12th USENIX Security Symposium Abstract
Pp. 187-200 of the Proceedings
SSL Splitting: Securely Serving Data from Untrusted Caches
Chris Lesniewski-Laas and M. Frans Kaashoek, Massachusetts Institute of Technology
A popular technique for reducing the bandwidth load on Web servers is
to serve the content from proxies. Typically these hosts are
trusted by the clients and server not to modify the data that they
proxy. SSL splitting is a new technique for guaranteeing the
integrity of data served from proxies without requiring changes to
Web clients. Instead of relaying an insecure HTTP connection, an
SSL splitting proxy simulates a normal Secure Sockets Layer
(SSL)  connection with the client by merging
authentication records from the server with data records from a cache.
This technique reduces the bandwidth load on the server, while
allowing an unmodified Web browser to verify that the data served from
proxies is endorsed by the originating server.
SSL splitting is implemented as a patch to the
industry-standard OpenSSL library, with which the server is
linked. In experiments replaying two-hour access.log traces
taken from LCS Web sites over an ADSL link, SSL splitting reduces
bandwidth consumption of the server by between 25% and 90% depending
on the warmth of the cache and the redundancy of the trace. Uncached
requests forwarded through the proxy exhibit latencies within
approximately 5% of those of an unmodified SSL server.
- View the full text of this paper in HTML and
Until August 2004, you will need your USENIX membership identification in order to access the full papers. The Proceedings are published as a collective work, © 2003 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.
- If you need the latest Adobe Acrobat Reader, you can download it from Adobe's site.