BT

Netflix Releases Open Source Message Security Layer

| by Chris Swan Follow 621 Followers on Nov 24, 2014. Estimated reading time: 2 minutes |

Netflix have announced the release of the Message Security Layer protocol (MSL), which they describe as ‘A Modern Take on Securing Communication’. The project is available on github under the Apache 2.0 license, with implementations in Java and JavaScript. The high level goals of the protocol are to improve performance, be cross language, flexible and extensible, standards compatible and offer automatic error recovery.

Improved performance is one of the most notable features of MSL, and according to Netflix’s former Chief Architect, Adrian Cockcroft, the project was known internally as ‘Missile’ due to speedup on offer. MSL is used in combination with HTTP versus the previous mix of HTTPS and an in house protocol known as NTBA. This eliminates the latency caused by a SSL/TLS handshake for new connections, allowing MSL to offer similar request/response performance to existing connections.

To minimize network round-trips MSL attempts to perform authentication, key negotiation, and renewal operations while it is also transmitting application data. As a result MSL does not impose any additional network round trips and only minimal data overhead.

The protocol can be used in two deployment models (described as ‘MSL network types’), and a single device can join multiple MSL networks simultaneously:

  1. Trusted services network. In this model a client device connects to multiple servers that share access to the same back end cryptographic secrets.
  2. Peer-to-peer network. This model makes use of mutual authentication between peers where there is no pre-established trust in place.

MSL has been designed to improve the efficiency and user experience of Netflix’s video on demand service. Since it focusses on constrained devices such as web browsers, game consoles and consumer electronics it is likely that the protocol will also find uses for those building Internet of Things applications (especially if a port of the client code to C/C++ emerges).

The protocol has received criticism in forums such as Reddit and Hacker News for its proprietary origins and lack of a public security audit. Some of the objections stem from a general discomfort with digital rights management (DRM) systems, where Netflix is obliged to provide content protection in order to satisfy copyright holders. Since DRM systems are a popular target for technical attacks the resilience of MSL and its implementations will surely be tested, and the outcome will be sufficiently visible. Perhaps the most important element of MSL is decoupling transport security from public key infrastructure (PKI), which has become one of the most troublesome areas for typical SSL/TLS implementations (with Moxie Marlinspike and Ben Laurie doing a great job of documenting the issues).

Rate this Article

Adoption Stage
Style

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Discuss
BT