites improve the strength of HTTPS connections. Amazon CloudFront edge servers and clients (e.g. browsers) negotiate a cipher suite as part of the SSL/TLS handshake, and that negotiation can now select suites with advanced features such as Elliptic Curve key exchange (ECDHE) and Elliptic Curve signatures, which give equivalent security to RSA and classic Diffie-Hellman with much smaller keys and faster handshakes.

Perfect Forward Secrecy provides additional protection against eavesdropping on encrypted traffic. With an ephemeral (ECDHE or DHE) key exchange, each connection derives a fresh, random session key that is never sent over the wire and cannot be recovered from the server's long-term private key. As a result, traffic that an attacker records today cannot be decrypted later, even if that long-term key is compromised.

OCSP Stapling reduces the time taken by individual SSL handshakes by moving the Online Certificate Status Protocol (OCSP) check, the query used to obtain the revocation status of an SSL certificate, from the client to a periodic check performed by the Amazon CloudFront servers. The edge server fetches a CA-signed OCSP response for its certificate, caches it, and attaches ("staples") it to the handshake. The client still validates the certificate chain as before, but it no longer has to make its own round trip to the CA's OCSP responder, which improves performance and also keeps the client's browsing activity from being visible to the CA.

Session Tickets speed up resuming an SSL session. Amazon CloudFront encrypts the session state under a server-side ticket key and hands it to the client as a ticket; on the next connection the client presents the ticket and the session is resumed without repeating the full handshake. Because the ticket protects the session key, resumed sessions keep forward secrecy only for as long as the ticket key itself stays secret and is rotated regularly.
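The four features above are all visible from the client side of a single handshake. The following script is an added example, not AWS code: it drives openssl s_client against a hostname you supply (the -status and -reconnect flags request OCSP stapling and a session-resumption retry), then parses the output with awk into a one-line summary. The sample output embedded at the end is constructed for offline use, not captured from any real CloudFront host.

```shell
#!/bin/sh
# Added example, not AWS code: probe a TLS endpoint with openssl s_client
# and report whether ECDHE/PFS, OCSP stapling, session tickets and
# session resumption are in use.

# One connection with an OCSP status request (-status) followed by
# -reconnect, which reconnects using the saved session so the output shows
# whether resumption worked. -servername sends SNI, which CloudFront needs
# to select the right certificate. The hostname is whatever you pass in.
tls_probe() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" \
        -status -reconnect </dev/null 2>/dev/null
}

# Reduce s_client output (stdin) to one summary line.
#   proto/cipher : from the first "New, <proto>, Cipher is <suite>" line
#   pfs          : ECDHE or DHE key exchange (every TLS 1.3 suite is ephemeral)
#   ocsp         : a stapled OCSP response was received and parsed
#   ticket       : the server issued a session ticket
#   resumed      : a later handshake printed "Reused," instead of "New,"
tls_summarize() {
    awk '
    /^New, / && !seen_new {
        seen_new = 1; proto = $2; sub(/,$/, "", proto); cipher = $NF
    }
    /^Reused, /                          { resumed = 1 }
    /OCSP Response Status: successful/   { ocsp = 1 }
    /TLS session ticket:/                { ticket = 1 }
    END {
        pfs = (proto == "TLSv1.3" || cipher ~ /^(ECDHE|DHE)-/) ? "yes" : "no"
        printf "proto=%s cipher=%s pfs=%s ocsp=%s ticket=%s resumed=%s\n",
            proto, cipher, pfs,
            (ocsp ? "yes" : "no"), (ticket ? "yes" : "no"), (resumed ? "yes" : "no")
    }'
}

# Constructed excerpt of s_client output (not captured from any real host),
# so the parser can be exercised offline.
sample_output() {
    cat <<'EOF'
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
======================================
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 0A0B0C
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 00 01 02 03
drop connection and then reconnect
CONNECTED(00000003)
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
EOF
}

summarize_sample() {
    sample_output | tls_summarize
}

# Usage: sh tls_probe.sh d111111abcdef8.cloudfront.net (hostname is a placeholder)
if [ $# -gt 0 ]; then
    tls_probe "$1" | tls_summarize
fi
```

Run it against your own distribution hostname and expect pfs=yes, ocsp=yes, ticket=yes and resumed=yes. A cipher without the ECDHE- or DHE- prefix on the "New," line means the client negotiated a static RSA key exchange and the connection has no forward secrecy; "OCSP response: no response sent" means no stapled response reached the client.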

There is no additional charge for these new features, and they are automatically enabled when you serve content with Amazon CloudFront over HTTPS. To learn more about how these new SSL features work, visit the Amazon Web Services Blog. To learn more about delivering HTTPS content with Amazon CloudFront visit the Amazon CloudFront SSL page.