HTTPA: HTTPS Attestable Protocol

Hypertext Transfer Protocol Secure (HTTPS) protocol has become integral part of the modern internet technology. It is currently the primary protocol for commercialized web applications. It can provide a fast, secure connection with a certain level of privacy and integrity, and it has become a basic assumption on most web services on the internet. However, HTTPS cannot provide security assurances on the request data in compute, so the computing environment remains uncertain risks and vulnerabilities. A hardware-based trusted execution environment (TEE) such as Intel Software Guard Extension (SGX) provides in-memory encryption to help protect the runtime computation to reduce risks of illegal leaking or modifying private information. The central concept of SGX enables the computation happening inside the enclave, a protected environment that encrypts the codes and data pertaining to a security-sensitive computation. In addition, SGX provides provide security assurances via remote attestation to the web client, including TCB identity, vendor identity and verification identity. Here we propose a HTTP protocol, called HTTPS Attestable (HTTPA), by including remote attestation process onto the HTTPS protocol to address the privacy and security concerns on web and the access over the Internet. With HTTPA, we can provide security assurances to establish trustworthiness with web services and ensure integrity of request handling for web users. We expect that remote attestation will become a new trend adopted to reduce web services security risks, and propose the HTTPA protocol to unify the web attestation and accessing services in a standard and efficient way.