Akamai Diversity

September 2012 Archives

Take a Byte out of CRIME

On September 21, 2012 at the 8th annual Ekoparty Security Conference in Buenos Aires, Argentina, security researchers Juliano Rizzo and Thai Duong released their latest SSL vulnerability and the accompanying attack tool. Called CRIME (Compression Ratio Info-leak Made Easy), their tool exploits a weakness in the compression algorithm used by encryption protocols SSL/TLS and SPDY. Similar to the tool the pair released in 2011, BEAST, CRIME is a client-side attack and uses weaknesses in the compression technology to enable an attacker to compromise the encrypted data tunnel between the browser and the origin server. The initial use of the vulnerability has been to steal user application cookies, allowing the attacker to impersonate the end user.

While this vulnerability and tool have gotten much attention in the month leading up to the presentation, the attack is of limited usefulness in reality. First, the attack requires that the attacker be able to serve malicious traffic to the user and intercept traffic from the user to the web server. Typically this requires being on the same network segment as the targeted system. Second, less than half of servers on the Internet that use SSL/TLS and SPDY have compression enabled. Third, of the major browsers in use, only Chrome and Firefox allowed the use of compression with SSL/TLS and SPDY when the tool was announced. By the time the tool had been released, all major browsers had been patched and no longer allowed the use of compression with the encryption protocols.

Akamai has reviewed the vulnerability information and has verified that we do not support compression for SSL/TLS on our platform. We do have compression enabled for SPDY, and will be patching to correct the issue at the next available opportunity in the patching cycle. According to Ivan Ristic at Qualys, approximately 7% of browsers were vulnerable to the attack and only 0.8% of the pages on the Internet support SPDY, making this a low-risk vulnerability.

Customers can check themselves with `openssl s_client -connect control.akamai.com:443 < /dev/null |grep Compr`, substituting the site of their choice for control.akamai.com.
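The same check as a reusable script, added here as an example; it is not part of the original post or Akamai's tooling. The function and sample names are assumptions, and the sample `s_client` output lines are constructed.

```shell
#!/bin/sh
# Added example: classify the top-level "Compression:" line printed by
# `openssl s_client`. Prints one of: enabled | disabled | unknown

classify_compression() {
    # Reads s_client output on stdin. Only the unindented "Compression:"
    # line is matched; the indented copy under SSL-Session is ignored.
    awk '
        /^Compression:/ {
            seen = 1
            sub(/^Compression:[ \t]*/, "")
            sub(/[ \t\r]+$/, "")
            if (toupper($0) != "NONE") enabled = 1
        }
        END {
            if (!seen)        print "unknown"   # handshake failed or no output
            else if (enabled) print "enabled"   # TLS compression negotiated
            else              print "disabled"
        }'
}

# Live check of one host (hypothetical helper wrapping the command above).
check_host() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        classify_compression
}

# Constructed sample outputs for offline use.
sample_none() {
    printf '%s\n' 'Secure Renegotiation IS supported' \
        'Compression: NONE' 'Expansion: NONE' 'SSL-Session:'
}
sample_zlib() {
    printf '%s\n' 'Secure Renegotiation IS supported' \
        'Compression: zlib compression' 'Expansion: zlib compression' \
        'SSL-Session:' '    Compression: 1 (zlib compression)'
}
sample_fail() {
    printf '%s\n' 'connect: Connection refused' 'connect:errno=111'
}

# When host names are given as arguments, check each one.
if [ "$#" -gt 0 ]; then
    for host in "$@"; do
        printf '%s\t%s\n' "$host" "$(check_host "$host")"
    done
fi
```

A client whose OpenSSL build has compression compiled out or disabled never negotiates it, so a `disabled` result is only meaningful when the client itself offers compression.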

For more information on this vulnerability, please read the following articles:
- https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls
- http://www.imperialviolet.org/2012/09/21/crime.html
- http://isecpartners.com/blog/2012/9/14/details-on-the-crime-attack.html

Martin McKeay is a security evangelist at Akamai

It wasn't too long ago that going on the web meant you were sitting at a desk, with a computer sporting a fixed-line connection. For companies doing business online, there were distinctly fewer variables that impacted web site performance and the user experience.

Fast forward just a few years and the world has radically changed. Mainstream use of Wi-Fi, cellular, smartphones, tablets and connected devices such as TVs and game consoles have fundamentally changed the way we experience the web. Not only that, it's now exponentially more difficult for online brands to ensure their users have a great experience.

Is there a way to manage this increasing complexity and think differently about web performance? M.J. Johnson, one of Akamai's product marketing professionals, certainly thinks so, and illustrates his view on situational performance in the below video.

To learn a bit more, check out this great conversation between Akamai's Mike Afergan and entrepreneur, strategy consultant and blogger Sramana Mitra.

Rob Morton is a senior public relations manager at Akamai

Web performance: Why one size doesn't fit all

When considering web performance, it's tempting to think that the user experience on any given site or application will be fairly consistent. The reality? Performance is impacted by different variables and ensuring that all users have the best possible experience requires hard work. For example, a desktop machine running IE 9 over a cable connection will offer a different user experience compared to a Macbook running Safari through public Wi-Fi, and both of those are different from an Android smartphone on 3G. Each has different connectivity characteristics and idiosyncrasies when it comes to rendering content.

It's not easy to ensure that your website performs well in the different situations I've described, and the typical end-user simply doesn't care about how hard it is to ensure stellar performance across the broad spectrum of web experiences. A user hitting your site from a smartphone expects the same great experience as if they were connecting from home or work. This is true despite the fact that each set of circumstances is radically different.

As pages get bigger, our performance expectations get higher

Pages are growing, and they're growing quickly. In the last two years the average web page has gone from about 700 to 1,100 kilobytes, all-in. This is a 57% increase in size.

And user expectations? They're going the other way. In 2006, we were OK with waiting 4 seconds for a page to load. By 2009 we got antsy at 3 seconds. Today we see that a 300 millisecond bump in page load time can lead to revenue impact.

Although we have seen massive growth in the richness of web content, data indicates that users expect pages to load faster than ever before.

The Simplicity Mantra at IBC

Online video was clearly "top of mind" at this year's IBC, and it was fascinating to hear from a variety of companies across the broadcast spectrum and learn more about their video delivery, monitoring, and monetization needs.

If I could put my finger on one major topic I heard over and over again at this year's IBC Conference, it's simplicity. Companies want simplicity across the board - whatever it takes to quickly get new video content out to viewers. That's what they wanted to talk about. From companies with large content libraries, to service providers who need to deliver it, the thought of serving all of the different devices viewers are using can seem overwhelming! They wanted to know how to prepare and secure the content for delivery to all of those devices, and they also wanted to understand how to access the end-device player technologies that bring it all together for viewers. On top of that, they want to simplify the authentication experience for viewers, while also removing the complexities of allowing content owner and service provider systems to talk together in support of that simplification.

As I showed the demos of our new cloud-based Sola Vision transcoding, stream packaging, and identity services offerings, Akamai's own simplicity message resonated with visitors. They could see how simple preparing and delivering high quality online video can be with a simple, unified workflow that just happens to be built on top of the world's largest CDN.

Visitors to our exhibit at IBC could clearly see the difference between the CDN capabilities we offer, and the value-added video simplification tools we now provide. And they showed real enthusiasm for the simplicity and performance that Sola Media Solutions offers them.

I'm looking forward to continuing the many conversations that we started at IBC in the months to come.

Kurt Michel is a director of product marketing at Akamai

Akamai Security Takes Center Stage at Finovate

We have all heard about banking web sites being attacked and taken down by hackers, and a few of us (myself included) have seen our banking sites temporarily wiped off the Internet by attacks.  But have you ever seen an actual DDoS attack launched against a bank's web site?  Well here is your chance.

Next week, Akamai will be demoing its Kona Site Defender web security solutions at the Finovate conference in New York. I have been attending Finovate events for years. It's an exciting and fast-paced conference, showcasing the best innovations in financial services and banking technology from a mixture of start-ups and established companies.

For our demo we have created the Bank of Akamai web site. We will show two versions of the site: one protected by Kona, and one unprotected.  We'll then launch a live DDoS attack against both sites and demonstrate how Kona automatically protects a banking web site with no intervention by the customer.

Our demo is at 2:45 PM on the afternoon of Wednesday, Sept. 12.  If you or anyone from your company is attending Finovate be sure to catch the demo, and please stop by our booth afterwards.  I look forward to seeing you there!

Rich Bolstridge is chief strategist, financial services at Akamai

The Sun Rises on Sola Media Solutions

Just in time for the International Broadcasting Convention (IBC), Akamai earlier today introduced Sola Media Solutions. A comprehensive set of cloud based, integrated services, Sola Media is designed to meet the increasing audience demand for content that is available when and where viewers want it, on a wide variety of devices, and with the highest quality possible.

Put simply, Sola Media is all about giving our customers an easy and effective way to address the core challenges of providing an engaging audience experience. We can help them adapt and protect content and ensure that content is connected in the larger video ecosystem with Sola Vision. We allow our customers to store and deliver content with Sola Sphere. And we give them the tools to better understand the user experience with Sola Media Analytics.

If you're going to be at IBC in Amsterdam, stop in at Stand 7.K36 and ask to see Sola Media Solutions in action - especially the brand new cloud-based transcoding and stream packaging capabilities. Or, watch the below video. Our director of product marketing for Sola Media Solutions discusses why we believe Sola Media is a great way for content providers to engage audiences with superior quality video, solve the challenges of multi-device consumption, and increase video monetization. At the end, there is an opportunity to schedule a meeting or demo if you'd like more information.

Rob Morton is a senior manager for public relations at Akamai