the evolving architecture of the web
play

The Evolving Architecture of the Web Nick Sullivan Head of - PowerPoint PPT Presentation

Jun 29, 2023 •19 likes •789 views

The Evolving Architecture of the Web Nick Sullivan Head of Cryptography CFSSL Universal SSL Keyless SSL Privacy Pass Geo Key Manager Recently Standards work TLS 1.3 C on peting Goals make browsing more performant private HTTP DNS

  1. The Evolving Architecture of the Web Nick Sullivan

  2. Head of Cryptography CFSSL Universal SSL Keyless SSL Privacy Pass Geo Key Manager Recently Standards work TLS 1.3

  4. C on peting Goals make browsing more performant private

  5. HTTP DNS

  6. HTTP Client ISP Web Server Browser Static Content Operating System Cache HTTP

  7. DNS Authoritative 
 Client Resolver Server Browser Operating System DNS

  8. Hosts Clients

  9. Clients HTTP Hosts Geographically Centralized One IP per Hostname Administratively Diverse

  10. What a network observer can see Clients HTTP Unique Client IP Hosts Unique Server IP Server URL Website content

  11. Anonymity set 1 Client IP 1 Server IP

  12. IPv4 4.3 Billion Addresses Not enough for every user

  13. What a network observer can see Clients HTTP Client Proxy IP Hosts Unique Server IP Proxy Server URL Website content

  14. Latency Cost 3 round-the-world Tor 1 round-the-world VPN Small Carrier NAT

  15. Anonymity set k Client 1 Server

  16. New T rends

  17. Client ISP Host HTTPS Browser Operating System HTTPS

  18. Client ISP Host Browser Operating System TLS 1.2

  19. Client ISP Host Browser Operating System TLS 1.3: coming soon

  20. What a network observer can see Clients HTTP HTTPS Unique Client IP Hosts Unique Server IP Server URL Website content

  21. Anonymity set 1 Client 1 Server

  22. IPv4 4.3 Billion Addresses Not enough for every website

  23. Clients HTTP Hosts Geographically Centralized One IP per Hostname Administratively Diverse

  24. Clients HTTP HTTPS Hosts Shared Hosts More Geographically Centralized Multiple Hostname per IPs More Administratively Centralized

  25. SNI Virtual Hosting Send the hostname to the server so it can choose the certificate

  26. Source: Akamai

  27. What a network observer can see Clients HTTP HTTPS Client Unique IP Hosts Shared Server IP Shared Hosts Hostname

  28. Anonymity set 1 Client 1 Server (Shared IP+Hostname)

  29. Internet Scans and IPv6

  30. Privacy Evolves Certificate Transparency Wildcard certificates

  31. Edge S es vices

  32. Edge Services • Websites and are delegating to globally distributed parties • Authorized to terminate TLS • Reduced Latency • Improved DDoS resilience • Anycast to reduce number of IPs needed

  33. Clients HTTP HTTPS Hosts Shared Hosts More Geographically Centralized Multiple IPs per Hostname More Administratively Centralized

  34. Clients HTTP HTTPS Hosts Anycast Hosts Geographically Distributed Multiple IPs per Hostname Administratively Centralized

  35. Client ISP Host Edge Browser Operating System HTTPS

  36. Client ISP Edge Host Browser Operating System HTTPS

  37. Questi oo s Can we improve privacy ? Can we improve latency ? Can we improve both ???

  38. HTTP 1.1 Client Resolver Edge burrito.com SNI: burrito.com Browser beans.com SNI: beans.com Q: burrito.com A: 1.2.3.4 Operating System Q: beans.com A: 1.2.3.5

  39. Safety in Numb es s

  40. Meek Client Origin Edge burrito.com Host burrito.com beans.com SNI: burrito.com Browser Host Resolver Operating System Q: burrito.com A: 1.2.3.4

  41. Meek Client Origin Edge burrito.com Host burrito.com SNI: burrito.com beans.com GET https://beans.com Browser Host GET beans.com Resolver Operating System Q: burrito.com A: 1.2.3.4 Mismatch: SNI, Host, SAN

