Protecting Netflix Viewing Privacy at Scale

Netflix Technology Blog

Overview

The article discusses Netflix's efforts to enhance viewing privacy by implementing Transport Layer Security (TLS) encryption for video streams while maintaining high efficiency. It outlines the technical challenges and solutions involved in integrating TLS into their Open Connect Appliances (OCAs) without compromising performance.

What You'll Learn

1. How to implement TLS encryption for video streams
2. Why AES-GCM is preferred over AES-CBC for encryption
3. How to optimize data paths for encryption in high-performance systems

Prerequisites & Requirements

  • Understanding of encryption standards and protocols
  • Familiarity with OpenSSL and its alternatives such as BoringSSL and ISA-L (optional)

Key Questions Answered

How does Netflix ensure the privacy of its viewers?
Netflix enhances viewer privacy by implementing TLS encryption for video streams, which protects user data from eavesdropping, especially over insecure networks. This addition helps secure customer information and viewing habits against potential threats.
What cipher does Netflix use for video stream encryption?
Netflix primarily uses the Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) for encrypting video streams. This method is preferred due to its efficiency in encrypting and authenticating data simultaneously, which reduces computational overhead.
What performance improvements were achieved with the new encryption methods?
The implementation of BoringSSL and ISA-L AES-GCM resulted in performance increases of up to 30% compared to the baseline OpenSSL setup. This enhancement allows Netflix to add TLS encryption without significant performance degradation.
How does Netflix optimize data flow for TLS encryption?
Netflix designed a hybrid TLS scheme that allows session management in the application space while integrating bulk encryption into the kernel's sendfile data pipeline. This approach retains the efficiency of the sendfile model while enabling TLS functionality.
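To make the cipher-choice point above concrete, here is an added Go example (not code from Netflix or the original article) that contrasts the single-pass AES-GCM record with the two-pass AES-CBC plus HMAC-SHA256 construction it replaces. The keys, nonces and record layout (ciphertext || mac for the CBC path) are constructed assumptions; the output lengths show where each scheme's authentication data goes, and the open/verify functions show that both reject a modified record.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
)

// Constructed fixed demo keys and nonces; a real TLS record layer derives fresh per-record nonces.
var (
	aesKey   = bytes.Repeat([]byte{0x11}, 16) // AES-128 key
	macKey   = bytes.Repeat([]byte{0x22}, 32) // separate key for the CBC path's HMAC
	gcmNonce = bytes.Repeat([]byte{0x33}, 12) // 96-bit GCM nonce
	cbcIV    = bytes.Repeat([]byte{0x44}, aes.BlockSize)
)

func gcm() cipher.AEAD {
	block, _ := aes.NewCipher(aesKey)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// sealGCM: one pass over the data yields ciphertext plus a 16-byte auth tag.
func sealGCM(plaintext []byte) []byte { return gcm().Seal(nil, gcmNonce, plaintext, nil) }

// openGCM checks the tag while decrypting; a record with any modified byte is rejected.
func openGCM(sealed []byte) ([]byte, error) { return gcm().Open(nil, gcmNonce, sealed, nil) }

// sealCBC takes two passes: AES-CBC over PKCS#7-padded data, then HMAC-SHA256 over the ciphertext (encrypt-then-MAC).
func sealCBC(plaintext []byte) []byte {
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(aesKey)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, cbcIV).CryptBlocks(ct, padded)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	return mac.Sum(ct) // ciphertext || mac
}

// verifyCBC is the receiver's matching extra pass: recompute the HMAC and compare in constant time before decrypting.
func verifyCBC(sealed []byte) bool {
	if len(sealed) < sha256.Size { return false }
	n := len(sealed) - sha256.Size
	mac := hmac.New(sha256.New, macKey)
	mac.Write(sealed[:n])
	return hmac.Equal(mac.Sum(nil), sealed[n:])
}
```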

Key Statistics & Figures

Throughput increase from 2012 to 2016
From 8 Gbps to over 90 Gbps
This statistic highlights the significant advancements in the efficiency of Netflix's Open Connect Appliances over a four-year period.
Performance improvement with new implementations
Up to 30%
This improvement was measured against the baseline performance of OpenSSL without sendfile changes, demonstrating the effectiveness of the new encryption methods.
Daily content served by Netflix Open Connect
Over 125 million hours
This figure illustrates the scale at which Netflix operates and the importance of maintaining efficiency while enhancing security.

Technologies & Tools


Operating System
FreeBSD
Used as the operating system for Open Connect Appliances.
Web Server
nginx
Runs on Open Connect Appliances to serve Netflix content.
Encryption Standard
AES-GCM
Chosen for encrypting video streams due to its efficiency.
Encryption Library
BoringSSL
Evaluated as an alternative to OpenSSL for implementing AES-GCM.
Encryption Library
Intel Intelligent Storage Acceleration Library (ISA-L)
Tested for its performance in AES-GCM implementation.

Key Actionable Insights

1. Implementing TLS encryption can significantly enhance data security for streaming services.
   Given the increasing threats to user privacy, adopting TLS is essential for any service handling sensitive information, especially in environments with insecure networks.
2. Choosing the right cipher is crucial for maintaining performance while ensuring security.
   Using AES-GCM over AES-CBC can lead to better performance due to its simultaneous encryption and authentication, making it a preferred choice for high-throughput applications.
3. Optimizing data paths can lead to substantial performance gains in high-demand environments.
   By refining data flow and reducing unnecessary traversals, organizations can enhance their system's efficiency, especially when implementing encryption in real-time applications.

Common Pitfalls

1. Failing to consider the performance impact of encryption on streaming services.
   Many organizations underestimate the overhead introduced by encryption, which can lead to degraded user experiences if not properly managed. It's essential to evaluate and optimize encryption methods to maintain service quality.

Related Concepts

Transport Layer Security (TLS)
Advanced Encryption Standard (AES)
Open Connect Appliances (OCAs)
Digital Rights Management (DRM)