HTTP Proposal: Integrity

The Integrity HTTP header is meant to give websites a way to direct returning visitors to a different location in case of an emergency. Such an emergency could have different causes (e.g. governmental interference leading to loss of domain name and/or server).

Goals

• Site owners can keep their userbase even in case of an emergency.
• Site owners can inform their userbase about the cause of the emergency and ask for support.
• The user can continue visiting the site and does not have to deal with doing research about (1) where the site has gone and (2) what happened to the site.

Future Research

• Although tougher to implement for regular web developers it should make more sense to base this mechanism on DNS rather than HTTP.
• The amount of necessary requests could be reduced significantly by using signatures.

Open Issues

• Caching
  • What should the default value be? (indefinite?)
  • Server should be able to specify it (use same value it specifies for page caching?)
  • What should the duration be when extending the cache expiration in case of a redirect? / Where should it be defined? / Should it only be extended when expired?
• Checks
  • Should the page be blocked until integrity checks have returned a result or should the result of those be applied on the next visit? / Is caching enough to keep the performance impact low?

Components

• Definition: server [A]
• Verification: servers [B] to [X]
• Execution: client

Graph

graph outlining HTTP Integrity process

Process

a) client navigates to website [A]

a1) client checks cache

b) client processes results

a1 > b1) client finds entry for [A] in cache
a1 > b2) client does not find entry for [A] in cache

c) client checks cache expiration

b1 > c1) cache entry is not expired
b1 > c2) cache entry is expired

d) client initiates Integrity

b2 > d1) client sends HTTP header Integrity-Version: 0.1
c2 > d2) client sends HTTP header Integrity-Version: 0.1

e) server [A] responds

d1 | d2 > e1) server sends HTTP code 200 with HTTP header Integrity-Location: <ordered, comma separated list of IP addresses and domain names [B..X]>
d1 > e2) server sends HTTP code 200 without HTTP header Integrity-Location
d1 > e3) server sends HTTP error code
c1 | d2 > e4) server sends HTTP error code
c1 > e5) server does not send HTTP error code
d2 > e6) server sends HTTP code 200 without HTTP header Integrity-Location

f) client processes data

e1 | e6 | h1 > f1) client sends HEAD request to server [B..X] with HTTP header Integrity-Origin: [A]

g) server [B..X] responds

f1 > g1) server sends HTTP code 200 with HTTP header Integrity-Status: OK
f1 > g2) server sends HTTP code 200 with HTTP header Integrity-Status: NOK
f1 > g3) server sends HTTP code 200 without HTTP header Integrity-Status
f1 > g4) server sends HTTP error code

h) client checks cache for [A]

g3 | g4 > h1) another entry in location list
g3 | g4 > h2) no other entry in location list
g2 > h3) cache entry exists
g2 > h4) cache entry does not exist

i) client processes server response

e4 > i1) client redirects (301 Moved Permanently) to cached location [B..X] and extends cache expiration date
g1 > i2) client removes cached location (if exists), saves location transmitted through HTTP header Integrity-Location (if exists), associates it with domain [A] and adds cache expiration date
h2 > i3) client removes cache entry (if exists)

END) client finishes navigation

e2 | e3 | e5 | h4 | i2 | i3 > END) [A]
i1 > END) [B..X]