  42. HTTP/2 Client Resolver Edge SNI: burrito.com GET https://burrito.com burrito.com Browser beans.com GET https://beans.com Q: burrito.com A: 1.2.3.4 Operating System Q: beans.com A: 1.2.3.4 Connection Coalescing

  43. HTTP/2 Client Resolver Edge SNI: burrito.com 
 burrito.com GET https://burrito.com Browser beans.com ORIGIN: beans.com GET https://beans.com SNI: burrito.com Operating System Q: burrito.com A: 1.2.3.4 ORIGIN Frame

  44. What a network observer can see Clients HTTP HTTPS Hosts Client Unique IP Anycast Hosts Shared Server IP First Hostname

  45. Anonymity set 1 Client ~20 Server (Shared IP+Certificate)

  46. HTTP/2 Client Resolver Edge SNI: burrito.com burrito.com GET https://burrito.com Browser ORIGIN: beans.com CERTIFICATE: beans.com GET https://beans.com Operating System Q: burrito.com A: 1.2.3.4 CERTIFICATE Frame

  47. Client Resolver Edge burrito.com Browser SNI: burrito.com Operating System Q: burrito.com A: 1.2.3.4

  48. What this changes Having a certificate gives you routing authority

  49. Anonymity set 1 Client k Server (Shared IP+First Hostname) k is the set of domains on certificates that can be obtained through “First Hostname”

  50. Meek-like circumvention protection Only send the CERTIFICATE frame on certain resources

  51. Authoritative 
 Client Resolver Server Browser Operating System DNS

  52. Root Server Client Resolver me.we.com TLD Server Browser me.we.com Q: e.we.com Authoritative Operating System me.we.com Client Subnet Cache Miss

  53. Root Server Client Resolver me.we.com TLD Server Browser me.we.com Q: e.we.com Authoritative Operating System me.we.com Client Subnet Caching

  54. Root Server Client Resolver .com TLD Server Browser .we.com Q: e.we.com Authoritative Operating System me.we.com Client Subnet QNAME Minimization

  55. DOH Edge 
 Authoritative 
 Client ISP Resolver Server Browser Operating System D NS O ver H TTPS

  56. ISP 
 DOH 
 Root Server Client Resolver Resolver .com Q: e.we.com TLD Server Browser .we.com Authoritative Operating System me.we.com Client Subnet DOH Resolver

  57. 
 
 Latency Edge DoH ISPs Globally Distributed Closer to user TLS 1.3 0RTT Smaller cache UDP

  58. Challenges in the Enterprise

  59. HTTP/2 DoH Client Edge Resolver SNI: burrito.com GET https://burrito.com burrito.com Browser ORIGIN: beans.com CERTIFICATE: beans.com GET https://beans.com SNI: resolver.com resolver.com Q: burrito.com A: 1.2.3.4 ORIGIN/CERT + DoH

  60. HTTP/2 DoH Client Edge Resolver burrito.com Browser SNI: burrito.com resolver.com SNI: resolver.com ORIGIN/CERT + DoH

  61. SNI Encryption Encrypt SNI with client ephemeral key + server public key from DNS

  62. TLS 1.3 DoH Client Edge Resolver burrito.com eSNI: E(burrito.com) Browser SNI: resolver.com resolver.com Q: burrito.com A: 1.2.3.4, PubKey O/C + DoH + eSNI

  63. What a network observer can see Clients HTTP HTTPS Hosts Client Unique IP Anycast Hosts Shared Server IP First Hostname (SNI)

  64. Anonymity set Client 1 Server K K is the set of domains that can be served on the IP Caveat : If Server IP is static, then this give a hint about first hostname.

