Website Security: HTTPA over HTTPS

Hypertext Transfer Protocol Secure (HTTPS) is quickly becoming a more popular internet protocol than HTTP for website and application connections. While HTTPS is fast and secure, it must execute code in a trusted execution environment (TEE).

Intel staffers Gordon King and Hans Wang have proposed a new protocol called HTTPS-Attestable (HTTPA) that will improve on HTTPS by eliminating the requirement for a TEE on the client side. King and Wang describe HTTPA in a paper distributed through ArXiv in October 2021.

HTTPS

HTTPS is an extension of HTTP that’s widely used for secure communication over a network, especially the internet. It originally used Secure Sockets Layer (SSL) to encrypt data, although it now uses Transport Layer Security (TLS). HTTPS is therefore also known as HTTP over TLS or HTTP over SSL. The general purposes of HTTPS are to authenticate websites that the user accesses and protect the privacy of the exchanged data while it’s in transit between client and server. Specifically, HTTPS uses bidirectional encryption to protect communications from eavesdropping and tampering, including man-in-the-middle attacks.

HTTPS requires a trusted third party to sign digital certificates on the server side, which has historically been an expensive operation. As a result, HTTPS has been used mostly on secured corporate information systems like payment transaction services. However, a partnership between the Electronic Frontier Foundation and web browser developers successfully campaigned to increase HTTPS’s prevalence in 2016. Within five years, websites were using HTTPS more often than HTTP, especially for protecting page authenticity.

HTTPA

HTTPA uses remote attestation to improve on the security of HTTPS. This technique provides applications with assurance that trusted software in a server-side TEE is handling the data through the use of certificates or cryptographic methods. HTTPA ensures that the expected code is running and that it hasn’t been modified by an administrator, process or tool, all of which are possible sources of malicious actions.

A TEE is an area of memory that allows an application to perform computations on sensitive data. ARM and Intel both offer hardware-based TEEs, TrustZone and Software Guard Extension (SGX) respectively. King and Wang note in their paper that SGX provides in-memory encryption, which helps protect runtime computations by reducing the risk of modifications and leaking of sensitive data. HTTPA also uses remote attestation to protect vendor identity, verification identity and trusted computing base (TCB) identity.

Benefits

The primary benefit of HTTPA is that performing computations on server-side TEEs and providing web clients with verification that this was done increases the security of web services. Clients currently have no way of verifying that a server hasn’t been hijacked, leaving open the possibility that its data has been maliciously modified.

HTTPA also allows web services to confirm that the client’s workload is running inside a TEE with protected code. However, HTTPA only protects the application, not the server itself. In addition, it involves extending the HTTPS handshake to include the attestation, consisting of the HTTP request and response for the preflight, attest and trusted sessions.

HTTPA is a general solution for standardizing attestation over HTTPS. It also protects and manages requested data for HTTP domains by establishing multiple trusted connections. In addition, HTTPA leverages HTTPS, making it less complex than other approaches to improving the security of HTTPS.

 

SSL flickr photo by EpicTop10.com shared under a Creative Commons (BY) license