Handbook of Applied Cryptography
Efficient Authentication and Signing of Multicast Streams over Lossy Channels
SP '00 Proceedings of the 2000 IEEE Symposium on Security and Privacy
Performance analysis of TLS Web servers
ACM Transactions on Computer Systems (TOCS)
Detecting in-flight page changes with web tripwires
NSDI'08 Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation
Proceedings of the 18th international conference on World wide web
ICICS'07 Proceedings of the 9th international conference on Information and communications security
Integrity of the web content: the case of online advertising
CollSec'10 Proceedings of the 2010 international conference on Collaborative methods for security and privacy
Practical end-to-end web content integrity
Proceedings of the 21st international conference on World Wide Web
HTTPS is the standard protocol for protecting information sent over the World Wide Web. However, HTTPS adds substantial overhead to servers, clients, and networks [1, 2]. As a result, website owners often pass on HTTPS and resort to HTTP alone for hosting websites, leaving clients and servers vulnerable to attacks [3, 4]. Techniques have been proposed to enable only authentication and integrity of HTTP (response) data [2, 5-7]. However, they all suffer from vulnerabilities and poor performance. In this paper, we propose iHTTP, a new approach for enabling lightweight, efficient authentication and verification of HTTP (response) data. We adaptively handle different data encodings to allow for better performance without affecting user experience. We introduce a novel technique, Sliding-Timestamps, to allow iHTTP clients to authenticate the freshness of response data to prevent replay attacks and amortize signing costs. We also introduce Opportunistic Hash Verification to reduce the client public key operations required to authenticate full web pages. We show in our experimental evaluation that iHTTP provides similar performance to HTTP, and higher throughput and lower maximum response time than HTTPS and HTTPi, the most recent HTTP authentication approach [7], for Client-Static data.