  65. HTTP/2 Client Resolver Edge SNI: resolver.com Browser resolver.com Q: beans.com A: 1.2.3.5 ORIGIN: beans.com CERTIFICATE: beans.com GET https://beans.com DOH “VPN”

  66. HTTP/2 Client Resolver Edge Browser resolver.com SNI: resolver.com DOH “VPN”

  67. Anonymity set 1 Client IP K Server IP K is the set of domains that can be served on the IP No dynamic IP requirement

  68. Where are we now? ORIGIN implemented in Firefox CERTIFICATE being standardized by IETF DOH supported by Google DNS, 1.1.1.1 eSNI about to be submitted to IETF

  69. ORIGIN Privacy improvement limited by shared certs Latency skip both DNS and HTTPS Security certificate compromise risk

  70. CERTIFICATE Privacy hide any bean in any burrito Latency extends origin benefits to any cert Security exchange DNS for CT or OCSP stapling

  71. DOH Privacy first hop improvement Latency depends on provider, TLS 1.3 Security security against attacks, allows passive DNS

  72. eSNI Privacy first domain privacy given dynamic IPs Latency depends on DoH for reliability Security risk of more MiTM

  73. Open Questions How much privacy does this actually give people? Does this incentivize further consolidation? Does increased performance and privacy outweigh the legitimate need for external visibility?

  74. Website Fingerprinting Removing explicit signals does not protect you from passive ones

  75. Consolidation Better performance when using a popular provider

  76. Is visibility necessary? Safety vs. Security

  77. The Evolving Architecture of the Web Nick Sullivan

Recommend

UI Evolving Platform Evolving Architecture Evolving About Me Xianning ( Pronunciation

UI Evolving Platform Evolving Architecture Evolving About Me Xianning ( Pronunciation

UI Evolving Platform Evolving Architecture Evolving About Me Xianning ( Pronunciation Shining) Liu Full Stack Developer, Mobile SME, Lead Consultant @ThoughtWorks Tech Lead & Solution Architect. Recently focusing on scale mobile

854 views • 49 slides
Th The 2nd International Workshop on 2 d I t ti l W k h Mobility in the Evolving Internet

Th The 2nd International Workshop on 2 d I t ti l W k h Mobility in the Evolving Internet

Th The 2nd International Workshop on 2 d I t ti l W k h Mobility in the Evolving Internet Mobility in the Evolving Internet Architecture (MobiArch07) Xiaoming Fu, Katherine Guo, Sue Moon, Ryuji Wakikawa Jon Crowcroft Acknowlegements

83 views • 6 slides
Evolving the architecture of guardian.co.uk Mat Wall Lead software architect History 1821 -

Evolving the architecture of guardian.co.uk Mat Wall Lead software architect History 1821 -

Evolving the architecture of guardian.co.uk Mat Wall Lead software architect History 1821 - Manchester Guardian released 1936 - Scott Trust formed: No proprietor Unique in British newspapers to this day 1959 - The Guardian goes national

931 views • 81 slides
Fifi: An Architecture to Realize Self-evolving of Java Program Ming-Yang Hou Xi-Yang Liu He-Hui

Fifi: An Architecture to Realize Self-evolving of Java Program Ming-Yang Hou Xi-Yang Liu He-Hui

Fifi: An Architecture to Realize Self-evolving of Java Program Ming-Yang Hou Xi-Yang Liu He-Hui Liu ehmy@263.net xyliu@xidian.edu.cn hhliu@mail.xidian.edu.cn Software Engineering Institute Xidian University, China ICSE 2006 Workshop on

675 views • 18 slides
Algorithms and Architecture for Managing Evolving ETL Workflows Judith Awiti Universit Libre

Algorithms and Architecture for Managing Evolving ETL Workflows Judith Awiti Universit Libre

Algorithms and Architecture for Managing Evolving ETL Workflows Judith Awiti Universit Libre de Bruxelles, Belgium Esteban Zimnyi (Home Supervisor) : Universit Libre de Bruxelles Robert Wrembel (Host Supervisor) : Pozna University of

526 views • 34 slides
Introduction The volume of information is increasing as evolving modern science

Introduction The volume of information is increasing as evolving modern science

HAMA : An Efficient Matrix Computation with the MapReduce Framework IEEE CLOUDCOM 2010 Workshop, Indianapolis, USA Sangwon Seo , Computer Architecture Lab, KAIST, 1 Dec. 2010 Introduction The volume of information is increasing as evolving

1k views • 21 slides
Evolving Neural Networks This lecture is based on Xin Yaos tutorial slides From Evolving

Evolving Neural Networks This lecture is based on Xin Yaos tutorial slides From Evolving

