Can a proxy server cache SSL GETs? If not, would response body encryption suffice?

H

4

32

Can a (||any) proxy server cache content that is requested by a client over https? As the proxy server can't see the querystring, or the http headers, I reckon they can't.

I'm considering a desktop application, run by a number of people behind their companies proxy. This application may access services across the internet and I'd like to take advantage of the in-built internet caching infrastructure for 'reads'. If the caching proxy servers can't cache SSL delivered content, would simply encrypting the content of a response be a viable option?

I am considering all GET requests that we wish to be cachable be requested over http with the body encrypted using asymmetric encryption, where each client has the decryption key. Anytime we wish to perform a GET that is not cachable, or a POST operation, it will be performed over SSL.

Heliogabalus answered 18/8, 2008 at 14:6 Comment(1)

As of 2018, the most effective solution for caching assets served over HTTPS is to use a service worker. Libraries like Workbox make it easy to manage caches. – Italian 7/8, 2018 at 22:52

K

24

No, it's not possible to cache https directly. The whole communication between the client and the server is encrypted. A proxy sits between the server and the client, in order to cache it, you need to be able to read it, ie decrypt the encryption.

You can do something to cache it. You basically do the SSL on your proxy, intercepting the SSL sent to the client. Basically the data is encrypted between the client and your proxy, it's decrypted, read and cached, and the data is encrypted and sent on the server. The reply from the server is likewise descrypted, read and encrypted. I'm not sure how you do this on major proxy software (like squid), but it is possible.

The only problem with this approach is that the proxy will have to use a self signed cert to encrypt it to the client. The client will be able to tell that a proxy in the middle has read the data, since the certificate will not be from the original site.

Kratzer answered 18/8, 2008 at 14:24 Comment(2)

Is there any way to make 2 https requests byte equal so that a proxy server can return a cached response? – Pernod 21/6, 2017 at 4:42

The TLS encrypted tunnel prevents you from seeing HTTP headers, which means you cannot distinguish individual responses. So basically even byte-perfect packets cannot be cached – Gotthelf 19/4, 2018 at 5:53

M

28

The comment by Rory that the proxy would have to use a self-signed cert if not stricltly true.

The proxy could be implemented to generate a new cert for each new SSL host it is asked to deal with and sign it with a common root cert. In the OP's scenario of a corportate environment the common signing cert can rather easily be installed as a trusted CA on the client machines and they will gladly accept these "faked" SSL certs for the traffic being proxied as there will be no hostname mismatch.

In fact this is exactly how software such as the Charles Web Debugging Proxy allow for inspection of SSL traffic without causing security errors in the browser, etc.

Motorcycle answered 23/8, 2008 at 0:19 Comment(3)

I'd be quite perturbed to find this in any environment other than test; hopefully this is illegal in most countries due to the can of worms it would open - e.g. if the CFO is checking company bank accounts via a web portal, they'd likely be unhappy to know that IT could sniff the interaction. – Dust 10/3, 2016 at 18:22

@Phil It's basically what reverse proxy providers are doing. Just because the connection you made to the website (reverse proxy) is secure doesn't mean your data is traveling encrypted all the way through to the endpoint. – Mondragon 9/12, 2016 at 1:15

@J.Money Yes, but the question is specifically about connection from a browser within network A connecting via a proxy to server B. What server B does after that is a completely separate issue, and even end-to-end encryption with mutual authentication doesn't guarantee exchanged data is used responsibly/legally/as-intended – Dust 9/12, 2016 at 13:30

K

24

No, it's not possible to cache https directly. The whole communication between the client and the server is encrypted. A proxy sits between the server and the client, in order to cache it, you need to be able to read it, ie decrypt the encryption.

You can do something to cache it. You basically do the SSL on your proxy, intercepting the SSL sent to the client. Basically the data is encrypted between the client and your proxy, it's decrypted, read and cached, and the data is encrypted and sent on the server. The reply from the server is likewise descrypted, read and encrypted. I'm not sure how you do this on major proxy software (like squid), but it is possible.

The only problem with this approach is that the proxy will have to use a self signed cert to encrypt it to the client. The client will be able to tell that a proxy in the middle has read the data, since the certificate will not be from the original site.

Kratzer answered 18/8, 2008 at 14:24 Comment(2)

Is there any way to make 2 https requests byte equal so that a proxy server can return a cached response? – Pernod 21/6, 2017 at 4:42

The TLS encrypted tunnel prevents you from seeing HTTP headers, which means you cannot distinguish individual responses. So basically even byte-perfect packets cannot be cached – Gotthelf 19/4, 2018 at 5:53

A

1

I think you should just use SSL and rely on an HTTP client library that does caching (Ex: WinInet on windows). It's hard to imagine that the benefits of enterprise wide caching is worth the pain of writing a custom security encryption scheme or certificate fun on the proxy. Worse, on the encryption scheme you mention, doing asymmetric ciphers on the entity body sounds like a huge perf hit on the server side of your application; there is a reason that SSL uses symmetric ciphers for the actual payload of the connection.

Anaclitic answered 23/8, 2008 at 1:1 Comment(0)

F

0

How about setting up a server cache on the application server behind the component that encrypts https responses? This can be useful if you have a reverse-proxy setup.

I am thinking of something like this:

application server <---> Squid or Varnish (cache) <---> Apache (performs SSL encryption)

Frustule answered 18/5, 2010 at 21:26 Comment(0)

Recommended topics

Hot tags