Update Nginx For Better HTTPS Performance

I decided to try out this suggestion from Optimizing NGINX TLS Time To First Byte (TTTFB) (which I mentioned at the end of 2013):

After digging through the nginx source code, one stumbles onto this gem. Turns out, any nginx version prior to 1.5.6 has this issue: certificates over 4KB in size incur an extra roundtrip, turning a two roundtrip handshake into a three roundtrip affair – yikes. Worse, in this particular case we trigger another unfortunate edge case in Windows TCP stack: the client ACKs the first few packets from the server, but then waits ~200ms before it triggers a delayed ACK for the last segment. In total, that results in extra 580ms of latency that we did not expect.

I’ve been using Nginx 1.4.x from the Ubuntu package collection on this site. A few webpagetest.org runs showed that HTTPS negotiation was taking more than 300ms on the initial request. After updating to Nginx 1.5.13, more tests showed HTTPS negotiation was down around 250ms.

The 50ms savings isn’t nearly as dramatic as the worst-case scenario described in the quote above, but I’ll take it.

Awkward Moment For Google And Feedly

The Google Cloud Platform blog recently had a rather awkward moment posting about the success of Feedly; emphasis is mine:

In the middle of last year, our servers were overwhelmed with hundreds of thousands of new signups, and we experienced our first service outage. The first thing we did was move all of our static content to App Engine. Within an hour we were up and running again with 10 times the capacity we had before. This turned out to be a good thing – we added millions more users over the next few months and more than doubled in size.

I seem to recall Google telling millions of users to pack up their stuff and leave around the middle of last year. Feels strange to see Google excited to brag about their ability to send millions of users to a competitor. At least they used to be competitors, before Google decided to get out of the reader space.

I Have Done It Longer Because I Have Not Had Time To Make It Shorter

This is a quote I usually see attributed to Mark Twain:

If I had more time, I would have written a shorter letter.

The quoteinvestigator.com research on that indicates that Twain “did not use it according to the best available research”.

The earliest use of this phrase is from Blaise Pascal in 1657 (yes, that Pascal), originally in French as part of “Lettres Provinciales”:

Je n’ai fait celle-ci plus longue que parce que je n’ai pas eu le loisir de la faire plus courte.

Google Translate offers up this English version:

I have done it longer because I have not had time to make it shorter.

That applies to many things that benefit from refinement over time, including programming.

UPHPU April 2014


HTML5 Security Cheatsheet

A list of web-related security issues is being collected at html5sec.org, with a GitHub repo to send in updates.

There are so many ways that bad things can happen in a web environment that sharing details in an open and public way like this is really important.

Successful Web App Requirements

Thomas Fuchs answers the question “what do you need to make a successful web app?”. The most important part of the answer may be the things that you don’t need.

Read Access on Google Servers with XXE

Detectify explains how they gained read access to production servers at Google:

One system caught our eyes. The Google Toolbar button gallery. We looked at each other and jokingly said “this looks vuln!”, not knowing how right we were.

They were able to leverage XML External Entity (XXE) processing to read local files on Google’s production servers. If you haven’t read up on XXE, go watch Mike Adams’ talk at WordCamp SF 2013; the video is only 30 minutes.

Be very careful when processing XML, it can come back to bite you in very bad ways.
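As an added example (not code from this post or from Detectify’s write-up), here is a small Python parser on the standard library’s expat bindings that refuses the constructs XXE depends on, a DOCTYPE, entity declarations and external entity references, instead of resolving them. Both XML inputs are constructed for the demo and the file path in the entity is a placeholder.

```python
import xml.parsers.expat as expat

class UnsafeXMLError(ValueError):
    """Document uses DTD machinery (DOCTYPE, entity declarations, external references)."""

def parse_xml_without_entities(data: bytes) -> dict:
    """Parse XML into {element: text}, refusing every construct XXE relies on."""
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)  # no external DTD subset
    problems, text, stack = [], {}, []
    def on_doctype(name, sysid, pubid, has_internal_subset):
        problems.append(f"DOCTYPE for <{name}>")
    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        problems.append(f"entity {name!r} declared (system id {sysid!r})")
    def on_external_ref(context, base, sysid, pubid):
        problems.append(f"external entity reference to {sysid!r}")
        return 0  # 0 makes expat abort instead of fetching the resource
    def on_start(name, attrs):
        stack.append(name)
        text.setdefault(name, "")
    def on_chars(chunk):
        if stack:
            text[stack[-1]] += chunk

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = on_chars
    try:
        parser.Parse(data, True)
    except expat.ExpatError:
        if not problems:
            raise  # malformed XML unrelated to entities: report it as such
    if problems:
        raise UnsafeXMLError("; ".join(problems))
    return text

def is_safe_xml(data: bytes) -> bool:
    """True when the document parses without touching any entity machinery."""
    try:
        parse_xml_without_entities(data)
        return True
    except UnsafeXMLError:
        return False

# Constructed inputs: a plain document and an XXE-shaped one pointing at a placeholder path.
CLEAN_XML = b"<note><to>ops</to><body>hello</body></note>"
XXE_XML = b'<!DOCTYPE note [<!ENTITY leak SYSTEM "file:///placeholder/path">]><note><body>&leak;</body></note>'
```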


Flysystem for PHP:

Flysystem is a filesystem abstraction which allows you to easily swap out a local filesystem for a remote one.

A common API for accessing files stored locally, on S3, FTP, SFTP, Dropbox, Rackspace, Zip, and WebDAV. Abstraction layers usually impose a performance penalty; I wonder how big that is in this case. Even with a performance penalty a shared API may be preferred for some situations.

Heartbleed Explanation on xkcd

Excellent explanation of the Heartbleed bug on xkcd.

Network Link Conditioner

Matt Thompson outlines how to install the Network Link Conditioner on Mac OS X.

The Network Link Conditioner allows you to tweak settings to simulate various network conditions. This is a must-have tool if you want to see what your mobile app experience is like under less-than-ideal network conditions.


© 2014 Joseph Scott