Evolving Neural Networks This lecture is based on Xin Yaos tutorial slides From Evolving Single Neural Networks to Evolving Ensembles presented at CEC 2007. Literature: Evolving Artificial Neural Networks , Xin Yao, Proceedings of the

281 views • 16 slides
Evolving Data Access Evolving Data Access Evolving Data Access Evolving Data Access

Evolving Data Access Evolving Data Access Evolving Data Access Evolving Data Access

Evolving Data Access Evolving Data Access Evolving Data Access Evolving Data Access Methodologies and Standards Methodologies and Standards John de Longa Solutions Architect Solutions Architect DataDirect Technologies

499 views • 24 slides
NVIDIA GPUs in the Cloud 4 EVOLVING CLOUD REQUIREMENTS On Off Hybrid Cloud premises premises

NVIDIA GPUs in the Cloud 4 EVOLVING CLOUD REQUIREMENTS On Off Hybrid Cloud premises premises

NVIDIA GPUs in the Cloud 4 EVOLVING CLOUD REQUIREMENTS On Off Hybrid Cloud premises premises Connecting clouds New workloads Components to disrupt SOFTLAYER CAPABILITIES OVERVIEW 5 GLOBAL CLOUD PLATFORM Unified architecture enabled by

390 views • 17 slides
CoVid-19: an Evolving Presentation Thomas Britt, MD, MPH 10 May 2020 CoVid-19 is an evolving

CoVid-19: an Evolving Presentation Thomas Britt, MD, MPH 10 May 2020 CoVid-19 is an evolving

CoVid-19: an Evolving Presentation Thomas Britt, MD, MPH 10 May 2020 CoVid-19 is an evolving Global Pandemic, that has recently revealed that the United States is now the epicenter (initially Washington State and now, the State of New York,

283 views • 3 slides
The Evolving Environment Kenneth I. Shine, MD Special Advisor to the Chancellor The University

The Evolving Environment Kenneth I. Shine, MD Special Advisor to the Chancellor The University

The Evolving Environment Kenneth I. Shine, MD Special Advisor to the Chancellor The University of Texas System The Evolving Environment Potential Conflict of Interest Director, United Health Group The Evolving Environment New Delivery Models

428 views • 4 slides
CSE 510 Web Data Engineering XML, XHTML, XSLT and Web Application Programming Evolving as We

CSE 510 Web Data Engineering XML, XHTML, XSLT and Web Application Programming Evolving as We

CSE 510 Web Data Engineering XML, XHTML, XSLT and Web Application Programming Evolving as We Speak UB CSE 510 Web Data Engineering XML-based Model 2 (MVC) Architecture of Today View: XSLT-based presentation XML/XML Schema-defined

436 views • 28 slides
Evolving Artificial Neural Networks Tim Kovacs Evolving ANNs 1 of 23 Introduction Adapting

Evolving Artificial Neural Networks Tim Kovacs Evolving ANNs 1 of 23 Introduction Adapting

Introduction Adapting Weights Adapting Architectures Adapting Learning Rules Yaos Framework Conclusions Bibliography COMS M0305: Learning in Autonomous Systems Evolving Artificial Neural Networks Tim Kovacs Evolving ANNs 1 of 23

572 views • 23 slides
Evolving Game Playing Evolving Game Playing Strategies (4.4.3) Strategies (4.4.3) Darren

Evolving Game Playing Evolving Game Playing Strategies (4.4.3) Strategies (4.4.3) Darren

Evolving Game Playing Evolving Game Playing Strategies (4.4.3) Strategies (4.4.3) Darren Gerling Jason Gerling Jared Hopf Colleen Wtorek Overview Overview 1) Introduction - Agent Based Modeling 2) Prisoners Dilemma 3) Deterministic

724 views • 48 slides
The Evolutjon of ALM June 2019 How will ALM change The Evolving External Increasing

The Evolutjon of ALM June 2019 How will ALM change The Evolving External Increasing

The Evolutjon of ALM June 2019 How will ALM change The Evolving External Increasing Strategic ALM Environment Sophistjcatjon 1 2 3 Yousef Ghazi-Tabatabai www.ukalma.org.uk 1 The Evolving External Environment The Evolving

275 views • 23 slides
Evolving Role of Performance Measurement I n t e g r i t y - S e r v i c e - E x c e l l e n c e

