What effect does https traffic have on web cache proxy servers?
I just took two university courses on computer security and internet programming. I was thinking about this the other day:
Web cache proxy servers cache popular content from servers on the web. This is useful, for example, if your company has a 1 Gbps network connection internally (including a web cache proxy server), but only a 100 Mbps connection to the internet. The web cache proxy server can serve cached content much more quickly to other computers on the local network.
Now consider TLS-encrypted connections. Can encrypted content be cached in any useful way? There's a great initiative from letsencrypt.org aiming to make all internet traffic encrypted over SSL by default. They are doing this by making it really easy, automated, and free to obtain SSL certificates for your site (starting summer 2015). Considering current yearly costs for SSL certs, FREE is really attractive.
My question is: will HTTPS traffic eventually make web cache proxy servers obsolete? If so, what toll will this take on the load of global internet traffic?
Solution 1:
Yes, HTTPs will put a damper on network caching.
Specifically because caching HTTPs requires doing a man in the middle type attack - replacing the SSL certificate with that of the cache server. That certificate will have to be generated on the fly and signed by a local authority.
In a corporate environment you can make all PCs trust your cache server certificates. But other machines will give certificate errors - which they should. A malicious cache could modify the pages easily.
I suspect that sites that use large amounts of bandwidth like video streaming will still send content over regular HTTP specifically so it can be cached. But for many sites better security outweighs the increase in bandwidth.
Solution 2:
Even tough HTTPS traffic cannot be proxied in a strict sense ('cause, otherwise, the proxy software will act as a "man in the middle", that is exactly one of the reason SSL has been developed for, to avoid), it's important to remark that common software proxies (like SQUID), can correctly handle HTTPS connections.
This is possible thanks to the HTTP CONNECT METHOD, that SQUID correctly implement. In other words, for any HTTPS request that the proxy receive, it simply "relay" it, without any intervention at encapsuled, enncrypted traffic.
Even if at first this sounds useless, it allows to have local clients/browsers configured to point to a proxy and, at the same time, cut any forms of Internet connectivity.
So, back to your original question: "will HTTPS traffic eventually make web cache proxy servers obsolete?", my answer is:
- YES: if you rely to a web proxy only in terms of caching;
- NO: if you rely to a web proxy for things other than caching (eg: user authentication; URL-logging; etc.).
P.S.: a similar/major problem with HTTPS relates to name-based virtual-host multihoming, that is common in web-hosting solutions but.... gets complex when dealing with HTTPS sites (I'm not discussing in details, 'cause it's not strictly related to this question).