E. Stark, L.S. Huang, D. Israni, C. Jackson, D. Boneh
Citation
E. Stark, L.S. Huang, D. Israni, C. Jackson, D. Boneh. "The case for prefetching and prevalidating TLS server certificates". To appear in Proceedings of Network & Distributed System Security (NDSS), 2012.
Abstract
A key bottleneck in a full TLS handshake is the need to fetch and validate the server certificate before a secure connection can be established. We propose a mechanism by which a browser can prefetch and prevalidate server certificates so that by the time the user clicks on an HTTPS link the server's certificate is immediately ready to be used to setup a TLS session. Combining this with a recent proposal called Snap Start reduces the TLS handshake to zero round trips so that an HTTP request can be sent over HTTPS immediately upon request. Prefetching and prevalidating certificates improves web security by making it less costly for websites to enable TLS and by removing time pressure from the certificate validation process.
We implemented prefetching and prevalidation in the open-source browser Chromium, and performed extensive experiments to study the effects of four different prefetching strategies on server performance. Along the way we conducted a study of a popular certificate validation mechanism called OCSP and report on the performance and characteristics of common OCSP responders in the wild. The OCSP data collected, which is of independent interest, enabled us to evaluate the effectiveness of prefetching and prevalidating in reducing TLS handshake latency. We show a factor of four speed-up over the standard TLS handshake.
Electronic downloads
- ssl-prefetch.pdf · application/pdf · 379 kbytes
| Citation formats |
- HTML
E. Stark, L.S. Huang, D. Israni, C. Jackson, D. Boneh. <a href="http://www.truststc.org/pubs/842.html" >The case for prefetching and prevalidating TLS server certificates</a>, To appear in Proceedings of Network & Distributed System Security (NDSS), 2012.
- Plain text
E. Stark, L.S. Huang, D. Israni, C. Jackson, D. Boneh. "The case for prefetching and prevalidating TLS server certificates". To appear in Proceedings of Network & Distributed System Security (NDSS), 2012.
- BibTeX
@inproceedings{StarkHuangIsraniJacksonBoneh12_CaseForPrefetchingPrevalidatingTLSServerCertificates, author = {E. Stark and L.S. Huang and D. Israni and C. Jackson and D. Boneh}, title = {The case for prefetching and prevalidating TLS server certificates}, booktitle = {To appear in Proceedings of Network \& Distributed System Security (NDSS)}, year = {2012}, abstract = {A key bottleneck in a full TLS handshake is the need to fetch and validate the server certificate before a secure connection can be established. We propose a mechanism by which a browser can prefetch and prevalidate server certificates so that by the time the user clicks on an HTTPS link the server's certificate is immediately ready to be used to setup a TLS session. Combining this with a recent proposal called Snap Start reduces the TLS handshake to zero round trips so that an HTTP request can be sent over HTTPS immediately upon request. Prefetching and prevalidating certificates improves web security by making it less costly for websites to enable TLS and by removing time pressure from the certificate validation process. <p> We implemented prefetching and prevalidation in the open-source browser Chromium, and performed extensive experiments to study the effects of four different prefetching strategies on server performance. Along the way we conducted a study of a popular certificate validation mechanism called OCSP and report on the performance and characteristics of common OCSP responders in the wild. The OCSP data collected, which is of independent interest, enabled us to evaluate the effectiveness of prefetching and prevalidating in reducing TLS handshake latency. We show a factor of four speed-up over the standard TLS handshake. }, URL = {http://www.truststc.org/pubs/842.html} }
Posted by Mary Stewart on 4 Apr 2012.
For additional information, see the
Publications FAQ or
contact webmaster at www truststc org.
Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.