|
SSL splitting: securely serving data from untrusted caches
Chris Lesniewski-Laas and M. Frans Kaashoek
Journal of Computer Networks,
volume 48 (5) pages 763-779,
Elsevier, August 2005
Abstract
A popular technique for reducing the bandwidth load on Web servers is to serve
the content from proxies. Typically these hosts are trusted by the clients and
server not to modify the data that they proxy. SSL splitting is a new technique
for guaranteeing the integrity of data served from proxies without requiring
changes to Web clients. Instead of relaying an insecure HTTP connection, an SSL
splitting proxy simulates a normal Secure Sockets Layer (SSL) connection with
the client by merging authentication records from the server with data records
from a cache. This technique reduces the bandwidth load on the server, while
allowing an unmodified Web browser to verify that the data served from proxies
is endorsed by the originating server. SSL splitting is implemented as a patch
to the industry-standard OpenSSL library, with which the server is linked. In
experiments replaying two-hour access.log traces taken from LCS Web
sites over an ADSL link, SSL splitting reduces bandwidth consumption of the
server by between 25% and 90% depending on the warmth of the cache and the
redundancy of the trace. Uncached requests forwarded through the proxy exhibit
latencies within approximately 5% of those of an unmodified SSL server.
|
|
