Idea for making SSL more efficient [summary]

[Paul Johnston <paul () westpoint ltd uk>]

Hi,

Well this sure stirred things up! Most comments were negative towards 
the idea although a couple of people liked it.

The most common objection was that the server load issue could be solved 
using an SSL accelerator. While this does reduce the actual load, it 
does nothing about bandwidth - in principle my suggestion could reduce 
bandwidth. Although as MH pointed out, it would be wise to benchmark 
this before making any claims. Perhaps the browser's cache manages to 
save about 90% of image downloads, so there's little benefit to be had 
from ISP caches. HSJ pointed out that ideally HTTPS content should not 
make excessive use of inline images, although he didn't (IMO) justify 
this point of view.

Several people confirmed that this approach only protects integrity, not 
confidentiality or availability. (SSL protects both confidentiality and 
integrity, although not availability). A couple of people questioned the 
security of SSL itself, suggesting MITM attacks. While there may be some 
merit to these claims, I can't see something better than SSL coming 
along any time soon.

KS claimed this would require huge changes to browsers and proxy 
software. Absolutely it would require changes to browsers, but I don't 
think any changes to proxies. The browser fetches the image through the 
cache as normal. In the (very rare) case it doesn't match the checksum, 
it tries again with a "must revalidate" instruction. VS considered using 
img tags like this:

<img src="https://myserver/mypic.jpg"; supersrc="http://myserver/mypic.jpg"; hash="agqwe54">

but pointed out this would increase the page size. It would however, 
give a smooth changeover in that current browsers would just use https 
as normal, but browsers supporting this could use http with integrity check.

Several people pointed out that including the hashes would be hassle for 
the developers, and their time is generally expensive compared to 
hardware. Ultimately I think this is probably what kills the idea, 
although I point out that many web developers already have a system to 
automatically include width and height tags; these could be extended to 
do the hash tag.

In conclusion, I think benchmarking needs to be done before any claims 
can be made of this, and I don't have the time to do so. If browers did 
support it I image the feature would be used by some sites, but it's 
probably not enough of a win to get widespread adoption.

Thanks for all your input.

Best wishes,

Paul

--
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul () westpoint ltd uk
web: www.westpoint.ltd.uk