Low-cost SSL proxy could bring cheaper, faster security; defeat threats like Firesheep
Network World - Researchers have found a cheaper, faster way to process SSL/TLS with off-the-shelf hardware, a development that could let more Web sites shut down cyber threats posed by the likes of the Firesheep hijacking tool.
The technology, dubbed SSLShading, shows how SSL proxies based on commodity hardware can protect Web servers without slowing down transactions, according to a presentation scheduled at the USENIX Symposium on Networked Design and Implementation in Boston March 30 through April 1.
SSL/TLS -- the cryptographic protocols used to protect online Web transactions -- encrypts traffic from visitors' machines all the way to Web servers. That makes it impossible to pick up data such as session cookies by preying on unencrypted wireless networks, which is what Firesheep does.
Based on an algorithm devised by researchers in Korea and the U.S., SSLShading is software that directs SSL traffic being proxied either to a CPU or a graphics processing unit (GPU), whichever is most appropriate to handle the current load. The researchers will discuss the algorithm in their paper "SSLShader: Cheap SSL Acceleration with Commodity Processors."
FOR MORE ON ALGORITHMS: 15 genius algorithms that aren't boring
"The key idea is to send all requests to CPU when the number of pending cryptographic operations is small enough to be handled by CPU," the research team says in an earlier paper. "If requests begin to pile up in the queue, then the algorithm offloads cryptographic operations to GPUs and benefits from parallel execution for high throughput."
SSL transactions per second (TPS) using just the CPU on the test servers totaled 3,632 in one experiment, the researchers stated. Using the proxy GPU and their algorithm yielded 18,482 TPS. The group used an Intel Xeon X5550 CPU ($260) with four cores and an NVIDIA GTX 480 graphic card with 480 cores.
SSLShader still has some shortcomings, the most notable of which is that he GPU processing works well for transactions under 1MB, but for larger transactions, the CPU works better because of the overhead of copying when the proxy is in place, according to the researcher's overview of SSLShader.
The researchers say they plan to make their software available, but didn't say when. The team consists of Keon Jang, Sangjin Han, Sue Moon and KyoungSoo Park, all of KAIST in Korea, and Seungyeop Han of the University of Washington.
One of the traditional obstacles to using SSL to protect Web sites is the extra processing demand and its associated costs, says John Pironti, president of IP Architects, a security consulting firm, and the security track chairman for Interop. "The infrastructure costs to enable SSL can be challenging," he says, depending on the size and complexity of the deployment.
- 5 Ways Dropbox for Business Keeps Your Data Protected Protecting your data isn't a feature on a checklist, something to be tacked on as an afterthought. Download here to find out how...
- The Keys to Securing Data in a Collaborative Workplace Losing data is costly. IT professionals have spent years learning how to protect their organizations from hackers, but how do you ward off...
- Evaluating File Sync and Share Solutions: 12 Questions to Ask about Security File sync and share can increase productivity, but how do you pick a solution that works for you? Download to learn some important...
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!