ScienceDirect® Home Skip Main Navigation Links
You have guest access to ScienceDirect. Find out more.
 
Home
Browse
My Settings
Alerts
Help
 Quick Search
 Search tips (Opens new window)
    Clear all fields    
Computer Networks
Volume 48, Issue 5, 5 August 2005, Pages 763-779
Web Security
 
Font Size: Decrease Font Size  Increase Font Size
 Abstract - selected
Article
Purchase PDF (533 K)

  E-mail Article   
  Add to my Quick Links   
Bookmark and share in 2collab (opens in new window)
Request permission to reuse this article
  Cited By in Scopus (0)
 
 
 
Related Articles in ScienceDirect
View More Related Articles
 
View Record in Scopus
 
doi:10.1016/j.comnet.2005.01.006    How to Cite or Link Using DOI (Opens New Window)
Copyright © 2005 Published by Elsevier B.V.

SSL splitting: Securely serving data from untrusted cachesstar, open

Chris Lesniewski-LaasCorresponding Author Contact Information, E-mail The Corresponding Author and M. Frans KaashoekE-mail The Corresponding Author

Laboratory for Computer Science, Massachusetts Institute of Technology, Cambridge, MA, United States

Available online 16 February 2005.

Purchase the full-text article



References and further reading may be available for this article. To view references and further reading you must purchase this article.

Abstract

A popular technique for reducing the bandwidth load on Web servers is to serve the content from proxies. Typically these hosts are trusted by the clients and server not to modify the data that they proxy. SSL splitting is a new technique for guaranteeing the integrity of data served from proxies without requiring changes to Web clients. Instead of relaying an insecure HTTP connection, an SSL splitting proxy simulates a normal Secure Sockets Layer (SSL) connection with the client by merging authentication records from the server with data records from a cache. This technique reduces the bandwidth load on the server, while allowing an unmodified Web browser to verify that the data served from proxies is endorsed by the originating server.

SSL splitting is implemented as a patch to the industry-standard OpenSSL library, with which the server is linked. In experiments replaying two-hour access.log traces taken from LCS Web sites over an ADSL link, SSL splitting reduces bandwidth consumption of the server by between 25% and 90% depending on the warmth of the cache and the redundancy of the trace. Uncached requests forwarded through the proxy exhibit latencies within approximately 5% of those of an unmodified SSL server.

Keywords: SSL splitting; Barnraising; CDN; DHT; Untrusted proxy

Article Outline

1. Introduction
2. Goals
3. Design of SSL splitting
3.1. SSL overview
3.2. Interposing a proxy
3.3. Proxy-server protocol extensions
3.4. Dropping the encryption layer
3.5. Server-proxy signaling
4. Implementation
4.1. Server: modified OpenSSL
4.2. Proxy
4.3. Message formats
5. Cooperative Web caching using SSL splitting
5.1. Joining and leaving the proxy set
5.2. Redirection
5.3. Distributing the Web cache
5.4. Deploying barnraising
6. Evaluation
6.1. General experimental setup
6.2. Bandwidth savings for a single file
6.3. Bandwidth savings for trace-driven loads
6.3.1. Web trace files
6.3.2. Measurements
6.3.3. Simulations
6.4. Latency
7. Discussion
7.1. Transparent proxying
7.2. The implications of key exposure
7.3. Alternative proxy design
7.4. Feedback loop
8. Related work
8.1. Verifying integrity
8.2. HTTPS proxies
8.3. Content-distribution systems
9. Summary
Acknowledgements
References
Vitae













Computer Networks
Volume 48, Issue 5, 5 August 2005, Pages 763-779
Web Security
 
Home
Browse
My Settings
Alerts
Help
Elsevier.com (Opens new window)
About ScienceDirect  |  Contact Us  |  Information for Advertisers  |  Terms & Conditions  |  Privacy Policy
Copyright © 2008 Elsevier B.V. All rights reserved. ScienceDirect® is a registered trademark of Elsevier B.V.