More Web Proxy on the site http://driver.im/

research-article

Practical end-to-end web content integrity

Authors:

Alexander Moshchuk,

Collin Jackson,

Wenke LeeAuthors Info & Claims

WWW '12: Proceedings of the 21st international conference on World Wide Web

Pages 659 - 668

https://doi.org/10.1145/2187836.2187926

Published: 16 April 2012 Publication History

Abstract

Widespread growth of open wireless hotspots has made it easy to carry out man-in-the-middle attacks and impersonate web sites. Although HTTPS can be used to prevent such attacks, its universal adoption is hindered by its performance cost and its inability to leverage caching at intermediate servers (such as CDN servers and caching proxies) while maintaining end-to-end security. To complement HTTPS, we revive an old idea from SHTTP, a protocol that offers end-to-end web integrity without confidentiality. We name the protocol HTTPi and give it an efficient design that is easy to deploy for today's web. In particular, we tackle several previously-unidentified challenges, such as supporting progressive page loading on the client's browser, handling mixed content, and defining access control policies among HTTP, HTTPi, and HTTPS content from the same domain. Our prototyping and evaluation experience show that HTTPi incurs negligible performance overhead over HTTP, can leverage existing web infrastructure such as CDNs or caching proxies without any modifications to them, and can make many of the mixed-content problems in existing HTTPS web sites easily go away. Based on this experience, we advocate browser and web server vendors to adopt HTTPi.

References

[1]

About Asynchronous Pluggable Protocols. http://msdn.microsoft.com/en-us/library/aa767916(v=VS.85).aspx.

[2]

Cisco Visual Networking Index: Forecast and Methodology, 2009-2014.

[3]

Dispelling the New SSL Myth. http://devcentral.f5.com/weblogs/macvittie/archive/2011/01/31/dispelling-the-new-ssl-myth.aspx.

[4]

IInternetProtocolInfo interface.http://msdn.microsoft.com/en-us/library/aa767874(VS.85).aspx.

[5]

Network Simulator. http://www.akmalabs.com/downloads_netsim.php.

[6]

Akamai Technologies. Secure Content Delivery. http://www.akamai.com/dl/feature_sheets/fs_edgesuite_securecontentdelivery.pdf.

[7]

A. Barth, C. Jackson, and J. C. Mitchell. Securing Frame Communication in Browsers. In USENIX Security Symposium, San Jose, CA, July 2008.

Digital Library

[8]

R. J. Bayardo and J. Sorensen. Merkle Tree Authentication of HTTP Responses. In WWW, Chiba, Japan, May 2005.

Digital Library

[9]

D. E. Bell. Looking Back at the Bell-LaPadula Model. In ACSAC, Tucson, AZ, Dec. 2005.

Digital Library

[10]

D. E. Bell and L. J. LaPadula. Secure Computer Systems: Mathematical Foundations. Technical Report ESD-TR- 73-278, MITRE Corporation, Bedford, MA, Nov. 1973.

[11]

K. J. Biba. Integrity Considerations for Secure Computer Systems. Technical Report ESD-TR-76-372, MITRE Corporation, Bedford, MA, Apr. 1977.

[12]

U. Blumenthal and P. Goel. RFC 4785: Pre-Shared Key (PSK) Ciphersuites with NULL Encryption for Transport Layer Security (TLS), 2007.

[13]

K. DeGrande. CDNetworks, Sept. 2010. Personal communication.

[14]

FiddlerCore. http://fiddler.wikidot.com/fiddlercore.

[15]

R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee. RFC2616: Hypertext Transfer Protocol - HTTP/1.1, 1999.

Digital Library

[16]

S. Friedl. An Illustrated Guide to the Kaminsky DNS Vulnerability. http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html.

[17]

C. Gaspard, S. Goldberg, W. Itani, E. Bertino, and C. Nita-Rotaru. SINE: Cache-Friendly Integrity for the Web. In NPSec Workshop, Princeton, NJ, Oct. 2009.

[18]

R. Gennaro and P. Rohatgi. How to Sign Digital Streams. In CRYPTO, Santa Barbara, CA, Aug. 1997.

Digital Library

[19]

S. Hanna, R. Shin, D. Akhawe, P. Saxena, A. Boehm, and D. Song. The Emperor's New APIs: On the (In)Secure Usage of New Client-side Primitives. In W2SP, Oakland, CA, May 2010.

[20]

J. Hodges, C. Jackson, and A. Barth. HTTP Strict Transport Security (HSTS), 2010. http://tools.ietf.org/html/draft-hodges-strict-transport-sec.

[21]

C. Jackson, A. Barth, A. Bortz, W. Shao, and D. Boneh. Protecting Browsers from DNS Rebinding Attacks. InCCS, Alexandria, VA, Oct. 2007.

