ApacheCon NA 2013

Portland, Oregon

February 26th – 28th, 2013

Register Now!

Wednesday 11:45 a.m.–12:30 p.m.

SSL: "Securing" the Web with Apache

Igor Galić

A Patchy Web
Audience level:


SSL is the standard way securing a connection and the data flowing across it on The Internet. The complexity of the protocol in APIs and configurations makes this security frail at best, an illusion at worst. In this talk we'll take a closer look at the protocol's failings and how to avoid them in particular implementations.


In recent years one SSL related "scandal" after the other has been affecting the foundation upon which we lay the security of The Internet: Certificate Authorities.

But even we don't out-source the management of trust to these companies, the SSL protocol is a complex beast. To implement it correctly is not easy. Even if an implementation is correct the complexity often leaks into a program's configuration: It requires administrators to have a deep understanding, or otherwise risk exposure of private data.

With this talk we'd like to impart exactly that knowledge:

In case studies of bad implementations we'll try to raise awareness of those.

With simple and complex configurations of different Apache products we'd like to teach how to correctly configure secure SSL connections in general.

Finally, we'd like to take a look at the performance impact of SSL, how to improve it by configuration and how future developments of the protocol will impact it.