Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou [email protected] CS Dept.,...
-
Upload
jade-wilkinson -
Category
Documents
-
view
217 -
download
1
Transcript of Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou [email protected] CS Dept.,...
![Page 1: Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou zzy@cs.duke.edu CS Dept., Duke University @Duke University @Duke University.](https://reader035.fdocuments.in/reader035/viewer/2022081603/56649e2a5503460f94b18a1d/html5/thumbnails/1.jpg)
Towards a Safe Towards a Safe Playground for HTTPS Playground for HTTPS and Middle-Boxes with and Middle-Boxes with
QoS2 QoS2 Zhenyu Zhou
CS Dept., Duke University
@Duke University@Duke UniversityMay, 2015
![Page 2: Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou zzy@cs.duke.edu CS Dept., Duke University @Duke University @Duke University.](https://reader035.fdocuments.in/reader035/viewer/2022081603/56649e2a5503460f94b18a1d/html5/thumbnails/2.jpg)
Outline Introduction Challenges Solution QoS2 Architecture Evaluation Future works
2
![Page 3: Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou zzy@cs.duke.edu CS Dept., Duke University @Duke University @Duke University.](https://reader035.fdocuments.in/reader035/viewer/2022081603/56649e2a5503460f94b18a1d/html5/thumbnails/3.jpg)
Introduction HTTPS
HTTP on top of SSL/TLS Safe – Prevailed nowadays
Over 50% traffic!
But does the “S” come for free?
3Image references from: https://www.hallaminternet.com/2015/migrating-website-http-https/
![Page 4: Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou zzy@cs.duke.edu CS Dept., Duke University @Duke University @Duke University.](https://reader035.fdocuments.in/reader035/viewer/2022081603/56649e2a5503460f94b18a1d/html5/thumbnails/4.jpg)
Introduction Is the “S” free?
No!
Page Load Time (PLT) More RTTs for establishing connections Key exchange Decryption/Encryption
4Image references from: http://blogs.msdn.com/b/kaushal/archive/2013/08/03/ssl-handshake-and-https-bindings-on-iis.aspx
![Page 5: Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou zzy@cs.duke.edu CS Dept., Duke University @Duke University @Duke University.](https://reader035.fdocuments.in/reader035/viewer/2022081603/56649e2a5503460f94b18a1d/html5/thumbnails/5.jpg)
Introduction
5
Ka Kb
Cache
Not Hit!!
Ka Kb
![Page 6: Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou zzy@cs.duke.edu CS Dept., Duke University @Duke University @Duke University.](https://reader035.fdocuments.in/reader035/viewer/2022081603/56649e2a5503460f94b18a1d/html5/thumbnails/6.jpg)
Introduction All-or-nothing choice nowadays
HTTP – Quick, but not safe HTTPS – Safe, but not quick
Trade-off Make the Internet Quick and Of course Safe, Too
6
![Page 7: Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou zzy@cs.duke.edu CS Dept., Duke University @Duke University @Duke University.](https://reader035.fdocuments.in/reader035/viewer/2022081603/56649e2a5503460f94b18a1d/html5/thumbnails/7.jpg)
Introduction Our overall goal
Short load time and low overhead Leverage the benefits of HTTP
Simple High efficiency
Security is not compromised Serve the objects via HTTPS
Ensure security
7
![Page 8: Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou zzy@cs.duke.edu CS Dept., Duke University @Duke University @Duke University.](https://reader035.fdocuments.in/reader035/viewer/2022081603/56649e2a5503460f94b18a1d/html5/thumbnails/8.jpg)
Outline Introduction Challenges Solution QoS2 Architecture Evaluation Future works
8
![Page 9: Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou zzy@cs.duke.edu CS Dept., Duke University @Duke University @Duke University.](https://reader035.fdocuments.in/reader035/viewer/2022081603/56649e2a5503460f94b18a1d/html5/thumbnails/9.jpg)
Challenges How to combine the two aspects of our goal together?
The straw man solution is trivial: deploy both of them at the same time
Why do some people not prefer mixed content? Man in the Middle Attacks Stripping Attacks
9
![Page 10: Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou zzy@cs.duke.edu CS Dept., Duke University @Duke University @Duke University.](https://reader035.fdocuments.in/reader035/viewer/2022081603/56649e2a5503460f94b18a1d/html5/thumbnails/10.jpg)
Challenges Man in the Middle Attacks
Unsecure data can be hijacked and threats the secure part
10
![Page 11: Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou zzy@cs.duke.edu CS Dept., Duke University @Duke University @Duke University.](https://reader035.fdocuments.in/reader035/viewer/2022081603/56649e2a5503460f94b18a1d/html5/thumbnails/11.jpg)
Challenges Stripping Attacks
11Image references from: https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
![Page 12: Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou zzy@cs.duke.edu CS Dept., Duke University @Duke University @Duke University.](https://reader035.fdocuments.in/reader035/viewer/2022081603/56649e2a5503460f94b18a1d/html5/thumbnails/12.jpg)
Outline Introduction Challenges Solution QoS2 Architecture Evaluation Future works
12
![Page 13: Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou zzy@cs.duke.edu CS Dept., Duke University @Duke University @Duke University.](https://reader035.fdocuments.in/reader035/viewer/2022081603/56649e2a5503460f94b18a1d/html5/thumbnails/13.jpg)
Solution Q: How to combine HTTP and HTTPS?
