Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou CS Dept., Duke University.

Slides:

Advertisements

Similar presentations

Enabling Secure Internet Access with ISA Server

Advertisements

RASPro is a secure high performance remote application delivery platform through a perfect combination of application hosting and application streaming.

Chapter 17 Networking Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles, 6/E William.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

1. 2 Branch Office Network Performance Caches content downloaded from file and Web servers Users in the branch can quickly open files stored in the cache.

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug scotthel.me.

Pervasive Web Content Delivery with Efficient Data Reuse Chi-Hung Chi and Cao Yang School of Computing National University of Singapore

Blue Coat Systems Securing and accelerating the Remote office Matt Bennett.

19 Historical overview Main challenge: How to distribute content in high quality over the Internet cost-effectively? • Traditional “Best-effort” model:

Internet Networking Spring 2006 Tutorial 12 Web Caching Protocols ICP, CARP.

Chapter 2: Application Layer

The Internet Useful Definitions and Concepts About the Internet.

Web Servers How do our requests for resources on the Internet get handled? Can they be located anywhere? Global?

What’s a Web Cache? Why do people use them? Web cache location Web cache purpose There are two main reasons that Web cache are used:  to reduce latency.

1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #13 Web Caching Protocols ICP, CARP.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

V1.00 © 2009 Research In Motion Limited Introduction to Mobile Device Web Development Trainer name Date.

Implementing ISA Server Caching. Caching Overview ISA Server supports caching as a way to improve the speed of retrieving information from the Internet.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

Web Caching Schemes For The Internet – cont. By Jia Wang.

Firewalls Presented By Hareesh Pattipati. Outline Introduction Firewall Environments Type of Firewalls Future of Firewalls Conclusion.

Application Layer  We will learn about protocols by examining popular application-level protocols  HTTP  FTP  SMTP / POP3 / IMAP  Focus on client-server.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

1 Web Servers (IIS and Apache) Outline 9.1 Introduction 9.2 HTTP Request Types 9.3 System Architecture 9.4 Client-Side Scripting versus Server-Side Scripting.

IT 210 The Internet & World Wide Web introduction.

DNN Performance & Scalability Planning, Evaluating & Improving : Part 2.

Databases and the Internet. Lecture Objectives Databases and the Internet Characteristics and Benefits of Internet Server-Side vs. Client-Side Special.

BitTorrent Presentation by: NANO Surmi Chatterjee Nagakalyani Padakanti Sajitha Iqbal Reetu Sinha Fatemeh Marashi.

SAINT ‘01 Proactive DNS Caching: Addressing a Performance Bottleneck Edith Cohen AT&T Labs-Research Haim Kaplan Tel-Aviv University.

Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.

1 Configurable Security for Scavenged Storage Systems NetSysLab The University of British Columbia Abdullah Gharaibeh with: Samer Al-Kiswany, Matei Ripeanu.

Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),

Overview of Microsoft ISA Server. Introducing ISA Server New Product—Proxy Server In 1996, Netscape had begun to sell a web proxy product, which optimized.

A Measurement Based Memory Performance Evaluation of High Throughput Servers Garba Isa Yau Department of Computer Engineering King Fahd University of Petroleum.

Internet Security. 2 PGP is a security technology which allows us to send that is authenticated and/or encrypted. Authentication confirms the identity.

1 Topic 2: Lesson 3 Intro to Firewalls Summary. 2 Basic questions What is a firewall? What is a firewall? What can a firewall do? What can a firewall.

Application Services COM211 Communications and Networks CDA College Theodoros Christophides

Data Communications and Computer Networks Chapter 2 CS 3830 Lecture 8 Omar Meqdadi Department of Computer Science and Software Engineering University of.

PEERSPECTIVE.MPI-SWS.ORG ALAN MISLOVE KRISHNA P. GUMMADI PETER DRUSCHEL BY RAGHURAM KRISHNAMACHARI Exploiting Social Networks for Internet Search.

BASIC INTERNET PROTOCOLS: http, ftp, telnet. Mirela Walczak.

Empirical Quantification of Opportunities for Content Adaptation in Web Servers Michael Gopshtein and Dror Feitelson School of Engineering and Computer.

1 Firewalls - Introduction l What is a firewall? –Firewalls are frequently thought of as a very complex system that is some sort of magical, mystical..

Introduction and Principles Web Server Scripting.

Content Delivery Networks: Status and Trends Speaker: Shao-Fen Chou Advisor: Dr. Ho-Ting Wu 5/8/

1 COMP 431 Internet Services & Protocols HTTP Persistence & Web Caching Jasleen Kaur February 11, 2016.

Overview on Web Caching COSC 513 Class Presentation Instructor: Prof. M. Anvari Student name: Wei Wei ID:

SpyProxy SpyProxy Execution-based Detection of MaliciousWeb Content Execution-based Detection of MaliciousWeb Content Hongjin, Lee.

@Yuan Xue CS 285 Network Security Fall 2012 Yuan Xue.

Presented By Hareesh Pattipati.  Introduction  Firewall Environments  Type of Firewalls  Future of Firewalls  Conclusion.

1Security for Service Providers – Dave Gladwin – Newport Networks – SIP ’04 – 22-Jan-04 Security for Service Providers Protecting Service Infrastructure.

