Widespread growth of open wireless hotspots has made it easy to carry out man-in-the-middle attacks and impersonate web sites. Although HTTPS can be used to prevent such attacks, its universal adoption is hindered by its performance cost and its inability to leverage caching at intermediate servers (such as CDN servers and caching proxies) while maintaining end-to-end security. To complement HTTPS, we revive an old idea from SHTTP, a protocol that offers end-to-end web integrity without confidentiality. We name the protocol HTTPi and give it an efficient design that is easy to deploy for today's web. In particular, we tackle several previously unidentified challenges, such as supporting progressive page loading on the client's browser, handling mixed content, and defining access control policies among HTTP, HTTPi, and HTTPS content from the same domain. Our prototyping and evaluation experience shows that HTTPi incurs negligible performance overhead over HTTP, can leverage existing web infrastructure such as CDNs or caching proxies without any modifications to them, and can make many of the mixed-content problems in existing HTTPS web sites easily go away. Based on this experience, we advocate that browser and web server vendors adopt HTTPi.