Technical Field
This application relates generally to secure network-based communications using cryptographic protocols.
Brief Description of the Related Art
Distributed computer systems are well-known in the prior art. One such distributed computer system is a “content delivery network” (CDN) or “overlay network” that is operated and managed by a service provider. The service provider typically provides the content delivery service on behalf of third parties (customers) who use the service provider's shared infrastructure. A distributed system of this type typically refers to a collection of autonomous computers linked by a network or networks, together with the software, systems, protocols and techniques designed to facilitate various services, such as content delivery, web application acceleration, or other support of outsourced origin site infrastructure. A CDN service provider typically provides service delivery through digital properties (such as a website), which are provisioned in a customer portal and then deployed to the network. A digital property typically is bound to one or more edge configurations that allow the service provider to account for traffic and bill its customer.
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide Internet communication security. They use asymmetric cryptography for authentication and key exchange, symmetric encryption for confidentiality, and message authentication codes for message integrity. TLS/SSL is initialized at a session layer then works at a presentation layer. In particular, first the session layer has a handshake using an asymmetric cipher to establish cipher settings and a shared key for that session. Thereafter, a presentation layer encrypts the rest of the communication using a symmetric cipher and that session key. In both models, TLS and SSL work on behalf of the underlying transport layer, whose segments carry encrypted data. TLS is an IETF standards track protocol, defined in RFC 5246 and RFC 6176.
HTTP request enrichment is a useful and low-overhead technique used by Internet Service Providers (ISPs) to pass on client intelligence to HTTP servers. This is usually achieved with the help of a Deep Packet Inspection (DPI) box capable of identifying HTTP requests, interjecting text into them, and offsetting the TCP flow's sequence numbers correctly between client and server. This functionality, however, cannot exist for HTTPS requests because a middle box is incapable of inserting anything into an SSL flow.
As additional background, many mobile network operators use transparent proxies and online transcoding or transrating devices to shape traffic in high traffic hours, e.g., based on real-time conditions in their network. These methods are very useful to the operators, but they are becoming increasingly irrelevant due to the growing volume of SSL streaming.