You've heard of HTTPS. Now get a load of HTTPA: Web services in verified remote trusted environments?
2021-10-20 01:25

In a paper distributed this month through arXiv, they describe an HTTP protocol called HTTPS Attestable to enhance online security with remote attestation - a way for apps to obtain an assurance that data will be handled by trusted software in secure execution environments.

"We propose a general solution to standardize attestation over HTTPS and establish multiple trusted connections to protect and manage requested data for selected HTTP domains," they say.

HTTPA requires extending the HTTPS handshake process, the networking back-and-forth by which the client and server talk to one another.

The protocol calls for three sets of HTTP methods: HTTP preflight request and response; HTTP attest request and response; and HTTP trusted session request and response.

The HTTP attest and HTTP trusted session methods that follow are new; HTTP preflight is an existing mechanism used with Cross-Origin Resource Sharing (CORS) to check whether a server can handle a specific protocol.

Asked whether the protocol might interfere with services that have stringent bandwidth or latency requirements, they replied, "Further exploration would be needed to confirm any performance impact; however, we do not anticipate any significant performance change from other HTTPS protocols."


News URL

https://go.theregister.com/feed/www.theregister.com/2021/10/20/intel_sgx_httpa/