Digital Library

[22]

V. Jirasek. Overcoming man in the middle attack on Strict Transport Security, Aug. 2010. http://www.jirasekonsecurity.com/2010/08/overcoming-man-in-middle-attack-on.html.

[23]

A. Langley, N. Modadugu, and W.-T. Chang. Overclocking SSL. In Velocity: Web Performance and Operations Conference, Santa Clara, CA, June 2010.http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html.

[24]

E. Lawrence. Fiddler Web Debugging Tool. http://www.fiddler2.com/fiddler2/.

[25]

D. Mosberger and T. Jin. httperf--A Tool for Measuring Web Server Performance.Performance Evaluation Review, 26(3):31--37, 1998.

Digital Library

[26]

S. Ramachandran. Let's make the web faster.http://code.google.com/speed/articles/web-metrics.html.

[27]

C. Reis, S. D. Gribble, T. Kohno, and N. C. Weaver. Detecting In-Flight Page Changes with Web Tripwires. In NSDI, San Francisco, CA, Apr. 2008.

Digital Library

[28]

E. Rescorla. RFC 2818: HTTP Over TLS, 2000.

Digital Library

[29]

E. Rescorla. and A. Schiffman. RFC2660: The Secure Hypertext Transfer Protocol, 1999.

Digital Library

[30]

J. Ruderman. Same Origin Policy for JavaScript. http://www.mozilla.org/projects/security/components/same-origin.html.

[31]

S. Schechter, R. Dhamija, A. Ozment, and I. Fischer. The emperor's new security indicators. In IEEE Symposium on Security and Privacy, Oakland, CA, May 2007.

Digital Library

[32]

K. Singh, A. Moshchuk, H. J. Wang, and W. Lee. On the Incoherencies in Web Browser Access Control Policies. In IEEE Symposium on Security and Privacy, Oakland, CA, May 2010.

Digital Library

[33]

S. Stamm, B. Sterne, and G. Markham. Reining in the Web with Content Security Policy. In WWW, Raleigh, NC, Apr. 2010.

Digital Library

[34]

A. Stubblefield, A. D. Rubin, and D. S. Wallach. Managing the Performance Impact of Web Security.Electronic Commerce Research, 5:99--116, January 2005.

Digital Library

[35]

H. J. Wang, X. Fan, J. Howell, and C. Jackson. Protection and Communication Abstractions for Web Browsers in MashupOS. In SOSP, Stevenson, WA, Oct. 2007.

Digital Library

[36]

H. J. Wang, C. Grier, A. Moshchuk, S. T. King, P. Choudhury, and H. Venter. The Multi-Principal OS Construction of the Gazelle Web Browser. In USENIX Security Symposium, Montreal, Canada, Aug. 2009.

Digital Library

[37]

A. Wolman, G. M. Voelker, N. Sharma, N. Cardwell, A. Karlin, and H. M. Levy. On the Scale and Performance of Cooperative Web Proxy Caching. In SOSP, Charleston, SC, Dec. 1999.

Digital Library

Cited By

Zemanek STauchert SUfer MBruckschen L(2024)Web Content Integrity: Tamper-Proof Websites Beyond HTTPSICT Systems Security and Privacy Protection10.1007/978-3-031-56326-3_1(1-14)Online publication date: 24-Apr-2024
https://doi.org/10.1007/978-3-031-56326-3_1
Chua MYee GGu YLung C(2020)Threats to Online Advertising and CountermeasuresDigital Threats: Research and Practice10.1145/33741361:2(1-27)Online publication date: 29-May-2020
https://dl.acm.org/doi/10.1145/3374136
Kogan DStern HTolbert AMazières DWinstein K(2017)The Case For Secure DelegationProceedings of the 16th ACM Workshop on Hot Topics in Networks10.1145/3152434.3152444(15-21)Online publication date: 30-Nov-2017
https://dl.acm.org/doi/10.1145/3152434.3152444
Show More Cited By

Index Terms

Practical end-to-end web content integrity
1. Security and privacy
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Recommendations

An End-to-End Measurement of Certificate Revocation in the Web's PKI
IMC '15: Proceedings of the 2015 Internet Measurement Conference

Critical to the security of any public key infrastructure (PKI) is the ability to revoke previously issued certificates. While the overall SSL ecosystem is well-studied, the frequency with which certificates are revoked and the circumstances under which ...
A constraint-based tool for data integrity management on the web
ICUIMC '10: Proceedings of the 4th International Conference on Uniquitous Information Management and Communication

Today, publishing information on Web sites is common. And the size of the Web contents that need to be managed is increasing. Therefore it is important to maintain content integrities on the Web. This paper proposes a system to maintain the content ...
Improving end-to-end performance of the Web using server volumes and proxy filters
SIGCOMM '98: Proceedings of the ACM SIGCOMM '98 conference on Applications, technologies, architectures, and protocols for computer communication

