SSL Verification Only

Posted

Recently I have been thinking a lot about SSL and have been pondering caching. Currently SSL caching can only be done by a trusted server with the certificate private key or by the browser. This is obviously a requirement for encryption as the encryption key will be different every time and the resulting data stream will be different.

What I was considering is a verification-only SSL solution similar to distributing a file and a verifiable signature. This way the server can sign files it distributes and anyone can cache and re-serve these files, reducing load on the server. This would be useful for static assets that are served over HTTPS to prevent the risk of a man-in-the-middle attack serving malware instead of legitimate javascript files. These files are not a secret and don't contain personal information so there is very little reason for them to be encrypted. These signed files could be cached by any proxy (an on-site squid proxy, an ISP cache or limitless other options) without risk of tampering and the load is taken off of the server.

I haven't seen any solution around and was wondering why. It seams like something this is relatively easy to accomplish and all we need is a standard way to implement it. If there is anything out or in the works I would love to hear about it.