BUILD SECURE PRODUCTS AND SERVICES

WWW and HTTP King Fahd University of Petroleum & Minerals

Affinity Depending on the application and client requirements of your Network Load Balancing cluster, you can be required to select an Affinity setting.

Authentication & .htaccess

Hybrid Cloud Architecture for Software-as-a-Service Provider to Achieve Higher Privacy and Decrease Securiity Concerns about Cloud Computing P. Reinhold.

Securing the Network Perimeter with ISA 2004

Web Caching? Web Caching:.

Internet Networking recitation #12

Department of Computer Science University of Calgary

Privacy Through Anonymous Connection and Browsing

Web Servers (IIS and Apache)

MicroToken Exchange Data Security Solutions

Presentation transcript:

Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou CS Dept., Duke University May, 2015

Outline Introduction Challenges Solution QoS2 Architecture Evaluation Future works 2

Introduction HTTPS  HTTP on top of SSL/TLS  Safe – Prevailed nowadays Over 50% traffic! But does the “S” come for free? 3 Image references from:

Introduction Is the “S” free?  No! Page Load Time (PLT)  More RTTs for establishing connections  Key exchange  Decryption/Encryption 4 Image references from: iis.aspx

Introduction Middle Boxes  Inspecting packets and optimizing end-user performance are prevented 5 KaKa KbKb Cache Not Hit!! KaKa KbKb

Introduction All-or-nothing choice nowadays  HTTP – Quick, but not safe  HTTPS – Safe, but not quick Trade-off  Make the Internet Quick and Of course Safe, Too 6

Introduction Our overall goal Short load time and low overhead  Leverage the benefits of HTTP Simple High efficiency Security is not compromised  Serve the objects via HTTPS Ensure security 7

Outline Introduction Challenges Solution QoS2 Architecture Evaluation Future works 8

Challenges How to combine the two aspects of our goal together?  The straw man solution is trivial: deploy both of them at the same time Why do some people not prefer mixed content?  Man in the Middle Attacks  Stripping Attacks 9

Challenges Man in the Middle Attacks  Unsecure data can be hijacked and threats the secure part 10

Challenges Stripping Attacks 11 Image references from: Defeating-SSL.pdf

Outline Introduction Challenges Solution QoS2 Architecture Evaluation Future works 12

Solution Q: How to combine HTTP and HTTPS? Key observations  Not everything needs to be encrypted  The data that indeed need to be encrypted may NOT need to be cached  HTTPS connections are not well utilized and may be harmful HTTPS handshake can account for over 42% of data exchanged Key idea  Use HTTP for as many objects as possible 13

Solution Classify the Web Content  Public content, can be sent over HTTP The content contains little information  Google logo The content which is the same for all users  Javascript files  Private content, must be sent over HTTPS The content contains personal information  User name, password, etc. 14

Solution Classify the Web Content 15

Solution Employ checksums to prevent tampering of data  Checksums prevent Man in the Middle Attacks compromising the unsecure data  Send checksums over HTTPS channel  Key insight: Checksums are much smaller than data, sending checksum over HTTPS incurs minimal costs 16

Outline Introduction Challenges Solution QoS2 Architecture Evaluation Future works 17

QoS2 Architecture 18

QoS2 Architecture Server Side  Tags content as either private or public Tags determine which content is sent over HTTP or HTTPS.  Calculates and maintains a checksum for each content that is tagged as public Checksums enable verification of an object’s integrity.  Maintains two connections with every client A secure connection (over HTTPS) and an unsecure one (over HTTP). The server uses the secure connection to transfer the checksums. This ensures that the checksums are not tampered with. 19

QoS2 Architecture Client Side  Uses the checksum to verify the integrity of unencrypted data 20

Outline Introduction Challenges Solution QoS2 Architecture Validation Evaluation Future works 21

Validation The time to calculate checksum  Pre-calculated Eliminate latency overheads Result in stale checksums  Calculated on-demand Guarantee freshness Incur latency overheads Our choice: Pre-calculated 22

Validation Do object change frequently?  If yes – Pre-calculating checksum makes no sense, we have to calculate it almost every time retrieving the data  If no – Pre-calculation is reasonable Experiment setup  30 days  135 javascript files 23

Validation 24

Validation 25

Validation Result  Most objects rarely change, only 6 out of the 135 objects examined changed (less than 5%)  For those that do change, we observe that they in-fact change very frequently with approximately 50% of them changing everyday For most objects, pre-calculation is reasonable 26

Outline Introduction Challenges Solution QoS2 Architecture Evaluation Future works 27

Evaluation Experiment Setup  We compare the load time for varying latencies to the origin server and potential proxies.  The public and private are each hosted on a 2.00 GHz server with 16 GB of RAM  The web servers and the browsing client are all interconnected through a 1G Local Area Network  Latencies follow distribution from Pings to Alexa Top 100 servers. We set the latency at three points: 10%, median and 95% Linux tc command 28

Evaluation 29

Evaluation Gain at least a 20% performance improvement in low latency networks and as much as 70% in high latency networks The improvements are function of both the dependencies between objects and the size of the public objects 30

Outline Introduction Challenges Solution QoS2 Architecture Evaluation Future works 31

Future works Enhance the Nginx and Apache platforms to support QoS2 Implement checksum verification in a browser Enhance the protocol to disambiguate between stale checksums and attacks on the HTTP channel Compare with QUIC protocol 32

Thank you! Questions? 33