Now that the world has recognized the importance of HTTPS, it’s time to move further ahead amidst rising privacy issues. Researchers have proposed an advanced strategy – the HTTPS Attestable (HTTPA) protocol. This protocol will bolster HTTPS to further ensure secure and private communication by verifying the presence of encryption.
HTTPS Attestable Protocol (HTTPA) To Enhance Security
Researchers from Intel Labs have presented the idea of implementing HTTPA protocol for secure communications over the internet.
In brief, they have highlighted the underlying weaknesses of the HTTPS protocol that, despite encryption, still make it possible for an adversary to intercept the data. As mentioned,
“HTTPS cannot provide security assurances on the request data in compute, so the computing environment remains uncertain risks and vulnerabilities.
While the problem doesn’t directly exist in HTTPS, it does arise somehow in its implementation across different devices.
HTTPS is widely used to secure request data in motion, but the user data may be at risk i.e. data breach if the processing code is not fully isolated from everything else including the operating system on the host machine.
Therefore, they argue that introducing HTTPS attestation between devices can help prevent such issues as the systems can “verify” the protected status. For this, hardware-based TEE can help, such as Intel SGX enclave can facilitate.
The key is to verify the security for a remote user/system of a Trusted Computing Base (TCB) that includes the hardware, firmware, and software, and the Trusted Execution Environment (TEE) is the secure area on a processor that ensures isolated app execution on TCB.
With such hardware-based attestation, an attacker won’t be able to access information even upon achieving elevated privileges to access the secure channel.
The researchers have proposed two methods of HTTPS Attestation (HTTPA). These include One-Way HTTPA, where the client validates the server, and Mutual HTTPA (mHTTPA), where the client and the server verify each other.
The researchers have elaborated on HTTPA in a detailed research paper. Since HTTPA merely involves attestation of the existing HTTPS, it won’t be tedious to implement this protocol in real-time to alleviate existing security risks.