While HTTPS is becoming the default online protocol for providing a fast and secure connection for websites and applications, there is still room for improvement. The HTTPA protocol is intended to enhance online trust using trusted execution environments (TEE).
Intel software engineer Gordon King and Intel Labs research scientist Hans Wang outlined the proposed protocol – HTTPS-Attestable (HTTPA) – in a paper distributed through ArXiv.
HTTPA enhances online security with remote attestation – a way for applications to obtain assurance that the data is being handled by trusted software in secure execution environments. Applications use certificates or cryptographic methods to verify that the code running in a server-side TEE is the expected code, and that it hasn’t been modified by a rogue process, tool or administrator.
TEE refer to enclaves in memory where sensitive computations run can be used to perform computations on sensitive details. Both Intel and Arm offers hardware-based TEE, the Intel Software Guard Extension (Intel SGX) and TrustZone. Wang and King notes in the paper that SGX provides in-memory encryption to help protect the runtime computation to reduce risks of illegal leaking or modifying private information.
The idea behind HTTPA is that web servers can be more secure by carrying out computations in remote TEEs and giving clients a way to verify that this was done.
“We propose a general solution to standardize attestation over HTTPS and establish multiple trusted connections to protect and manage requested data for selected HTTP domains,” King and Wang say in the paper. “Also, our solution leverage the current HTTPS protocol, so it does not introduce much complexity as other approaches.”
Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.