Over the last year, Netflix has been transitioning its customers' streams from HTTP to HTTPS. The process hasn't been simple: the company says the computational cost of the move on its serving platform has been significant. To reduce the operational cost of encrypting every stream, Netflix has been exploring ways of optimizing Transport Layer Security (TLS) bulk encryption, and in a recent paper its engineers explain what they have been able to accomplish.
First, the engineers weighed the choice of cipher. They opted for AES-GCM over the then more common Cipher Block Chaining (AES-CBC), deciding that GCM, an authenticated-encryption mode that produces the ciphertext and its integrity tag in a single pass, provided adequate protection while requiring less processing than CBC, which in TLS needs a separate HMAC for integrity. Second, Netflix considered a number of implementations of the cipher, eventually settling on a modified version of the Intel Intelligent Storage Acceleration Library (ISA-L). With some additional improvements to the data path, Netflix reports that it was able to improve overall performance by as much as 30%.
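As an added illustration of that cipher choice (example code written for this page, not Netflix's or ISA-L's), the following Go program contrasts the single-pass AES-GCM path with the two-pass AES-CBC plus HMAC-SHA256 alternative using only Go's standard library. Both paths reject a tampered record, but GCM does so in one primitive, which is the computational point the paper makes. The keys, the all-zero nonce and IV, and the sample chunk are constructed demo values; TLS derives per-record keys and nonces itself, and a GCM nonce must never repeat under one key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// sealGCM encrypts and authenticates in one AEAD call; Seal appends the 16-byte tag.
func sealGCM(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // expects a 12-byte nonce
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, nil), nil
}

// openGCM verifies the tag and decrypts; any modified byte yields an error.
func openGCM(key, nonce, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, sealed, nil)
}

// sealCBCHMAC is the two-pass alternative: AES-CBC over PKCS#7-padded data for
// confidentiality, then HMAC-SHA256 over iv||ciphertext (encrypt-then-MAC).
func sealCBCHMAC(encKey, macKey, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(iv)
	mac.Write(ct)
	return append(ct, mac.Sum(nil)...), nil
}

// openCBCHMAC checks the MAC before touching the ciphertext, so bad padding
// never becomes an observable oracle, then decrypts and strips the padding.
func openCBCHMAC(encKey, macKey, iv, sealed []byte) ([]byte, error) {
	if len(sealed) < sha256.Size+aes.BlockSize || (len(sealed)-sha256.Size)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	ct, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(iv)
	mac.Write(ct)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, errors.New("bad MAC")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-pad], nil
}

// tamperDetected flips one ciphertext bit and reports whether open rejects it.
func tamperDetected(sealed []byte, open func([]byte) ([]byte, error)) bool {
	forged := append([]byte{}, sealed...)
	forged[0] ^= 0x01
	_, err := open(forged)
	return err != nil
}

func main() {
	key, macKey := []byte("0123456789abcdef"), []byte("fedcba9876543210") // constructed AES-128 and HMAC keys
	nonce, iv, chunk := make([]byte, 12), make([]byte, aes.BlockSize), []byte("stream chunk")
	g, _ := sealGCM(key, nonce, chunk)
	c, _ := sealCBCHMAC(key, macKey, iv, chunk)
	fmt.Println("GCM bytes:", len(g), "tamper detected:", tamperDetected(g, func(s []byte) ([]byte, error) { return openGCM(key, nonce, s) }))
	fmt.Println("CBC+HMAC bytes:", len(c), "tamper detected:", tamperDetected(c, func(s []byte) ([]byte, error) { return openCBCHMAC(key, macKey, iv, s) }))
}
```

The size difference is visible in the output as well: GCM adds only its 16-byte tag, while the CBC path pads the 12-byte chunk to a full block and then appends a 32-byte HMAC, and it has to run the MAC and the block cipher as two separate passes over the data.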
The paper also sketches a few options that Netflix's engineers are still considering. The company wonders whether a dedicated accelerator card could handle the encryption more efficiently than its servers' CPUs, and it is also looking at the cache-control features of Intel's CPUs as a way of limiting how much data the encryption process pushes into the last-level cache. Still, Netflix is happy enough with its results that it expects to have TLS encryption on the majority of its customers' streams by the end of this year.