InviCloak: An End-to-End Approach to Privacy and Performance in Web Content Distribution

by Shihan Lin, et al.

In today's web ecosystem, a website that uses a Content Delivery Network (CDN) shares its Transport Layer Security (TLS) private key or session key with the CDN. In this paper, we present the design and implementation of InviCloak, a system that protects the confidentiality and integrity of the private communications between a user and a website without changing TLS or upgrading a CDN. InviCloak builds a lightweight but secure and practical key distribution mechanism on the existing DNS infrastructure to distribute a new public key associated with a website's domain name. A web client and a website can use the new key pair to build an encryption channel inside TLS. InviCloak accommodates the current web ecosystem. A website can deploy InviCloak unilaterally, without a client's involvement, to prevent a passive attacker inside a CDN from eavesdropping on their communications. If a client also installs InviCloak's browser extension, the client and the website can achieve end-to-end confidential and untampered communications in the presence of an active attacker inside a CDN. Our evaluation shows that InviCloak increases the median page load time (PLT) of realistic web pages from 2.0s to 2.1s, well below the 2.8s median PLT of a state-of-the-art TEE-based solution.
