Today, Amazon is announcing they are using s2n to handle all the secure traffic in and out of S3. Congratulations to AWS!
What is s2n?
First, what is secure traffic?
To secure web traffic we rely on secure protocols such as SSL/TLS. Technically, we rely on TLS connections but SSL (Secure Socket Layer) has became synonymous with TLS (Transport Layer Security). SSL is outdated and has been proven to be insecure so we currently use TLS 1.2 which is much safer. (TLS 1.3 is currently being proposed as a replacement.)
OpenSSL
To handle the secure traffic, we use software libraries to handle the interaction. The majority of companies use an open source package called OpenSSL. It has been around for many decades. Several years ago, a major flaw was found in OpenSSL which lead to the “HeartBleed” vulnerability affecting most of the internet.
Since then, investment was made in supporting the OpenSSL package to help keep it secure. The problem with OpenSSL is the code base is very large with over 500,000 lines of code written over many decades and attempts to implement the entire SSL/TLS specification. Unfortunately, this opens up OpenSSL to a very large attack surface.
s2n
Amazon looked at this problem with OpenSSL and realized that if they had a smaller library that only implemented the latest versions of TLS, while handling the most common needed functionality required to run a cloud environment, then this would help strengthen the secure traffic running through all their services.
Out of this realization, s2n was born. s2n is a TLS library that implements the most common functionality required for handling secure traffic, and is written in only 6000 lines of code. This library has a modern approach to code development and has tests throughout it’s small amount of code. This not only provides a smaller attack surface, it can be easily audited by security experts, making it more robust than OpenSSL.
S3 now runs on s2n
It obviously takes time to roll out a change like this, especially with infrastructure as large as Amazon Web Services. So it’s great to hear that S3 is now using s2n for all of their secure traffic.
Why is this important?
This is a very important milestone for Amazon as it helps to prove their implementation of the s2n library is doing well in the largest cloud infrastructure in the world.
It’s important to us, as developers, as we build applications that are secure. We can use these libraries and reduce the attack surface by removing the usage of OpenSSL where we can. I excited to see where this will go and how quickly the industry adopts s2n over OpenSSL.
I thank everyone involved with OpenSSL for providing such a core library for all these years. I think it’s done a fantastic job securing the internet, but as with all things, we have to give way to the new.
Hopefully, as time moves forward, Amazons implementation of TLS is proven to be incredibly secure.
- awslabs/s2n on GitHub
- s2n Is Now Handling 100 Percent of SSL Traffic for Amazon S3 – original post