Thursday, July 25, 2013

NetflixOSS Meetup Series 1 Episode 3 - Featured Contributions

by Adrian Cockcroft and Ruslan Meshenberg

Our third NetflixOSS Meetup introduced our latest project releases, updates on the NetflixOSS Cloud Prize, and featured demonstrations from contributors as well as many Netflix projects.

The projects we covered in the lightning presentations were:
  • Pytheas - A web based framework for quickly building dashboards
  • Conformity Monkey - Maintain best practices for cloud deployments
  • Zuul - Edge tier for dynamic filtering of requests
  • Ice - AWS usage and cost analysis tool
  • Genie - Hadoop platform abstraction service for EMR
  • Lipstick - Visualization of Pig workflows

We had demonstrations of the above projects, plus demonstrations from NetflixOSS contributors:
  • Eucalyptus - V3.3 is now in production with support for NetflixOSS tools
  • IBM - Scalable implementation of Acme Air demo using NetflixOSS
  • PayPal - Rewrite of Asgard console to support OpenStack deployments
  • Riot Games - Cloud Native architecture based on many NetflixOSS projects

There was another good turnout, with beer, wine, plenty of Greek food and lots of discussion around the demo stations. In the afternoon before the meetup we had a workshop/bootcamp with a small number of our most active NetflixOSS contributors. We were able to help them with their projects while also getting a lot of extremely useful feedback on many aspects of the NetflixOSS program.

We are happy with the way that NetflixOSS is helping raise awareness of Cloud Native architecture, and how it has been adopted by larger organizations. It is in use at places like Riot Games that employ some ex-Netflix engineers, who continue to contribute code that Netflix uses even though we no longer need to pay them! However, we are aware that individual Cloud Prize contestants and smaller organizations are suffering from "Technical Indigestion" because there is too much here for people to absorb and to get up and running quickly. To address this, we have been concentrating our efforts on making it easier to get started. We were able to announce our first official Netflix AMI for Asgard at the event, and will be producing more of them in the coming weeks. We also have contributions to the NetflixOSS Cloud Prize which include Puppet-based AMIs, a Chef Cookbook for Ice, and Ansible Playbooks.

The NetflixOSS Cloud Prize has inspired some additional prizes. Citrix have said they will give $10K to the best contribution to getting NetflixOSS to work with Apache CloudStack. In addition, Canonical have created their own contest (based on a fork of the NetflixOSS Cloud Prize rules) for their Ubuntu Juju orchestration application, to create Juju Charms that install and manage applications based on combinations of individual services. There are several prizes of $10K available. Canonical want to encourage the creation of Juju charms for installing NetflixOSS-based applications, and Mark Shuttleworth of Canonical will be joining the NetflixOSS Cloud Prize judges, while Adrian Cockcroft will help judge the Juju Charm Championship.

We have an outline plan to hold another NetflixOSS Meetup after the deadline for the NetflixOSS Cloud Prize on September 15th, where we will reveal the nominations in each category. The final prize winners will be announced and receive their prizes at AWS Re:Invent in November in Las Vegas.

We hope to see you there!

And the video:
NetflixOSS S1 E3 Video

Monday, July 15, 2013

NfWebCrypto: a Web Cryptography API Native Polyfill

At Netflix we are excited to build an HTML5-based player for our service, as described in a previous blog post.  One of the “Premium Video Extensions” mentioned in that post is the Web Cryptography API, which “describes a JavaScript API for performing basic cryptographic operations in web applications, such as hashing, signature generation and verification, and encryption and decryption.” Netflix uses this API to secure the communication between our JavaScript and the Netflix servers.

The Web Cryptography WG of the W3C (of which Netflix is a member) produces the Web Cryptography API specification. Currently the spec is in the Working Draft stage and some browser vendors are waiting until the spec is more finalized before proceeding with their implementations. A notable exception is Microsoft, who worked with us to implement a draft version of the spec in Internet Explorer 11 for Windows 8.1 Preview, which now allows plugin-free Netflix video streaming.

To continue integrating our HTML5 application with other browsers, we decided to implement a polyfill based on the April 22, 2013 Editor’s Draft of the Web Cryptography API specification plus some other proposals under discussion. While similar in principle to JavaScript-based Web Crypto polyfills such as PolyCrypt, ours is implemented in native C++ (using OpenSSL 1.0.1c) to avoid the security risks of doing crypto in pure JavaScript. And because crypto functionality does not require deep browser integration, we were able to implement the polyfill as a stand-alone browser plugin, with our first implementation targeting Google’s Chrome browser using the Pepper Plugin API (PPAPI) framework.

So that you can also experiment with cryptography on the web, and to support the ongoing development of the specification in the W3C, we’ve released this NfWebCrypto plugin implementation as open source under the Apache Version 2.0 license. While NfWebCrypto is not yet a complete implementation of the Web Cryptography API, and may differ from the most recent version of the rapidly changing spec, we believe it has the mainstream crypto features many web applications will require. This means that you can use this plugin to try a version of the Web Cryptography API now, before it comes to your favorite browser.

At the moment the plugin is only supported in Chrome on Linux amd64 (tested in Ubuntu 12.04). For the latest details of what works and what does not, please see the README file in the NfWebCrypto GitHub repository. Here is a summary of the algorithms that are currently supported:

  • SHA1, SHA224, SHA256, SHA384, SHA512: digest
  • HMAC SHA: sign, verify, importKey, exportKey, generateKey
  • AES-128 CBC w/ PKCS#5 padding: encrypt, decrypt, importKey, exportKey, generateKey
  • RSASSA-PKCS1-v1_5: sign, verify, importKey, generateKey
  • RSAES-PKCS1-v1_5: encrypt, decrypt, importKey, exportKey, generateKey
  • Diffie-Hellman: generateKey, deriveKey
  • RSA-OAEP: wrapKey*, unwrapKey*
  • AES-KW: wrapKey*, unwrapKey*
*Wrap/Unwrap operations follow the Netflix KeyWrap Proposal and support protection of the JWE payload with AES128-GCM.
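
AES-CBC on its own provides confidentiality but not integrity, so an application that uses the AES-CBC and HMAC operations listed above to protect messages should authenticate the ciphertext and verify it before decrypting. The following is an added example, not code from NfWebCrypto or from Netflix: it uses the promise-based `crypto.subtle` interface of the standardized Web Cryptography API, which may differ from the draft interface the plugin implements, and the function names and sample message are constructed for illustration.

```javascript
// Added example: encrypt-then-MAC with AES-128-CBC + HMAC-SHA256 via crypto.subtle.
// getCrypto, generateKeys, seal, unseal and demo are hypothetical names, not NfWebCrypto APIs.
async function getCrypto() {
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto; // browsers, newer Node.js
  return (await import('node:crypto')).webcrypto;                              // older Node.js
}

async function generateKeys() {
  const { subtle } = await getCrypto();
  const encKey = await subtle.generateKey({ name: 'AES-CBC', length: 128 }, false, ['encrypt', 'decrypt']);
  const macKey = await subtle.generateKey({ name: 'HMAC', hash: 'SHA-256' }, false, ['sign', 'verify']);
  return { encKey, macKey }; // separate, non-extractable keys for encryption and authentication
}

async function seal(keys, plaintext) {
  const c = await getCrypto();
  const iv = c.getRandomValues(new Uint8Array(16)); // fresh random IV for every message
  const data = new TextEncoder().encode(plaintext);
  const ct = new Uint8Array(await c.subtle.encrypt({ name: 'AES-CBC', iv }, keys.encKey, data));
  const body = new Uint8Array(iv.length + ct.length); // body = IV || ciphertext
  body.set(iv);
  body.set(ct, iv.length);
  const tag = new Uint8Array(await c.subtle.sign('HMAC', keys.macKey, body)); // MAC covers the IV too
  return { body, tag };
}

async function unseal(keys, msg) {
  const { subtle } = await getCrypto();
  // Verify the tag first; unauthenticated ciphertext is never passed to decrypt.
  const ok = await subtle.verify('HMAC', keys.macKey, msg.tag, msg.body);
  if (!ok) throw new Error('authentication failed');
  const iv = msg.body.slice(0, 16);
  const pt = await subtle.decrypt({ name: 'AES-CBC', iv }, keys.encKey, msg.body.slice(16));
  return new TextDecoder().decode(pt);
}

async function demo() {
  const keys = await generateKeys();
  const msg = await seal(keys, 'constructed sample message');
  const roundTrip = await unseal(keys, msg);
  msg.body[20] ^= 0x01; // constructed tampering: flip one ciphertext bit
  let rejected = false;
  try { await unseal(keys, msg); } catch (e) { rejected = true; }
  return { roundTrip, rejected };
}

demo().then((r) => console.log(r));
```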

NfWebCrypto will of course be obsolete once browser vendors complete their implementations. In the meantime, this plugin is a stop-gap measure to allow people to move forward with cryptography on the web.  Since finalization of the spec may still be some time away, we hope the community will benefit from this early look. We also hope that a concrete implementation will provide a backdrop against which the evolving spec can be evaluated. Finally, the NfWebCrypto JavaScript unit tests and perhaps the actual C++ implementation may be useful references for browser vendors.

Moving forward, we plan to keep pace with the W3C spec as best we can as it evolves. We welcome contributions to NfWebCrypto from the open source community, particularly in the areas of security audits, expanding the unit tests, and porting to other browser plugin frameworks and platforms.

You can find NfWebCrypto at the Netflix Open Source Center on GitHub.