For many years, Internet web content has used Hypertext Transfer Protocol version 1.1 (HTTP/1.1), running on the Transmission Control Protocol (TCP). HTTP/1.1 was published by the Internet Engineering Task Force (IETF) in 1997 and has been the workhorse of the web ever since. However, because the size and complexity of websites have increased tremendously since 1997, HTTP/1.1 has become a performance bottleneck and is being replaced with HTTP/2.
The HTTP/2 standard is derived from the SPDY technology that was invented by Google. While HTTP/2 brings many desirable features, its extensive use of encryption was hotly debated during the standardization process. Generally, over-the-top (OTT) Internet service providers are in favor of end-to-end encryption. Telecom service providers have been largely unsuccessful in promoting the notion of trusted forward proxies (TFP), which would enable encrypted traffic to be terminated and decrypted within their networks. From a technical standpoint, TFPs can be used by service providers to interrogate network traffic. However, TFP implementations would require that service providers have access to the security certificates used for encrypting the network traffic. We believe that universal access to these certificates can only be enabled if required by regulators.
Although end-to-end encryption is not mandated for HTTP/2, it will be widely adopted for mobile services, with far-reaching implications for service providers and their technology vendors. In particular, encrypted traffic cannot be interrogated using conventional deep packet inspection (DPI) solutions offered by companies like Allot, Citrix and Sandvine. In response, these players and other infrastructure vendors like Cisco, Ericsson, Huawei and Nokia are developing alternative techniques for traffic interrogation, such as:
Conventional content optimization techniques cannot be used for encrypted traffic. As a result, several alternatives have been proposed and in some cases adopted. Notable examples include:
Security appliances that vet traffic are deployed in mobile networks for a variety of purposes, such as parental control. When network traffic is encrypted, the capabilities of these appliances are significantly compromised. For example, when parental control solutions cannot directly interrogate encrypted traffic, they have to rely on the interpretation of IP header information and other heuristics, which are less reliable.
In recent years, researchers have developed and refined homomorphic encryption techniques that essentially enable encrypted content to be interrogated without the need for it to be decrypted first. While these techniques show significant promise for the future and are particularly useful as service and network environments become increasingly virtualized, several challenges need to be overcome before they can be implemented in practice, most notably their computational requirements.
While the migration to HTTP/2 will disrupt mobile ecosystems, we believe that it will create opportunities for technology vendors and act as a catalyst for positive change in the following areas:
In the longer term, we believe that homomorphic encryption techniques show tremendous promise as a potential replacement for other techniques such as TLS/SSL, because they enable the interrogation of encrypted data. This is particularly the case with the proliferation of virtualized application and network environments, which increasingly require the querying and analysis of encrypted data without creating Man-in-the-Middle (MITM) security threats.
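As an added illustration of the property described above (this is not code from the original article), a toy Paillier cryptosystem in Python shows an untrusted analytics node summing encrypted per-flow byte counts without holding the key, while only the key holder can decrypt the aggregate. The primes, byte counts and function names are constructed for the demo and are far too small for real use.

```python
import math
import secrets

# Toy Paillier cryptosystem (additively homomorphic). Added illustration;
# the primes are tiny and constructed for readability, not for real use.
P, Q = 1000003, 1000033


def keygen(p=P, q=Q):
    """Return (public, private) keys; choosing g = n + 1 keeps decryption simple."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                                 # lambda^-1 mod n
    return (n, n + 1), (lam, mu, n)


def encrypt(pub, m):
    """c = g^m * r^n mod n^2 with a fresh random r coprime to n."""
    n, g = pub
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r > 1 and math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(priv, c):
    """m = L(c^lambda mod n^2) * mu mod n, where L(x) = (x - 1) / n."""
    lam, mu, n = priv
    x = pow(c, lam, n * n)
    return ((x - 1) // n) * mu % n


def add_encrypted(pub, ciphertexts):
    """Multiply ciphertexts mod n^2: the product decrypts to the plaintext sum.
    This step needs only the public key, so an untrusted node can run it."""
    n, _ = pub
    total = 1
    for c in ciphertexts:
        total = (total * c) % (n * n)
    return total


def encrypted_byte_total(pub, priv, flow_bytes):
    """Key holder encrypts per-flow byte counts; the aggregate is computed
    without the key; the key holder decrypts only the aggregate."""
    encrypted = [encrypt(pub, b) for b in flow_bytes]   # done by key holder
    aggregate = add_encrypted(pub, encrypted)           # done without the key
    return decrypt(priv, aggregate)
```

Note that the analytics node never sees a single plaintext byte count, only their encrypted sum, and each encryption here costs modular exponentiations with a modulus of n^2, which is the computational cost the text refers to.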
Although operational automation is inevitable and necessary for the success of the mobile industry, it is human rather than technology factors that will determine its rate and manner of adoption. Service providers and technology vendors must pay careful attention to these human factors as they forge a path towards an automated future.