ECDSA for TLS

Implemented a 256-bit ECDSA key and certificate for TLS connections to Bitbucket Cloud - initially just secondary certificates, such as for bitbucket.io hosted pages and for api.bitbucket.org, but eventually for the primary certificate (bitbucket.org). User agents indicate their key-signing compatibility during ClientHello; if they support ECDSA, then the load balancers (which terminate that TLS session) will use the ECDSA key to sign outgoing packets.

Almost all HTTPS traffic through bitbucket.org and its associated hostnames now uses an ECDSA certificate. The smaller ECDSA certificate reduces memory usage on the load balancing layer; it slightly reduces packet-signing latency; and it offers better security for packets in transit. Bitbucket is also still the only major repository host to use ECDSA for TLS.

Project link: https://bitbucket.org/blog/renewing-certificates-plural

Nifty tech tag lists fromĀ Wouter Beeftink