Download (pdf): http://project-iris.net/irisbib/papers/ssl-splitting:security2003/paper.pdf
SSL splitting: securely serving data from untrusted caches

Abstract:

A popular technique for reducing the bandwidth load on Web servers is to serve content from proxies. Typically these hosts are trusted by the clients and the server not to modify the data they proxy. SSL splitting is a new technique for guaranteeing the integrity of data served from proxies without requiring changes to Web clients. Instead of relaying an insecure HTTP connection, an SSL splitting proxy simulates a normal Secure Sockets Layer (SSL) [7] connection with the client by merging authentication records from the server with data records from a cache. This reduces the bandwidth load on the server while allowing an unmodified Web browser to verify that the data served from proxies is endorsed by the originating server. SSL splitting is implemented as a patch to the industry-standard OpenSSL library, with which the server is linked. In experiments replaying two-hour access.log traces taken from LCS Web sites over an ADSL link, SSL splitting reduces the server's bandwidth consumption by between 25% and 90%, depending on the warmth of the cache and the redundancy of the trace. Uncached requests forwarded through the proxy exhibit latencies within approximately 5% of those of an unmodified SSL server.
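The merging step in the abstract (server supplies the authentication record, the cache supplies the data record, the client verifies as if it were talking to the server) can be simulated end to end. The block below is an added illustration written for this page, not the paper's OpenSSL patch. It assumes a simplified TLS-style HMAC-SHA1 record MAC rather than the exact SSL 3.0 MAC construction, a SHA-1 digest as the short content identifier the server sends in place of the payload, a MAC-only record with no encryption (the setting in which a keyless proxy can supply cached plaintext at all), an in-process call for cache misses, and constructed sample documents and keys. The proxy never holds the MAC key, so it can serve cached bytes but cannot forge or alter them; the demo also shows a tampering proxy being rejected by the client.

```python
import hashlib
import hmac
import struct

# Constructed session MAC key shared by server and client only; the proxy never sees it.
MAC_KEY = b"constructed-session-mac-key"
MAC_LEN = 20                      # HMAC-SHA1 output length
RECORD_TYPE_APPDATA = 23
RECORD_VERSION = (3, 1)           # TLS 1.0 wire version, for illustration only


def record_mac(mac_key: bytes, seq: int, payload: bytes) -> bytes:
    """Simplified TLS-style record MAC over seq || type || version || length || fragment.
    (SSL 3.0's own MAC construction differs; the splitting idea is identical.)"""
    header = struct.pack("!QBBBH", seq, RECORD_TYPE_APPDATA, *RECORD_VERSION, len(payload))
    return hmac.new(mac_key, header + payload, hashlib.sha1).digest()


def content_id(payload: bytes) -> bytes:
    """Assumed short identifier the server sends instead of the payload: SHA-1 of the data."""
    return hashlib.sha1(payload).digest()


class Server:
    """Holds the MAC key and the documents; emits stub records (seq, id, MAC) with no payload."""

    def __init__(self, mac_key: bytes, documents: dict):
        self.mac_key = mac_key
        self.documents = documents
        self.seq = 0
        self.bytes_sent = 0       # bandwidth the server actually spends

    def send(self, name: str) -> tuple:
        payload = self.documents[name]
        stub = (self.seq, content_id(payload), record_mac(self.mac_key, self.seq, payload))
        self.seq += 1
        self.bytes_sent += 8 + len(stub[1]) + MAC_LEN
        return stub

    def fetch(self, cid: bytes) -> bytes:
        """Proxy cache miss: the server supplies the full payload, paying for it once."""
        for payload in self.documents.values():
            if content_id(payload) == cid:
                self.bytes_sent += len(payload)
                return payload
        raise KeyError("unknown content id")


class Proxy:
    """Untrusted cache: knows no keys; merges cached payloads with the server's MACs."""

    def __init__(self, server: Server):
        self.server = server
        self.cache = {}

    def relay(self, stub: tuple) -> bytes:
        seq, cid, mac = stub
        payload = self.cache.get(cid)
        if payload is None:
            payload = self.server.fetch(cid)
            self.cache[cid] = payload
        header = struct.pack("!BBBH", RECORD_TYPE_APPDATA, *RECORD_VERSION, len(payload) + MAC_LEN)
        return header + payload + mac


class Client:
    """Unmodified-client behaviour: verify each record's MAC with the session key or reject it."""

    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.seq = 0

    def receive(self, record: bytes) -> bytes:
        _rtype, _major, _minor, length = struct.unpack("!BBBH", record[:5])
        body = record[5:5 + length]
        payload, mac = body[:-MAC_LEN], body[-MAC_LEN:]
        if not hmac.compare_digest(mac, record_mac(self.mac_key, self.seq, payload)):
            raise ValueError("bad record mac")
        self.seq += 1
        return payload


def run_demo() -> dict:
    docs = {"index.html": b"<html>constructed sample page</html>" * 50}   # constructed document
    server, client = Server(MAC_KEY, docs), Client(MAC_KEY)
    proxy = Proxy(server)

    first = client.receive(proxy.relay(server.send("index.html")))     # cache miss
    miss_bytes = server.bytes_sent
    second = client.receive(proxy.relay(server.send("index.html")))    # cache hit: stub only
    hit_bytes = server.bytes_sent - miss_bytes

    # A malicious proxy substitutes its own bytes for the cached payload; the MAC exposes it.
    evil = Proxy(server)
    evil.cache[content_id(docs["index.html"])] = b"<html>tampered</html>"
    try:
        client.receive(evil.relay(server.send("index.html")))
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {"first_ok": first == docs["index.html"], "second_ok": second == docs["index.html"],
            "hit_bytes": hit_bytes, "payload_len": len(docs["index.html"]),
            "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(run_demo())
```

Two caveats follow from the design rather than from this toy. Because the record MAC covers the sequence number, a proxy cannot reorder or replay records within a session either; what it can still do is withhold data, so the scheme gives integrity and availability is out of scope. And since the proxy must see plaintext to serve it from cache, the technique only fits content that is public anyway; it adds no confidentiality.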

Citations

Freenet: A Distributed Anonymous Information Storage and Retrieval System – Clarke, Sandberg, et al. – 2000
OceanStore: An architecture for global-scale persistent storage – Kubiatowicz, Bindel, et al. – 2000
Wide-area cooperative storage with CFS – Dabek, Kaashoek, et al. – 2001
Storage management and caching in PAST, a large-scale, persistent peer-to-peer storage utility – Rowstron, Druschel – 2001
Overcast: Reliable Multicasting with an Overlay Network – Jannotti, Gifford, et al. – 2000
Peer-to-Peer: Harnessing the Power of Disruptive Technologies, chapters 2 and 8 – Oram (ed.), O'Reilly – 2001
Fast and secure distributed read-only file system – Fu, Kaashoek, et al. – 2000
Squirrel: A decentralized, peer-to-peer web cache – Iyer, Rowstron, et al. – 2002
On the Use and Performance of Content Distribution Networks – Krishnamurthy, Wills, et al. – 2001
The Secure HyperText Transfer Protocol. RFC 2660 – Rescorla, Schiffman – 1999
Web caching with consistent hashing – Karger, Sherman, et al. – 1999
The SSL protocol version 3.0. Internet Draft – Freier, Karlton, et al. – 1996
Squid Internet object cache. http://squid.nlanr.net/Squid – Wessels – 1998
Data Staging on Untrusted Surrogates – Flinn, Sinnamohideen, et al. – 2003
Internet X.509 public key infrastructure (PKI) proxy certificate profile – Tuecke, Welch, et al.
Fast-Track Session Establishment for TLS – Shacham, Boneh – 2002
Known CN request-routing mechanisms. draft-ietf-cdi-known-request-routing-02.txt, Network Working Group – Cain, Barbir, et al. – 2002
The TLS protocol version 1.1. draft-ietf-tls-rfc2246-bis-04.txt, Network Working Group – Dierks, Rescorla – 2003
MySQL database server. http://www.mysql.com – MySQL AB
HTTP over TLS. RFC 2818, Network Working Group – Rescorla – 2000
The design and implementation of WASP: a wide-area secure proxy – Modadugu, Goh – 2002
RPM software packaging tool. http://www.rpm.org