IE 5.x SSL Through Proxy Server Issue

From: Joe Goldstein (Joe.Goldstein@CLAIMIQ.COM)
Date: 03/28/02

Date:         Thu, 28 Mar 2002 08:37:26 -0800
From: Joe Goldstein <Joe.Goldstein@CLAIMIQ.COM>


While not exactly a security bug, there is a little-known issue with MS IE5.x
that prevents the browser from properly maintaining SSL connections through
a proxy server. This will usually result in increased page load and
response time to your end users.


The support for SSL through a proxy server was never implemented in the IE
5.x product line. The crux of the problem is how WININET.DLL handles (or
does not, as it turns out) keep-alives with a proxy server while
communicating over SSL. When downloading a page from a web server, IE5.x
creates a new connection for each object that is being requested instead of
reusing a connection that has already been established (this is the
keep-alive function). After IE5.x finishes receiving the object, it
immediately kills the TCP/IP connection. If there is another object to load
from the web server, it creates a new connection. This carries through for
the entire loading of the web page. This introduces a lot of unnecessary
overhead for each object on the page being loaded, including SSL
verification and negotiation. While this may not be very noticeable for
small pages, this problem becomes more obvious with large pages, especially
pages with many objects. This flaw (or non-feature) can actually increase
page load and response times 2x-3x or more. As an example, we have some
pages that are 150k-200k. When these pages were loaded with SSL and no proxy
server, we saw performance at the client browser of 4-6 seconds. When these
same pages were loaded from the same client, but with SSL requests
configured to use the proxy server, the performance times went to 12-19

A side effect of this issue will be noticeable on your IIS (and possibly
other) web servers. Since each connection from the browser is not
terminated correctly, the web server will show multiple resets to the proxy
server. There will be a one-to-one relationship between the number of connection
requests from the browser client and the number of resets on the web server.
Though this is not really a major issue, it could create confusion when
doing troubleshooting on your web server.

This issue has an impact on any IE5.x browser using SSL through almost any
proxy server. The only time this issue is not present is when the browser
is using a 'transparent proxy'. When using a transparent proxy, the browser
is not aware that it is passing through a proxy server to reach the
internet. An example of a transparent proxy server would be Microsoft's ISA
server with each end user's PC running the ISA Firewall Client. In this
instance, since the ISA Firewall Client is handling the connection to the
proxy server, the browser is fooled into thinking it is not using a proxy
server, therefore it is able to utilize SSL with no performance penalty.


Microsoft has been aware of this problem for quite some time, but has just
recently published article Q320037 on the issue. The Microsoft official fix
for this problem is to upgrade to IE6.


Joe Goldstein
Director Technology Operations, ClaimIQ
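
One way to confirm the connection-per-object pattern described in the post from the proxy side, as an added example that is not part of the original post. It assumes the proxy writes Squid-style native access log lines with one CONNECT entry per SSL tunnel; the sample log, addresses, window and threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample, Squid native access.log layout (assumed proxy format):
# time elapsed_ms client result/status bytes method target user peer type
SAMPLE_LOG = """\
1017333446.100 310 10.0.0.5 TCP_MISS/200 4210 CONNECT www.example.com:443 - DIRECT/192.0.2.10 -
1017333446.450 295 10.0.0.5 TCP_MISS/200 3980 CONNECT www.example.com:443 - DIRECT/192.0.2.10 -
1017333446.800 320 10.0.0.5 TCP_MISS/200 5102 CONNECT www.example.com:443 - DIRECT/192.0.2.10 -
1017333447.150 301 10.0.0.5 TCP_MISS/200 2250 CONNECT www.example.com:443 - DIRECT/192.0.2.10 -
1017333447.500 315 10.0.0.5 TCP_MISS/200 6120 CONNECT www.example.com:443 - DIRECT/192.0.2.10 -
1017333447.850 298 10.0.0.5 TCP_MISS/200 3317 CONNECT www.example.com:443 - DIRECT/192.0.2.10 -
1017333448.200 305 10.0.0.5 TCP_MISS/200 4875 CONNECT www.example.com:443 - DIRECT/192.0.2.10 -
1017333448.550 312 10.0.0.5 TCP_MISS/200 2990 CONNECT www.example.com:443 - DIRECT/192.0.2.10 -
1017333447.000 5200 10.0.0.9 TCP_MISS/200 182344 CONNECT www.example.com:443 - DIRECT/192.0.2.10 -
1017333447.300 4900 10.0.0.9 TCP_MISS/200 20480 CONNECT www.example.com:443 - DIRECT/192.0.2.10 -
1017333448.000 120 10.0.0.9 TCP_MISS/200 5120 GET http://www.example.com/logo.gif - DIRECT/192.0.2.10 image/gif
"""

def parse_connects(log_text):
    """Yield (timestamp, client, target) for each CONNECT (SSL tunnel) line."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "CONNECT":
            continue  # plain HTTP requests and short lines are not tunnels
        try:
            yield float(fields[0]), fields[2], fields[6]
        except ValueError:
            continue  # malformed timestamp

def peak_tunnels(log_text, window=10.0):
    """Map (client, target) to the most tunnels opened in any `window` seconds."""
    times = defaultdict(list)
    for ts, client, target in parse_connects(log_text):
        times[(client, target)].append(ts)
    peaks = {}
    for key, stamps in times.items():
        stamps.sort()
        best = start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1  # slide the window's left edge forward
            best = max(best, end - start + 1)
        peaks[key] = best
    return peaks

def flag_no_reuse(log_text, threshold=6, window=10.0):
    """Clients whose tunnel bursts suggest one connection per page object."""
    peaks = peak_tunnels(log_text, window)
    return sorted(key for key, n in peaks.items() if n >= threshold)

if __name__ == "__main__":
    print(flag_no_reuse(SAMPLE_LOG))
```

A client that reuses its tunnels shows a handful of long-lived CONNECT entries per page; the threshold should be tuned against what such clients produce on the same proxy.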