The rapid growth of the World Wide Web has caused serious performance degradation on the Internet. This paper offers an end-to-end approach to improving Web performance by collectively examining the Web components --- clients, proxies, servers, and the ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Other conferences

WWW '12: Proceedings of the 21st international conference on World Wide Web

April 2012

1078 pages

ISBN:9781450312295

DOI:10.1145/2187836

General Chairs:
Alain Mille
Université de Lyon, France
,
Fabien Gandon
INRIA, France
,
Jacques Misselis
HP, France
,
Program Chairs:
Michael Rabinovich
Case Western Reserve University, USA
,
Steffen Staab
University of Koblenz-Landau, Germany

Copyright © 2012 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Univ. de Lyon: Universite de Lyon

In-Cooperation

SIGWEB: ACM Special Interest Group on Hypertext, Hypermedia, and Web

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 16 April 2012

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

WWW 2012

Sponsor:

Univ. de Lyon

WWW 2012: 21st World Wide Web Conference 2012

April 16 - 20, 2012

Lyon, France

Acceptance Rates

Overall Acceptance Rate 1,899 of 8,196 submissions, 23%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

13
Total Citations
View Citations
435
Total Downloads

Downloads (Last 12 months)17
Downloads (Last 6 weeks)4

Reflects downloads up to 23 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Zemanek STauchert SUfer MBruckschen L(2024)Web Content Integrity: Tamper-Proof Websites Beyond HTTPSICT Systems Security and Privacy Protection10.1007/978-3-031-56326-3_1(1-14)Online publication date: 24-Apr-2024
https://doi.org/10.1007/978-3-031-56326-3_1
Chua MYee GGu YLung C(2020)Threats to Online Advertising and CountermeasuresDigital Threats: Research and Practice10.1145/33741361:2(1-27)Online publication date: 29-May-2020
https://dl.acm.org/doi/10.1145/3374136
Kogan DStern HTolbert AMazières DWinstein K(2017)The Case For Secure DelegationProceedings of the 16th ACM Workshop on Hot Topics in Networks10.1145/3152434.3152444(15-21)Online publication date: 30-Nov-2017
https://dl.acm.org/doi/10.1145/3152434.3152444
Calzavara SFocardi RSquarcina MTempesta M(2017)Surviving the WebACM Computing Surveys10.1145/303892350:1(1-34)Online publication date: 6-Mar-2017
https://dl.acm.org/doi/10.1145/3038923
Sivabalan SRadcliffe P(2017)Detecting IoT zombie attacks on web servers2017 27th International Telecommunication Networks and Applications Conference (ITNAC)10.1109/ATNAC.2017.8215358(1-3)Online publication date: Nov-2017
https://doi.org/10.1109/ATNAC.2017.8215358
Afanasyev AHalderman JRuoti SSeamons KYu YZappala DZhang LGates CBöhme REgelman SMannan M(2016)Content-based security for the webProceedings of the 2016 New Security Paradigms Workshop10.1145/3011883.3011890(49-60)Online publication date: 26-Sep-2016
https://dl.acm.org/doi/10.1145/3011883.3011890
Backes MGerling RGerling SNürnberger SSchröder DSimkin M(2014)WebTrust – A Comprehensive Authenticity and Integrity Framework for HTTPApplied Cryptography and Network Security10.1007/978-3-319-07536-5_24(401-418)Online publication date: 2014
https://doi.org/10.1007/978-3-319-07536-5_24
Fayazbakhsh SLin YTootoonchian AGhodsi AKoponen TMaggs BNg KSekar VShenker S(2013)Less pain, most of the gainACM SIGCOMM Computer Communication Review10.1145/2534169.248602343:4(147-158)Online publication date: 27-Aug-2013
https://dl.acm.org/doi/10.1145/2534169.2486023
Fayazbakhsh SLin YTootoonchian AGhodsi AKoponen TMaggs BNg KSekar VShenker SChiu DWang JBarford PSeshan S(2013)Less pain, most of the gainProceedings of the ACM SIGCOMM 2013 conference on SIGCOMM10.1145/2486001.2486023(147-158)Online publication date: 12-Aug-2013
https://dl.acm.org/doi/10.1145/2486001.2486023
Hallgren PMauritzson DSabelfeld ANaldurg PSwamy N(2013)GlassTubeProceedings of the Eighth ACM SIGPLAN workshop on Programming languages and analysis for security10.1145/2465106.2465432(71-82)Online publication date: 20-Jun-2013
https://dl.acm.org/doi/10.1145/2465106.2465432
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents