The downloading and uploading of images and video by end users over operator networks such as DOCSIS, Ethernet, fixed-line, Wi-Fi, 3G and 4G LTE infrastructure presents an ever-increasing challenge for operators as a finite number of links becomes more and more saturated. A common technique for reducing load on the packet core of the network is to cache commonly used content near an access point, so that requests for the content are serviced locally instead of traversing the core network, as taught in U.S. Pat. No. 7,770,198. Other techniques that reduce load on the last-mile side of the network include TCP window optimization, as taught in U.S. Pat. No. 8,639,835, and compressing text traffic between a packet core and a user endpoint or handset, as taught in U.S. Pat. No. 8,792,408.
Several techniques specific to optimizing image and video download are known in the art, such as just-in-time transcoding and transrating of content before it is sent through the last mile of the network, as taught in U.S. Pat. No. 6,628,300. None of these techniques, nor any others in the art, addresses the problem of optimizing image and video upload. Further, none of these techniques addresses the problem of optimizing image and video download or upload when such traffic is secured with protocols such as HTTPS or SSL, since an in-network optimizer cannot see, let alone transform, an encrypted payload. Such traffic comprises a growing percentage of the traffic transiting most operator networks and presents a serious challenge to operators wishing to optimize such flows.
Well-known techniques exist for proxying HTTPS and SSL traffic, such as those taught in U.S. Pat. No. 8,214,635 (the '635 patent), but they are directed to deep packet inspection and filtering of traffic, not media optimization. Further, these techniques introduce serious security risks.
In the '635 patent, a common root certificate authority is shared between the proxy/firewall and all user endpoints. This is useful in an enterprise where, for regulatory compliance, all traffic must be inspected and logged, including traffic secured with HTTPS and SSL, and where the enterprise maintains some manner of physical access control over the user endpoints. However, a determined actor in possession of any single one of these user endpoints holds the shared root certificate authority and can work to recover its private key; where the interception software carries the key on the endpoint itself, as with the client-side products discussed below, no cryptanalysis is required, only extraction. Once that private key is obtained, all secured traffic from all user endpoints within the network behind the proxy/firewall can be intercepted without any warning to the user, presenting a serious security risk.
Some parental control software and ad-insertion software use similar methods and present similar security risks. In fact, these risks can be more severe than compromising all endpoints behind a single proxy, because many of the aforementioned methods and proxies use a common vendor library that ships the same root certificate authority. In such circumstances, once the private key for that certificate authority is obtained, every endpoint running any software built on the single library can be compromised.
Contemporaneously with the filing of this disclosure, several such incidents were disclosed and reported in the media (“Lenovo Pulls Laptop App After Security Warnings”, Wall Street Journal, Feb. 19, 2015, and U.S. Department of Homeland Security, US-CERT Alert TA15-051A, “Lenovo Superfish Adware Vulnerable to HTTPS Spoofing”, Feb. 20, 2015).
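To make the shared-root-CA risk described above concrete, the following Go program is an added example written for this discussion; it is not code from the '635 patent, from the Superfish software, or from any vendor named here. The CA name, the hostname bank.example and the endpoint model are constructed placeholders. The program generates a stand-in shared root CA, uses that CA's private key to mint a server certificate for a host that never participated, and shows that an endpoint trusting the shared root accepts the forged certificate while an endpoint without that root rejects it. Holding the key once is therefore enough to impersonate any site to every endpoint that was provisioned with the same root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newRootCA builds a self-signed root CA. It stands in for the shared root
// certificate authority that an interception proxy installs on every endpoint
// (a constructed stand-in, not the '635 patent's or any vendor's CA).
func newRootCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Shared Proxy Root CA"}, // placeholder name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// forgeLeaf is what an attacker holding the CA private key can do: mint a
// server certificate for any hostname, with no cooperation from that host.
func forgeLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the SAN is what hostname verification checks
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// endpointAccepts models one endpoint's TLS server-certificate check: the
// endpoint trusts exactly the roots in trusted and is connecting to host.
// An empty (non-nil) pool means "no roots", so the system store is not consulted.
func endpointAccepts(leaf *x509.Certificate, trusted []*x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Demo walks the scenario from the text. It reports whether a forged
// certificate for host is accepted by (1) an endpoint provisioned with the
// shared root and (2) an endpoint without it.
func Demo(host string) (withSharedRoot bool, withoutSharedRoot bool, err error) {
	ca, caKey, err := newRootCA()
	if err != nil {
		return false, false, err
	}
	forged, err := forgeLeaf(ca, caKey, host)
	if err != nil {
		return false, false, err
	}
	withSharedRoot = endpointAccepts(forged, []*x509.Certificate{ca}, host)
	withoutSharedRoot = endpointAccepts(forged, nil, host)
	return withSharedRoot, withoutSharedRoot, nil
}

func main() {
	a, b, err := Demo("bank.example") // constructed hostname
	if err != nil {
		panic(err)
	}
	fmt.Printf("endpoint trusting shared root accepts forged cert: %v\n", a)
	fmt.Printf("endpoint without shared root accepts forged cert:  %v\n", b)
}
```

The forged certificate is indistinguishable, to the endpoint, from one the proxy would legitimately mint for inspection, which is why the check passes with no browser warning; a defender auditing a fleet can apply the same test in reverse by verifying a known public site's chain against the platform's expected roots only and treating any chain that terminates at a vendor or proxy root as interception.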