HTTPA/2: a Trusted End-to-End Protocol for Web Services

TL;DR

HTTPA/2 is an upgraded protocol that provides end-to-end trust and security for web services at layer 7, enabling remote attestation without relying on TLS, thus enhancing trustworthiness in cloud-based web applications.

Contribution

It introduces HTTPA/2, a novel protocol augmenting HTTP to enable end-to-end trusted communication and remote attestation at layer 7 without TLS, compatible with modern cloud infrastructure.

Findings

Enables end-to-end trust in web services at layer 7.

Provides remote attestation without TLS.

Compatible with cloud infrastructure components.

Abstract

With the advent of cloud computing and the Internet, the commercialized website becomes capable of providing more web services, such as software as a service (SaaS) or function as a service (FaaS), for great user experiences. Undoubtedly, web services have been thriving in popularity that will continue growing to serve modern human life. As expected, there came the ineluctable need for preserving privacy, enhancing security, and building trust. However, HTTPS alone cannot provide a remote attestation for building trust with web services, which remains lacking in trust. At the same time, cloud computing is actively adopting the use of TEEs and will demand a web-based protocol for remote attestation with ease of use. Here, we propose HTTPA/2 as an upgraded version of HTTP-Attestable (HTTPA) by augmenting existing HTTP to enable end-to-end trusted communication between endpoints at layer 7 (L7). HTTPA/2 allows for L7 message protection without relying on TLS. In practice, HTTPA/2 is designed to be compatible with the in-network processing of the modern cloud infrastructure, including L7 gateway, L7 load balancer, caching, etc. We envision that \acs{httpa}/2 will further enable trustworthy web services and trustworthy AI applications in the future, accelerating the transformation of the web-based digital world to be more trustworthy.