
SSL splitting: Securely serving data from untrusted caches

Published: 05 August 2005

Abstract

A popular technique for reducing the bandwidth load on Web servers is to serve the content from proxies. Typically these hosts are trusted by the clients and server not to modify the data that they proxy. SSL splitting is a new technique for guaranteeing the integrity of data served from proxies without requiring changes to Web clients. Instead of relaying an insecure HTTP connection, an SSL splitting proxy simulates a normal Secure Sockets Layer (SSL) connection with the client by merging authentication records from the server with data records from a cache. This technique reduces the bandwidth load on the server, while allowing an unmodified Web browser to verify that the data served from proxies is endorsed by the originating server. SSL splitting is implemented as a patch to the industry-standard OpenSSL library, with which the server is linked. In experiments replaying two-hour access.log traces taken from LCS Web sites over an ADSL link, SSL splitting reduces bandwidth consumption of the server by between 25% and 90% depending on the warmth of the cache and the redundancy of the trace. Uncached requests forwarded through the proxy exhibit latencies within approximately 5% of those of an unmodified SSL server.
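The record split described in the abstract, as an added toy model that is not the paper's code or its OpenSSL patch: the server emits only the MAC for each record, the untrusted proxy fills in the payload from its cache, and an unmodified client verifies the result. It assumes an authentication-only cipher suite (no encryption), a simplified HMAC-SHA256 record MAC rather than the real SSL 3.0 construction, and SHA-256 of the payload as the cache identifier.

```python
"""Toy model of SSL splitting (constructed example, not the paper's OpenSSL patch).
The server emits only authentication records (MACs); an untrusted proxy supplies
the matching data records from its cache; the unmodified client verifies the MAC.
Assumptions: authentication-only cipher suite (no encryption), a simplified
HMAC-SHA256 record MAC, and SHA-256 of the payload as the cache identifier."""
import hashlib
import hmac
import struct

APPLICATION_DATA = 23  # SSL/TLS record content type for application data


def record_mac(mac_key: bytes, seq: int, ctype: int, data: bytes) -> bytes:
    """MAC over sequence number, type, length and payload (simplified)."""
    header = struct.pack("!QBH", seq, ctype, len(data))
    return hmac.new(mac_key, header + data, hashlib.sha256).digest()


def server_stub(mac_key: bytes, seq: int, data: bytes) -> dict:
    """Server: send a stub carrying a cache identifier and the MAC, not the payload."""
    return {
        "seq": seq,
        "type": APPLICATION_DATA,
        "id": hashlib.sha256(data).digest(),
        "mac": record_mac(mac_key, seq, APPLICATION_DATA, data),
    }


def proxy_merge(stub: dict, cache: dict) -> dict:
    """Untrusted proxy: look the payload up by id and rebuild a full record.
    The proxy never holds the MAC key, so it cannot forge a valid MAC."""
    data = cache[stub["id"]]
    return {"seq": stub["seq"], "type": stub["type"], "data": data, "mac": stub["mac"]}


def client_verify(mac_key: bytes, record: dict) -> bool:
    """Unmodified client: check the record MAC exactly as for any SSL record."""
    expected = record_mac(mac_key, record["seq"], record["type"], record["data"])
    return hmac.compare_digest(expected, record["mac"])


def demo(tamper: bool = False) -> bool:
    """Pass one record server -> proxy -> client and return the client's verdict."""
    mac_key = b"constructed-shared-mac-key"  # in real SSL, derived in the handshake
    payload = b"<html>cached page body</html>"  # constructed sample content
    cache = {hashlib.sha256(payload).digest(): payload}
    stub = server_stub(mac_key, seq=0, data=payload)
    if tamper:  # a corrupted or malicious cache substitutes different content
        cache[stub["id"]] = b"<html>modified page body</html>"
    return client_verify(mac_key, proxy_merge(stub, cache))
```

The stub carries no payload, which is where the server-side bandwidth saving comes from; a cache that serves altered content fails the client's MAC check.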


Cited By

  • (2019) A delegation token-based method to authenticate the third party in TLS, International Journal of High Performance Computing and Networking 13(2): 164-174, doi 10.5555/3319261.3319265, published 1 Jan 2019
  • (2017) The Case For Secure Delegation, Proceedings of the 16th ACM Workshop on Hot Topics in Networks, pp. 15-21, doi 10.1145/3152434.3152444, published 30 Nov 2017
  • (2016) Content-based security for the web, Proceedings of the 2016 New Security Paradigms Workshop, pp. 49-60, doi 10.1145/3011883.3011890, published 26 Sep 2016

Published In

Computer Networks: The International Journal of Computer and Telecommunications Networking, Volume 48, Issue 5 (Web security), 5 August 2005, 128 pages

Publisher

Elsevier North-Holland, Inc.

United States

Author Tags

  1. Barnraising
  2. CDN
  3. DHT
  4. SSL splitting
  5. Untrusted proxy

Qualifiers

  • Article
