Author Institution :
Dept. of Comput. Sci., Univ. of Texas at Austin, Austin, TX, USA
Abstract :
The World Wide Web famously supports two transport protocols: HTTP and HTTPS. These two protocols sit at opposite ends of three dimensions: security guarantees, cost of use, and compatibility with middle boxes (e.g., cache proxies) in the Internet. At one end, HTTP provides no security guarantees, but it is inexpensive to use and is compatible with middle boxes in the Internet. At the other end, HTTPS provides three security guarantees, but it is expensive to use and is not compatible with middle boxes. Although the three security guarantees provided by HTTPS, namely server authentication, message integrity, and message confidentiality, are important in general, many web servers (e.g., email servers) do not need the message confidentiality guarantee. In this paper, we present a new transport protocol for the Web, named HTTPI. This protocol provides both server authentication and message integrity, but not message confidentiality. Like HTTP, HTTPI is inexpensive to use and is compatible with middle boxes, and like HTTPS, it defends against many cyber attacks (e.g., pharming attacks) that HTTP cannot defend against. We developed a preliminary implementation of HTTPI and showed through experimentation that the throughput of HTTPI is within 1.2% of that of HTTP and is 37% better than that of HTTPS.
Keywords :
Internet; message authentication; transport protocols; HTTP protocol; HTTPS protocol; Web server; World Wide Web; email server; message confidentiality; message integrity; security guarantee; server authentication; transport protocol; Authentication; Protocols; Throughput; Web pages; Web servers