29

I just took two university courses on computer security and internet programming. I was thinking about this the other day:

Web cache proxy servers cache popular content from servers on the web. This is useful, for example, if your company has a 1 Gbps network connection internally (including a web cache proxy server), but only a 100 Mbps connection to the internet. The web cache proxy server can serve cached content much more quickly to other computers on the local network.

Now consider TLS-encrypted connections. Can encrypted content be cached in any useful way? There's a great initiative from letsencrypt.org aiming to make all internet traffic encrypted over SSL by default. They are doing this by making it really easy, automated, and free to obtain SSL certificates for your site (starting summer 2015). Considering current yearly costs for SSL certs, FREE is really attractive.

My question is: will HTTPS traffic eventually make web cache proxy servers obsolete? If so, what toll will this take on the load of global internet traffic?

ejsuncy
  • (5) There is a trusted commercial company that has for some years offered free certs for a domain and one subdomain. While I very much appreciate the efforts of the Let's Encrypt project, especially how easy they want to make it, the good karma that I feel StartCom has generated should be recognized. – Paul Dec 25 '14 at 23:03
  • (1) This question almost reads like an advertisement at the moment with the references to Let's Encrypt. – fukawi2 Jan 22 '15 at 04:25
  • @Paul StartCom sold out to WoSign, a company that has backdated certificates in violation of the Baseline Requirements. – Damian Yerrick Sep 12 '17 at 23:21
  • (1) @DamianYerrick I am sorry I disappointed you with my lack of clairvoyance. (The comment was left before the discovery by Mozilla.) – Paul Sep 13 '17 at 01:19
  • Possible duplicate of [Is there any way to cache HTTPS requests in a proxy server?](https://serverfault.com/questions/350967/is-there-any-way-to-cache-https-requests-in-a-proxy-server) – Dan Dascalescu Aug 07 '18 at 22:55

3 Answers

22

Yes, HTTPS will put a damper on network caching.

Specifically because caching HTTPS requires doing a man-in-the-middle-type attack: replacing the SSL certificate with that of the cache server. That certificate will have to be generated on the fly and signed by a local authority.

In a corporate environment you can make all PCs trust your cache server certificates. But other machines will give certificate errors - which they should. A malicious cache could modify the pages easily.

I suspect that sites that use large amounts of bandwidth like video streaming will still send content over regular HTTP specifically so it can be cached. But for many sites better security outweighs the increase in bandwidth.

Grant
  • (1) MITM is a mechanism, not necessarily an attack. If it must be defined as an attack, countless companies are attacking their staff, with fake certs, and bringing them endless headaches with tools not using the Windows certificate store! – Ben Jun 10 '19 at 15:09
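To make the mechanism in this answer concrete, here is an added Go example (it is not code from the answer, from Squid or from any proxy product) that builds an in-memory local CA, mints a certificate for a hostname on the fly the way an intercepting cache would, and then checks it the way a client does: once with the local CA in the trust store (the enrolled corporate PC) and once with an empty trust store (any other machine). The CA name and the hostname are constructed; nothing is written to disk.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// LocalCA is a constructed, in-memory stand-in for the "local authority" that
// signs a cache's on-the-fly certificates; nothing touches disk or a real CA.
type LocalCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// newSerial returns a random positive serial number, as every CA must use.
func newSerial() *big.Int {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 126))
	if err != nil {
		panic(err) // crypto/rand failing is not recoverable here
	}
	return n.Add(n, big.NewInt(1))
}

// NewLocalCA generates the CA key pair and a self-signed CA certificate.
func NewLocalCA() (*LocalCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          newSerial(),
		Subject:               pkix.Name{CommonName: "Example Corp Cache CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &LocalCA{Cert: cert, Key: key}, nil
}

// IssueForHost mints a leaf certificate for host: the per-site step an intercepting cache does at connect time.
func (ca *LocalCA) IssueForHost(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: newSerial(),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ClientAccepts reports whether a client whose trust store is roots would accept
// leaf for host. An empty pool models a device never enrolled with the cache's
// CA; the non-nil error is the "certificate error" its browser would show.
func ClientAccepts(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	ca, err := NewLocalCA()
	if err != nil {
		panic(err)
	}
	leaf, err := ca.IssueForHost("www.example.com")
	if err != nil {
		panic(err)
	}
	enrolled := x509.NewCertPool() // a corporate PC that trusts the cache CA
	enrolled.AddCert(ca.Cert)
	fmt.Println("enrolled PC:     ", ClientAccepts(leaf, "www.example.com", enrolled))
	fmt.Println("unmanaged device:", ClientAccepts(leaf, "www.example.com", x509.NewCertPool()))
}
```

The first check succeeds only because the CA certificate was added to the pool; the second fails with an unknown-authority error, which is exactly the certificate error the answer says non-enrolled machines should see. Anyone holding the CA key can issue a certificate for any hostname, which is why that key deserves the same protection as the cache's content.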
4

Even though HTTPS traffic cannot be proxied in a strict sense ('cause, otherwise, the proxy software would act as a "man in the middle", which is exactly one of the things SSL has been developed to avoid), it's important to remark that common software proxies (like SQUID) can correctly handle HTTPS connections.

This is possible thanks to the HTTP CONNECT method, which SQUID correctly implements. In other words, for any HTTPS request that the proxy receives, it simply "relays" it, without any intervention in the encapsulated, encrypted traffic.

Even if at first this sounds useless, it allows you to have local clients/browsers configured to point to a proxy and, at the same time, to cut any form of Internet connectivity.

So, back to your original question: "will HTTPS traffic eventually make web cache proxy servers obsolete?", my answer is:

  • YES: if you rely on a web proxy only in terms of caching;
  • NO: if you rely on a web proxy for things other than caching (e.g. user authentication, URL logging, etc.).

P.S.: a similar/major problem with HTTPS relates to name-based virtual-host multihoming, which is common in web-hosting solutions but... gets complex when dealing with HTTPS sites (I'm not discussing it in detail, 'cause it's not strictly related to this question).


Damiano Verzulli
  • (2) A proxy can't do URL logging of HTTPS since URLs are also encrypted (the hostname might be unencrypted, if using SNI, but the rest of the URL is always encrypted). – Markus Laire Jan 27 '17 at 12:03
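The CONNECT relay this answer describes, together with the point in the comment above about what such a proxy can and cannot log, as an added Go example (not code from the answer, from Squid or from any other proxy): a minimal proxy parses the CONNECT request, opens the upstream connection, answers 200 and then copies opaque bytes in both directions. Client, proxy and origin are wired together over in-memory net.Pipe connections so it runs offline; the hostname and the "TLS records" payload strings are constructed stand-ins, and the dial function is injected so a real deployment could pass net.Dial instead.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"net/http"
)

// ConnectTarget is all a CONNECT-capable proxy learns in the clear: the host
// and port it was asked to tunnel to. Path, query, headers and body of the
// HTTPS request stay inside the tunnel, so the proxy can neither cache nor log them.
type ConnectTarget struct{ Host, Port string }

// ParseConnect reads one HTTP request and returns the tunnel target if it is
// a CONNECT. A real proxy would route plain-HTTP requests to its cache
// instead; here anything else is simply rejected.
func ParseConnect(r *bufio.Reader) (ConnectTarget, error) {
	req, err := http.ReadRequest(r)
	if err != nil {
		return ConnectTarget{}, err
	}
	if req.Method != http.MethodConnect {
		return ConnectTarget{}, fmt.Errorf("expected CONNECT, got %s", req.Method)
	}
	host, port, err := net.SplitHostPort(req.Host)
	if err != nil {
		return ConnectTarget{}, fmt.Errorf("bad CONNECT target %q: %w", req.Host, err)
	}
	return ConnectTarget{host, port}, nil
}

// ServeConnect handles one proxied HTTPS connection: parse the CONNECT line,
// open the upstream connection through dial (injected so this runs offline),
// answer 200, then copy opaque bytes both ways until a side hangs up.
func ServeConnect(client net.Conn, dial func(host, port string) (net.Conn, error)) (ConnectTarget, error) {
	defer client.Close()
	br := bufio.NewReader(client) // keeps any bytes read past the request
	target, err := ParseConnect(br)
	if err != nil {
		io.WriteString(client, "HTTP/1.1 400 Bad Request\r\n\r\n")
		return ConnectTarget{}, err
	}
	upstream, err := dial(target.Host, target.Port)
	if err != nil {
		io.WriteString(client, "HTTP/1.1 502 Bad Gateway\r\n\r\n")
		return target, err
	}
	io.WriteString(client, "HTTP/1.1 200 Connection Established\r\n\r\n")
	done := make(chan struct{})
	go func() { // client -> origin; the bytes are opaque to the proxy
		io.Copy(upstream, br)
		upstream.Close()
		close(done)
	}()
	io.Copy(client, upstream) // origin -> client
	client.Close()
	<-done
	return target, nil
}

// RunDemo wires client, proxy and origin over in-memory net.Pipe connections
// (constructed stand-ins for sockets) and pushes one exchange through the
// tunnel. It returns what the proxy logged and what each end received.
func RunDemo() (logged ConnectTarget, originGot, clientGot string, err error) {
	const payload = "<TLS records carrying: GET /secret/path HTTP/1.1>\n"
	const reply = "<TLS records carrying: HTTP/1.1 200 OK>\n"
	clientConn, proxyConn := net.Pipe()    // client <-> proxy
	upstreamConn, originConn := net.Pipe() // proxy <-> origin
	gotAtOrigin := make(chan string, 1)
	go func() { // origin: read one line, answer, hang up
		defer originConn.Close()
		line, _ := bufio.NewReader(originConn).ReadString('\n')
		gotAtOrigin <- line
		io.WriteString(originConn, reply)
	}()
	seenByProxy := make(chan ConnectTarget, 1)
	go func() { // proxy, with a dialer that hands back the in-memory pipe
		t, _ := ServeConnect(proxyConn, func(string, string) (net.Conn, error) { return upstreamConn, nil })
		seenByProxy <- t
	}()
	// Client: request the tunnel, wait for the 200, then talk through it.
	cr := bufio.NewReader(clientConn)
	io.WriteString(clientConn, "CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n")
	resp, err := http.ReadResponse(cr, nil)
	if err != nil {
		return ConnectTarget{}, "", "", err
	}
	if resp.StatusCode != http.StatusOK {
		return ConnectTarget{}, "", "", fmt.Errorf("proxy refused tunnel: %s", resp.Status)
	}
	io.WriteString(clientConn, payload)
	clientGot, _ = cr.ReadString('\n')
	clientConn.Close()
	return <-seenByProxy, <-gotAtOrigin, clientGot, nil
}
```

The only value the proxy can write to its access log is the host and port from the CONNECT line; the payload reaches the origin byte-for-byte, so there is nothing for the proxy to cache, rewrite or authenticate at the URL level.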
0

HTTPS defeats some sorts of security which were previously implemented in proxies. Consider that squid can intercept and replace a page with local content (a feature I use quite a lot). I used to catch the links from google searches and have my proxy redirect straight to the link, thus increasing my security by not divulging which links I (or anyone else on my local net who chose to use the proxy) followed to Google. By using https, Google has defeated this aspect of my security (which was, of course, a man in the middle attack). Now I would have to hack the browser code, which is way more effort... and isn't available to other users in the household unless they, also, are happy to run locally hacked browsers.