IE 5.x SSL Through Proxy Server Issue

From: Joe Goldstein (Joe.Goldstein@CLAIMIQ.COM)
Date: 03/28/02

Date:         Thu, 28 Mar 2002 08:37:26 -0800
From: Joe Goldstein <Joe.Goldstein@CLAIMIQ.COM>


While not exactly a security bug, there is a little-known issue with MS IE5.x
that prevents the browser from properly maintaining SSL connections through
a proxy server. This will usually result in increased page load and
response time for your end users.


The support for SSL through a proxy server was never implemented in the IE
5.x product line. The crux of the problem is how WININET.DLL handles (or
does not, as it turns out) keep-alives with a proxy server while
communicating over SSL. When downloading a page from a web server, IE5.x
creates a new connection for each object that is being requested instead of
reusing a connection that has already been established (this is the
keep-alive function). After IE5.x finishes receiving the object, it
immediately kills the TCP/IP connection. If there is another object to load
from the web server, it creates a new connection. This carries through for
the entire loading of the web page. This introduces a lot of unnecessary
overhead for each object on the page being loaded, including SSL
verification and negotiation. While this may not be very noticeable for
small pages, this problem becomes more obvious with large pages, especially
pages with many objects. This flaw (or non-feature) can actually increase
page load and response times 2x-3x or more. As an example, we have some
pages that are 150k-200k. When these pages were loaded with SSL and no proxy
server, we saw performance at the client browser of 4-6 seconds. When these
same pages were loaded from the same client, but with SSL requests
configured to use the proxy server, the performance times went to 12-19

A side effect of this issue will be noticeable on your IIS (and possibly
other) web servers. Since each connection from the browser is not
terminated correctly, the web server will show multiple resets to the proxy
server. There will be a one to one relationship for number of connection
requests from the browser client to the number of resets on the web server.
Though this is not really a major issue, it could create confusion when
doing troubleshooting on your web server.

This issue has an impact on any IE5.x browser using SSL through almost any
proxy server. The only time this issue is not present is when the browser
is using a 'transparent proxy'. When using a transparent proxy, the browser
is not aware that it is passing through a proxy server to reach the
internet. An example of a transparent proxy server would be Microsoft's ISA
server with each end user's PC running the ISA Firewall Client. In this
instance, since the ISA Firewall Client is handling the connection to the
proxy server, the browser is fooled into thinking it is not using a proxy
server, and it is therefore able to utilize SSL with no performance penalty.


Microsoft has been aware of this problem for quite some time, but has just
recently published article Q320037 on the issue. The Microsoft official fix
for this problem is to upgrade to IE6.


Joe Goldstein
Director Technology Operations, ClaimIQ
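The one-connection-per-object and one-reset-per-request symptoms described in the post can be checked for in a web server's connection records. The following is an added example (not from the original post or from Microsoft); the log layout, the peer addresses and the minimum-request threshold are assumptions made up for the demonstration.

```python
from collections import defaultdict

# Constructed sample of a server-side connection log. The format is an
# assumption, not a real IIS log layout:
#   <time> <peer> <conn_id> <request_path> <close_reason>
# One line per HTTP request; conn_id names the TCP connection it arrived on
# and close_reason records how that connection was eventually torn down.
# 10.1.1.20 behaves like the proxy fronting an IE5.x client (new connection
# per object, each ended by a reset); 10.1.1.31 reuses one keep-alive connection.
SAMPLE_LOG = """\
08:37:01 10.1.1.20 c101 /index.asp RST
08:37:01 10.1.1.20 c102 /style.css RST
08:37:02 10.1.1.20 c103 /logo.gif RST
08:37:02 10.1.1.20 c104 /menu.js RST
08:37:03 10.1.1.20 c105 /footer.gif RST
08:37:05 10.1.1.31 c201 /index.asp FIN
08:37:05 10.1.1.31 c201 /style.css FIN
08:37:06 10.1.1.31 c201 /logo.gif FIN
08:37:06 10.1.1.31 c201 /menu.js FIN
08:37:07 10.1.1.31 c201 /footer.gif FIN
"""

def parse_log(text):
    """Yield (peer, conn_id, path, close_reason); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _time, peer, conn_id, path, reason = parts
        yield peer, conn_id, path, reason

def connection_stats(text, min_requests=3):
    """Per peer: request count, distinct connections, reset-closed connections,
    and whether the peer shows the no-keep-alive pattern (exactly one request
    per connection and every connection ended by a reset)."""
    requests = defaultdict(int)
    conns = defaultdict(dict)  # peer -> conn_id -> last seen close reason
    for peer, conn_id, _path, reason in parse_log(text):
        requests[peer] += 1
        conns[peer][conn_id] = reason
    report = {}
    for peer, n_req in requests.items():
        n_conn = len(conns[peer])
        n_rst = sum(1 for r in conns[peer].values() if r == "RST")
        report[peer] = {
            "requests": n_req,
            "connections": n_conn,
            "resets": n_rst,
            "requests_per_connection": round(n_req / n_conn, 2),
            "no_keepalive_pattern": n_req >= min_requests and n_conn == n_req and n_rst == n_conn,
        }
    return report

if __name__ == "__main__":
    for peer, stats in connection_stats(SAMPLE_LOG).items():
        print(peer, stats)
```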

