When HTTPS Meets CDN: A Case of Authentication in Delegated Service

Liang, Jie; Jiang, Jingjie; Duan, Haixin; Li, Kang; Wan, Tao; Wu, Jianping

doi:10.1109/sp.2014.12

Cited by 93 publications

(74 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In Figure 1 we present the usage distribution of commercial CDN providers among the 32K most popular websites (according to Alexa website-popularity rank [5]). 1 Line 1 of Figure 1 confirms earlier studies [24], [27]: most websites do not use CDNs, and furthermore, use of CDN declines for less-popular sites (from the 2000 place onwards). Note that larger organizations often use their own infrastructure instead of an external CDN provider.…”

Section: Cdn Popularitysupporting

confidence: 83%

“…In particular, the CDN market is dominated by a few providers [24], [27], resulting in a less-competitive market and hence higher costs. To distribute content in face of strong DoS attacks, CDNon-Demand deploys proxy servers on multiple Infrastructureas-a-Service (IaaS) cloud providers, optimizing resource use to minimize expenses.…”

Section: Cdn Popularitymentioning

confidence: 99%

“…In order to securely use such less expensive -and less trusted -providers, CDN-on-Demand does not require entrusting providers with the website's private key or certificate. This also solves an important concern with CDNs [24]. We achieve this property by protecting the website content, delivered to clients from CDN-on-Demand, using a novel clientless secure-objects mechanism.…”

Section: Cdn Popularitymentioning

confidence: 99%

“…Currently, the only contentsecurity mechanism available using standard web clients is HTTPS (i.e., SSL/TLS), securing the communication channel between clients and proxies, but leaving the proxy with complete access to the content. Furthermore, Liang et al [24] show that there are currently two options to support HTTPS connections using CDNs, both problematic. In the first option, the website shares its private key with the CDN; this presents challenges, for example when the website decides to switch to another CDN provider.…”

Section: Cdn Popularitymentioning

confidence: 99%

See 3 more Smart Citations

CDN-on-Demand: An Affordable DDoS Defense via Untrusted Clouds

Gilad

Herzberg

Sudkovitch³

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Abstract-We present CDN-on-Demand, a software-based defense that administrators of small to medium websites install to resist powerful DDoS attacks, with a fraction of the cost of comparable commercial CDN services. Upon excessive load, CDNon-Demand serves clients from a scalable set of proxies that it automatically deploys on multiple IaaS cloud providers. CDN-onDemand can use less expensive and less trusted clouds to minimize costs. This is facilitated by the clientless secure-objects, which is a new mechanism we present. This mechanism avoids trusting the hosts with private keys or user-data, yet does not require installing new client programs. CDN-on-Demand also introduces the origin-connectivity mechanism, which ensures that essential communication with the content-origin is possible, even in case of severe DoS attacks.A critical feature of CDN-on-Demand is in facilitating easy deployment. We introduce the origin-gateway module, which deploys CDN-on-Demand automatically and transparently, i.e., without introducing changes to web-server configuration or website content. We implement CDN-on-Demand and evaluate each component separately as well as the complete system.

show abstract

Section: Cdn Popularitysupporting

confidence: 83%

Section: Cdn Popularitymentioning

confidence: 99%

Section: Cdn Popularitymentioning

confidence: 99%

Section: Cdn Popularitymentioning

confidence: 99%

See 2 more Smart Citations

CDN-on-Demand: An Affordable DDoS Defense via Untrusted Clouds

Gilad

Herzberg

Sudkovitch³

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Other empirical studies of the TLS ecosystem have focused on certificate validation libraries [66], non-browser TLS libraries [67], the interaction of HTTPS with content-delivery networks [68], and TLS implementations in Android apps [69], [70]. Again, these efforts all found widespread weaknesses.…”

Section: B Empirical Studies Of Https and Tlsmentioning

confidence: 99%

Upgrading HTTPS in mid-air: An Empirical Study of Strict Transport Security and Key Pinning

Kranch

Bonneau

2015

Proceedings 2015 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Abstract-We have conducted the first in-depth empirical study of two important new web security features: strict transport security (HSTS) and public-key pinning. Both have been added to the web platform to harden HTTPS, the prevailing standard for secure web browsing. While HSTS is further along, both features still have very limited deployment at a few large websites and a long tail of small, security-conscious sites. We find evidence that many developers do not completely understand these features, with a substantial portion using them in invalid or illogical ways. The majority of sites we observed trying to set an HSTS header did so with basic errors that significantly undermine the security this feature is meant to provide. We also identify several subtle but important new pitfalls in deploying these features in practice. For example, the majority of pinned domains undermined the security benefits by loading non-pinned resources with the ability to hijack the page. A substantial portion of HSTS domains and nearly all pinned domains leaked cookie values, including login cookies, due to the poorly-understood interaction between HTTP cookies and the same-origin policy. Our findings highlight that the web platform, as well as modern web sites, are large and complicated enough to make even conceptually simple security upgrades challenging to deploy in practice.

show abstract

Public-Key Certificate Management and Use Cases

Oorschot

2020

Information Security and Cryptography

View full text Add to dashboard Cite

When HTTPS Meets CDN: A Case of Authentication in Delegated Service

Cited by 93 publications

References 24 publications

CDN-on-Demand: An Affordable DDoS Defense via Untrusted Clouds

CDN-on-Demand: An Affordable DDoS Defense via Untrusted Clouds

Upgrading HTTPS in mid-air: An Empirical Study of Strict Transport Security and Key Pinning

Public-Key Certificate Management and Use Cases

Contact Info

Product

Resources

About