Key observations Not everything needs to be encrypted The data that indeed need to be encrypted may NOT need to be
cached HTTPS connections are not well utilized and may be harmful
HTTPS handshake can account for over 42% of data exchanged
Key idea Use HTTP for as many objects as possible
13
![Page 14: Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou zzy@cs.duke.edu CS Dept., Duke University @Duke University @Duke University.](https://reader035.fdocuments.in/reader035/viewer/2022081603/56649e2a5503460f94b18a1d/html5/thumbnails/14.jpg)
Solution Classify the Web Content
Public content, can be sent over HTTP The content contains little information
Google logo
The content which is the same for all users Javascript files
Private content, must be sent over HTTPS The content contains personal information
User name, password, etc.
14
![Page 15: Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou zzy@cs.duke.edu CS Dept., Duke University @Duke University @Duke University.](https://reader035.fdocuments.in/reader035/viewer/2022081603/56649e2a5503460f94b18a1d/html5/thumbnails/15.jpg)
Solution Classify the Web Content
15
![Page 16: Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou zzy@cs.duke.edu CS Dept., Duke University @Duke University @Duke University.](https://reader035.fdocuments.in/reader035/viewer/2022081603/56649e2a5503460f94b18a1d/html5/thumbnails/16.jpg)
Solution Employ checksums to prevent tampering of data
Checksums prevent Man in the Middle Attacks compromising the unsecure data
Send checksums over HTTPS channel Key insight:
Checksums are much smaller than data, sending checksum over HTTPS incurs minimal costs
16
![Page 17: Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou zzy@cs.duke.edu CS Dept., Duke University @Duke University @Duke University.](https://reader035.fdocuments.in/reader035/viewer/2022081603/56649e2a5503460f94b18a1d/html5/thumbnails/17.jpg)
Outline Introduction Challenges Solution QoS2 Architecture Evaluation Future works
17
![Page 18: Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou zzy@cs.duke.edu CS Dept., Duke University @Duke University @Duke University.](https://reader035.fdocuments.in/reader035/viewer/2022081603/56649e2a5503460f94b18a1d/html5/thumbnails/18.jpg)
QoS2 Architecture
18
![Page 19: Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou zzy@cs.duke.edu CS Dept., Duke University @Duke University @Duke University.](https://reader035.fdocuments.in/reader035/viewer/2022081603/56649e2a5503460f94b18a1d/html5/thumbnails/19.jpg)
QoS2 Architecture Server Side
Tags content as either private or public Tags determine which content is sent over HTTP or
HTTPS.
Calculates and maintains a checksum for each content that is tagged as public Checksums enable verification of an object’s integrity.
Maintains two connections with every client A secure connection (over HTTPS) and an unsecure one (over HTTP). The
server uses the secure connection to transfer the checksums. This ensures that the checksums are not tampered with.
19
![Page 20: Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou zzy@cs.duke.edu CS Dept., Duke University @Duke University @Duke University.](https://reader035.fdocuments.in/reader035/viewer/2022081603/56649e2a5503460f94b18a1d/html5/thumbnails/20.jpg)
QoS2 Architecture Client Side
Uses the checksum to verify the integrity of unencrypted data
20
![Page 21: Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou zzy@cs.duke.edu CS Dept., Duke University @Duke University @Duke University.](https://reader035.fdocuments.in/reader035/viewer/2022081603/56649e2a5503460f94b18a1d/html5/thumbnails/21.jpg)
Outline Introduction Challenges Solution QoS2 Architecture Evaluation Future works
27
![Page 22: Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou zzy@cs.duke.edu CS Dept., Duke University @Duke University @Duke University.](https://reader035.fdocuments.in/reader035/viewer/2022081603/56649e2a5503460f94b18a1d/html5/thumbnails/22.jpg)
Evaluation Experiment Setup
We compare the load time for varying latencies to the origin server and potential proxies.
The public and private are each hosted on a 2.00 GHz server with 16 GB of RAM
The web servers and the browsing client are all interconnected through a 1G Local Area Network
Latencies follow distribution from Pings to Alexa Top 100 servers. We set the latency at three points: 10%, median and 95% Linux tc command
28
![Page 23: Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou zzy@cs.duke.edu CS Dept., Duke University @Duke University @Duke University.](https://reader035.fdocuments.in/reader035/viewer/2022081603/56649e2a5503460f94b18a1d/html5/thumbnails/23.jpg)
Evaluation
29
![Page 24: Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou zzy@cs.duke.edu CS Dept., Duke University @Duke University @Duke University.](https://reader035.fdocuments.in/reader035/viewer/2022081603/56649e2a5503460f94b18a1d/html5/thumbnails/24.jpg)
Evaluation Gain at least a 20% performance improvement in low
latency networks and as much as 70% in high latency networks
The improvements are function of both the dependencies between objects and the size of the public objects
30
![Page 25: Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou zzy@cs.duke.edu CS Dept., Duke University @Duke University @Duke University.](https://reader035.fdocuments.in/reader035/viewer/2022081603/56649e2a5503460f94b18a1d/html5/thumbnails/25.jpg)
Outline Introduction Challenges Solution QoS2 Architecture Evaluation Future works
31
![Page 26: Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou zzy@cs.duke.edu CS Dept., Duke University @Duke University @Duke University.](https://reader035.fdocuments.in/reader035/viewer/2022081603/56649e2a5503460f94b18a1d/html5/thumbnails/26.jpg)
Future works Enhance the Nginx and Apache platforms to support
QoS2
Implement checksum verification in a browser
Enhance the protocol to disambiguate between stale
checksums and attacks on the HTTP channel
Compare with QUIC protocol
32
![Page 27: Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou zzy@cs.duke.edu CS Dept., Duke University @Duke University @Duke University.](https://reader035.fdocuments.in/reader035/viewer/2022081603/56649e2a5503460f94b18a1d/html5/thumbnails/27.jpg)
Thank you!
Questions?
33