HTTPi for Practical End-to-End Web Content Integrity

Authors

  • Kapil Singh
  • Helen J. Wang
  • Alexander Moshchuk
  • Collin Jackson
  • Wenke Lee
Abstract

Widespread growth of open wireless hotspots has made it easy to carry out man-in-the-middle attacks and impersonate web sites. Although HTTPS can be used to prevent such attacks, its universal adoption is hindered by its performance cost and its inability to leverage caching at intermediate servers (such as CDN servers and caching proxies) while maintaining end-to-end security. To complement HTTPS, we revive an old idea from SHTTP, a protocol that offers end-to-end web integrity without confidentiality. We name the protocol HTTPi and give it an efficient design that is easy to deploy for today’s web. In particular, we tackle several previously-unidentified challenges, such as supporting progressive page loading on the client’s browser, handling mixed content, and defining access control policies among HTTP, HTTPi, and HTTPS content from the same domain. Our prototyping and evaluation experience show that HTTPi incurs negligible performance overhead over HTTP, can leverage existing web infrastructure such as CDNs or caching proxies without any modifications to them, and can make many of the mixed-content problems in existing HTTPS web sites easily go away. Based on this experience, we advocate browser and web server vendors to adopt HTTPi.

Similar resources

HTTP Integrity: A Lite and Secure Web against World Wide Woes

While there is no guarantee of HTTP page integrity, this issue is left unaddressed in discussions of web security. Though HTTPS can be used to solve the HTTP page integrity problem, HTTPS is shunned by web communities due to the performance overheads caused by TLS. Worse yet, HTTPS inherently breaks the distributed nature of the web by disallowing caching. The end-to-end security guarantee of HT...

HTTPI Based Web Service Security over SOAP

Nowadays, a new family of web applications, 'open applications', is emerging (e.g., Social Networking, News and Blogging). Generally, these open applications are non-confidential. The security needs of these applications are only client/server authentication and data integrity. For securing these open applications, effectively and efficiently, HTTPI, a new transport protocol is proposed, whic...

AdJail: Practical Enforcement of Confidentiality and Integrity Policies on Web Advertisements

Web publishers frequently integrate third-party advertisements into web pages that also contain sensitive publisher data and end-user personal data. This practice exposes sensitive page content to confidentiality and integrity attacks launched by advertisements. In this paper, we propose a novel framework for addressing security threats posed by third-party advertisements. The heart of our fram...

Permutation of Httpi and HTTPS in Web Services against Attacks for Security enhancement

The Hyper Text Transfer Protocol (HTTP) protocol plays a vital role in Web Services Security. Though the HTTPs provide excellent security, they are not flexible enough to allow caches. HTTPi provides high integrity and low security whereas HTTPs provide low integrity and high security. The goal of WS activity is to build up set of technologies in order to direct WS to their complete prospective...

A Secure, Publisher-Centric Web Caching Infrastructure

The current Web cache infrastructure, though it has a number of performance benefits, does not address many of the publishers’ requirements. We argue that web caches should be enhanced to address publishers’ needs. For example, caches will need to log client accesses, run scripts to dynamically produce content, and give publishers QoS guarantees. In this paper, we propose Gemini, a publishercen...

Publication date: 2011