Evolving Role of Performance Measurement I n t e g r i t y - S e r v i c e - E x c e l l e n c e

Evolving Role of Performance Measurement I n t e g r i t y - S e r v i c e - E x c e l l e n c e Meeting Fiscal Constraints: The Evolving Role of Performance Measurement ICEAA National Conference San Diego CA Dr Steve Green, CCE/A 10 Jun

371 views • 21 slides
ACT-IAC Evolving the Workforce COI July 9, 2020 ACT-IAC Evolving the Workforce COI Leadership

ACT-IAC Evolving the Workforce COI July 9, 2020 ACT-IAC Evolving the Workforce COI Leadership

ACT-IAC Evolving the Workforce COI July 9, 2020 ACT-IAC Evolving the Workforce COI Leadership Team Andrew McCoy, Industry Chair Terri Shaffer, Government Chair Christina Vay, Government Vice-Chair Ronna Garrett, Industry Vice-Chair Robert

389 views • 16 slides
1 Where does architecture come from? What order? Use an architecture youve seen before

1 Where does architecture come from? What order? Use an architecture youve seen before

Architecture 2 1 Announcements What is Architecture? Final project hand-in and documentation Big picture Structure or structures that support the system Early design decisions Architecture is the design decisions you

275 views • 5 slides
Evolving Cyber Risks for Small Businesses Sponsored By: Evolving Cyber Risks for Small

Evolving Cyber Risks for Small Businesses Sponsored By: Evolving Cyber Risks for Small

Evolving Cyber Risks for Small Businesses Sponsored By: Evolving Cyber Risks for Small Businesses Visit www.advisenltd.com at the end of this webinar to download: Copy of these slides Recording of todays webinar Corresponding

515 views • 19 slides
ACT-IAC Evolving the Workforce Community of Interest Topic: Fair and Effective Hiring: Are

ACT-IAC Evolving the Workforce Community of Interest Topic: Fair and Effective Hiring: Are

ACT-IAC Evolving the Workforce Community of Interest Topic: Fair and Effective Hiring: Are Different Outcomes Possible? June 11, 2020 ACT-IAC Evolving the Workforce COI Leadership Team Andrew McCoy, Industry Chair Terri Shaffer, Government

932 views • 51 slides
Time-Evolving Graph Processing at Scale Anand Iyer # , Li Erran Li + , Tathagata Das * , Ion

Time-Evolving Graph Processing at Scale Anand Iyer # , Li Erran Li + , Tathagata Das * , Ion

Time-Evolving Graph Processing at Scale Anand Iyer # , Li Erran Li + , Tathagata Das * , Ion Stoica #* # UC Berkeley + Uber Technologies * Databricks Motivation Dynamically evolving graphs prevalent in many domains Social networks (e.g.,

561 views • 27 slides
Translating and Evolving: Towards a model of language change in DisCoCat Tai-Danae Bradley,

Translating and Evolving: Towards a model of language change in DisCoCat Tai-Danae Bradley,

Translating and Evolving: Towards a model of language change in DisCoCat Tai-Danae Bradley, Martha Lewis, Jade Master, and Brad Theilman SYCO3, March 2019 Oxford, UK Bradley & al Translating & Evolving 1/20 Background

571 views • 20 slides
Overview of Sofware Architecture Sofware Architecture VO (706.706) Roman Kern 2020-10-04

Overview of Sofware Architecture Sofware Architecture VO (706.706) Roman Kern 2020-10-04

# These slides should give an overview of the sofware architecture, and what its role is. # Why and when is sofware architecture important. # In other words: sofware architecture in a nutshell ! Overview of Sofware Architecture Sofware

207 views • 7 slides
SE2: Introduction to Software Architecture Mei Nagappan What is Architecture? Encyclopedia

SE2: Introduction to Software Architecture Mei Nagappan What is Architecture? Encyclopedia

Material and some slide content from: - Emerson Murphy-Hill - Reid Holmes - Mehdi Mirakhorli - Software Architecture: Foundations, Theory, and Practice - Essential Software Architecture SE2: Introduction to Software Architecture Mei Nagappan

341 views • 31 slides

More recommend