Low-cost SSL proxy could bring cheaper, faster security; defeat threats like Firesheep

Researchers have found a cheaper, faster way to process SSL/TLS with off-the-shelf hardware, a development that could let more Web sites shut down cyber threats posed by the likes of the Firesheep hijacking tool.

The technology, dubbed SSLShading, shows how SSL proxies based on commodity hardware can protect Web servers without slowing down transactions, according to a presentation scheduled at the USENIX Symposium on Networked Design and Implementation in Boston March 30 through April 1.

SSL/TLS -- the cryptographic protocols used to protect online Web transactions -- encrypts traffic from visitors' machines all the way to Web servers. That makes it impossible to pick up data such as session cookies by preying on unencrypted wireless networks, which is what Firesheep does.

Based on an algorithm devised by researchers in Korea and the U.S., SSLShading is software that directs SSL traffic being proxied either to a CPU or a graphics processing unit (GPU), whichever is most appropriate to handle the current load. The researchers will discuss the algorithm in their paper "SSLShader: Cheap SSL Acceleration with Commodity Processors."

FOR MORE ON ALGORITHMS: 15 genius algorithms that aren't boring

"The key idea is to send all requests to CPU when the number of pending cryptographic operations is small enough to be handled by CPU," the research team says in an earlier paper. "If requests begin to pile up in the queue, then the algorithm offloads cryptographic operations to GPUs and benefits from parallel execution for high throughput."

SSL transactions per second (TPS) using just the CPU on the test servers totaled 3,632 in one experiment, the researchers stated. Using the proxy GPU and their algorithm yielded 18,482 TPS. The group used an Intel Xeon X5550 CPU ($260) with four cores and an NVIDIA GTX 480 graphic card with 480 cores.

SSLShader still has some shortcomings, the most notable of which is that he GPU processing works well for transactions under 1MB, but for larger transactions, the CPU works better because of the overhead of copying when the proxy is in place, according to the researcher's overview of SSLShader.

Another problem is that the Linux kernel used on the server has a networking stack that doesn't scale well to take advantage of multiple CPU cores, the researchers say.

The researchers say they plan to make their software available, but didn't say when. The team consists of Keon Jang, Sangjin Han, Sue Moon and KyoungSoo Park, all of KAIST in Korea, and Seungyeop Han of the University of Washington.

One of the traditional obstacles to using SSL to protect Web sites is the extra processing demand and its associated costs, says John Pironti, president of IP Architects, a security consulting firm, and the security track chairman for Interop. "The infrastructure costs to enable SSL can be challenging," he says, depending on the size and complexity of the deployment.

As processors get more powerful and less expensive per cycle, cost isn't as much of an issue, he says, if the SSL is designed into the infrastructure at the start. "It's less costly than adding it on later," he says.

There are barriers to implementing SSL on sites other than the hardware costs and performance, says PayPal CISO Michael Barrett. All of PayPal's site content is SSL-protected, and getting there involved more than just processing. "It can cause quite a bit of pain from an application perspective," he says.

For instance, if an application assumes it always operates under unsecured HTTP, it will try to redirect browsers to HTTP. In order to fix the problem, businesses may have to recode the offending applications, he says. That can lead to inefficiencies if HTTP requests are made, and the site reroutes them rerouted to make them HTTPS (SSL/TLS), requiring more round trip communications that introduce delay.

The PayPal site uses the proposed Internet standard HTTP Strict Transport Security (STS), which declares to browsers that Web servers are to be interacted with via HTTPS. The browser remembers so the next time a request is sent to the same URL -- even if it's typed in as HTTP -- it will be sent as HTTPS. So far versions of Firefox and Google Chrome browsers support HTTP STS, and it can be deployed without a negative impact on end users whose browsers don't support it.

Another barrier to SSL is the need to enlist a certificate authority to handle encryption key authentication and to manage the certificates, Barrett says.

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.

Tags firewallsNetworkingsecurityvpnSSL

More about GoogleIntelInteropISOLANLinuxPayPal

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tim Greene

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts