Today's article is devoted to a security talk. This is the story of Artem "ximaera" Gavrichenkov's "Scaling TLS", given at Highload++ in November 2016:
Disclaimer: this is a critique of the talk itself, not an article about certificates and TLS. :)
Plot
It is always nice to see a speaker find, in some everyday thing, the pitfalls that you, yes, yes, exactly you, can easily run into. Such topics are fertile ground and usually go over well. At the same time, someone deeply involved in a thing that ordinary people simply use always has something with which to surprise the audience.
Problem statement
The main part of the talk (the one from which you can already draw conclusions and extract recommendations) starts at around 9:40. It seems to me that by this point the viewer is still not quite clear about what exactly the talk is about, and this is a problem. The revelation about who owns the certificate authorities and why they are still "trusted" begins at roughly the same point, with WoSign. After that the story keeps your attention, but I would suggest shortening the prologue.
In fact, the beginning of the talk outlines the recent history of encryption and mentions the impact on Google's ranking, Mozilla and Let's Encrypt statistics, vulnerabilities at the protocol level, and criticism of OpenSSL and GNU TLS. The unifying idea is technical debt, and its main component is the lack of basic knowledge among users, which he will tell you about ... This does not look quite logical: it rarely happens that educational activity is associated with repaying technical debt.
The viewers could be led to the educational topic differently; for example, after mentioning Google and its care for users, move straight on to "let's say you are thinking about implementing encryption for the first time; what tasks do you have to solve?"
It would be a pity to lose many of the pieces of information mentioned in the introduction, but they move naturally into other sections. In particular, Let's Encrypt, the growth in the number of those who use it and its crowdfunding campaign could be described perfectly well at the end of the item "whom to buy a certificate from".
Examples
Examples are one of the things that make this talk interesting and easy enough to follow. I want to note that here Artem does everything perfectly, and I urge readers to take, yes, an example from him.
Note that the stories are specific and contain details. Every mistake, as is well known, has a first name, a surname and a patronymic, and they are given in the talk whenever possible. In October 2016, GlobalSign carried out technical work on the cross-signing of its root and intermediate certificates and accidentally revoked all of its intermediate certificates; there are quite a few details here, which is good. Specific details, even if they are not fundamental to understanding the essence, make the narrative convincing. If the details do not take much time, do not hesitate over whether to include them in the story. Include them, unambiguously.
If the example is large-scale (in the GlobalSign case, the problem affected services such as Wikipedia, Dropbox and Spotify), that gives it weight.
The paradox in an example (when the first thought is "WTF?") makes the whole performance more memorable. In our case the stories about WoSign and AES 128/256 probably fit this definition. The latter story also fits neatly onto the stereotype that "the military are all stupid", which, regardless of the real state of affairs, sits quite firmly in the heads of many of us.
Speaker behavior
Just don't think, comma, that I am reading from a piece of paper
It makes sense to comment on the sheets of notes that Artem holds in his hands. There were a couple of comments from viewers who did not like this, but I think everything is fine here. Many people keep the very same notes in PowerPoint, Keynote, or whatever you have there. Some are more comfortable with paper; some people still read paper books, after all. The important thing is that the speaker should address the audience, not the notes. Staring at the presenter screen is no better than staring at your sheets of paper; viewers notice either just as easily. Artem looks at the hall almost all the time and talks with the audience, so, in my opinion, the printouts do no harm to the talk.
Slides
Self-sufficiency
I proceed from the belief that slides are only accompanying material that helps to show what the audience needs to see, and also helps the speaker not to lose the thread if the story is complex. Artem clearly (more on this below) tries to make the slides self-sufficient, i.e. such that you can look through them and get roughly the same information as by attending the live talk.
I cannot recommend this approach. It increases the amount of text on the slides, and that text is similar to what the speaker says. Many viewers then unwittingly spend a lot of energy comparing the text of the slides with the speech and working out how they match up. When, as here, the slides are in English and the talk is in Russian, the needless battery drain in the viewer's head can be very high.
Let's look at a few examples of what could be cut without serious consequences (the list is not exhaustive).
Slide 26:
WoSign's sins are listed in three groups. Perhaps some of them should be omitted to reduce the volume. In addition, I would have put the link to CA:WoSign_issues in the title of the slide. This applies not only here but also on some other slides: if we have only one first-level bullet, and below it a scattering of sub-points, then it is better to move that bullet into the heading.
Slide 33:
The part about banks could definitely be said aloud instead.
By the way, slides 33-34 on the video differ from those published on the conference website. This is normal, but I want to draw attention to slide 34 from the video (it appears at 18:05):
Here, in addition to the banks, there are also two copies of "more on that later", which are completely unnecessary on the slide.
Slide 59:
Here is the same problem: duplication of text on the slide that should be left to the voice only.
In general, Artem's talk is one that is difficult to accompany with graphic material. There is no sense that the slides are crying out for charts, diagrams and pictures in places. In such a situation I would suggest focusing people's attention on the speaker's speech and shortening the text on the screen.
Sequential reveal and preserving context
When the slides are mostly text, and a lot of it, the situation is rescued to a large extent by revealing elements on the slides one by one and keeping the story's context as unchanged as possible. I am convinced that completing the existing picture in small steps saves the viewers' energy and makes perception easier. This technique is used frequently and successfully in this talk. For example, look at the introductory ten slides (the first ~8 minutes). For what follows it is important to compare the second and tenth slides (if you opened the slides via the link, flip through what lies between them):
First, the second and fifth slides are identical. That is, on the third and fourth the speaker showed us graphs that matter for the setting, and then returns us to exactly the place from which to continue the story. Many speakers are afraid to repeat exactly a slide they have already shown once. So, just in case, I will say that there is nothing wrong with that.
Secondly, further elements then appear one by one that complement the story "from the other side". It is impossible to show the entire tenth slide at once: spoilers would appear, and the contrast between events would disappear. Elsewhere Artem also reveals bullets one by one, and it is much easier to follow what is happening and understand where we are at the moment.
Regular reviews
If you want feedback on your talk, I will be happy to give it to you.
What is needed for this?
A link to the video recording of the talk.
A link to the slides.
A request from the author. Without the speaker's own consent we will not analyze anything.
All this should be sent to habrauser p0b0rchy, that is, to me. I promise that the review will be constructive and polite, and will highlight the positive aspects as well, not only what needs to be improved.