Netflix will soon use the HTTPS protocol to authenticate and encrypt customer streams, a move that helps ensure what users watch stays secret. The move now leaves Amazon as one of the most noticeable no-shows to the Web encryption party.
Flipping on the HTTPS switch on Netflix's vast network of OpenConnect Appliances (OCAs) has been anything but effortless. That's because the demands of mass movie streaming can impose severe penalties when transport layer security (TLS) is enabled. Each Netflix OCA is a server-class computer with a 64-bit Xeon CPU running the FreeBSD operating system. Each box stores up to 120 terabytes of data and serves up to 40,000 simultaneous, long-lived connections, a load that requires as much as 40 gigabits per second of continuous bandwidth. Like Amazon, Netflix has long encrypted log-in pages and other sensitive parts of its website but has served movie streams over unsecured HTTP connections. Netflix took the unusual step of announcing the switch in a quarterly earnings letter that company officials sent shareholders Tuesday.
Netflix first experimented with TLS-protecting customer streams six months ago when it dedicated several servers to deliver only HTTPS traffic to a subclass of users and compared the results to similarly situated servers serving HTTP streams. The results weren't encouraging. There was as much as a 53-percent capacity hit. The penalty was the result of the additional computational requirements of the encryption itself and the lost ability to use certain Netflix streaming optimizations. The optimizations involve avoiding data copies to and from a server's user space, something that's not possible with HTTPS turned on.