Title
Practical end-to-end web content integrity
Abstract
Widespread growth of open wireless hotspots has made it easy to carry out man-in-the-middle attacks and impersonate web sites. Although HTTPS can be used to prevent such attacks, its universal adoption is hindered by its performance cost and its inability to leverage caching at intermediate servers (such as CDN servers and caching proxies) while maintaining end-to-end security. To complement HTTPS, we revive an old idea from SHTTP, a protocol that offers end-to-end web integrity without confidentiality. We name the protocol HTTPi and give it an efficient design that is easy to deploy for today's web. In particular, we tackle several previously-unidentified challenges, such as supporting progressive page loading on the client's browser, handling mixed content, and defining access control policies among HTTP, HTTPi, and HTTPS content from the same domain. Our prototyping and evaluation experience show that HTTPi incurs negligible performance overhead over HTTP, can leverage existing web infrastructure such as CDNs or caching proxies without any modifications to them, and can make many of the mixed-content problems in existing HTTPS web sites easily go away. Based on this experience, we advocate browser and web server vendors to adopt HTTPi.
Year: 2012
DOI: 10.1145/2187836.2187926
Venue: WWW
Keywords: protocol httpi, impersonate web site, caching proxy, mixed content, end-to-end security, web site, web server vendor, practical end-to-end web content, end-to-end web integrity, evaluation experience show, existing web infrastructure, man in the middle attack, web security
Field: Web development, XMLHttpRequest, Web API, World Wide Web, Computer science, Computer security, Server, Web application security, Web service, Web content, Web server
DocType: Conference
Citations: 5
PageRank: 0.57
References: 15
Authors: 5
Name
Order
Citations
PageRank
Kapil Singh124514.63
Helen J. Wang23387250.48
Alex Moshchuk382760.52
Collin Jackson4121294.00
Wenke Lee59351628.83