SUPPORTING SECURE SESSIONS IN A CLOUD-BASED PROXY SERVICE

US 20150229481A1
Filed: 04/21/2015
Published: 08/13/2015
Est. Priority Date: 07/28/2011
Status: Active Grant

First Claim

Patent Images

1. A method in a proxy server, comprising:

receiving a first secure session request from a first client device for a secure session, wherein the first secure session request is received at the proxy server as a result of a DNS (Domain Name System) request for a first domain resolving to the proxy server;

participating in a secure session negotiation with the first client device including transmitting a digital certificate to the first client device, wherein the digital certificate is bound to the first domain and a set of one or more other domains;

receiving a first encrypted request from the first client device for an action to be performed on a resource that is hosted at a first origin server corresponding to the first domain;

decrypting the first encrypted request;

participating in a secure session negotiation with the first origin server including receiving a digital certificate from the first origin server;

encrypting the decrypted request using the received digital certificate from the first origin server; and

transmitting the encrypted request to the first origin server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A proxy server in a cloud-based proxy service receives a secure session request from a client device as a result of a Domain Name System (DNS) request for a domain resolving to the proxy server. The proxy server participates in a secure session negotiation with the client device including transmitting a digital certificate to the client device that is bound to domain and multiple other domains. The proxy server receives an encrypted request from the client device for an action to be performed on a resource that is hosted at an origin server corresponding to the domain. The proxy server decrypts the request and participates in a secure session negotiation with the origin server including receiving a digital certificate from the origin server. The proxy server encrypts the decrypted request using the digital certificate from the origin server and transmits the encrypted request to the origin server.

28 Citations

View as Search Results

21 Claims

1. A method in a proxy server, comprising:
- receiving a first secure session request from a first client device for a secure session, wherein the first secure session request is received at the proxy server as a result of a DNS (Domain Name System) request for a first domain resolving to the proxy server;
  
  participating in a secure session negotiation with the first client device including transmitting a digital certificate to the first client device, wherein the digital certificate is bound to the first domain and a set of one or more other domains;
  
  receiving a first encrypted request from the first client device for an action to be performed on a resource that is hosted at a first origin server corresponding to the first domain;
  
  decrypting the first encrypted request;
  
  participating in a secure session negotiation with the first origin server including receiving a digital certificate from the first origin server;
  
  encrypting the decrypted request using the received digital certificate from the first origin server; and
  
  transmitting the encrypted request to the first origin server.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - receiving a second secure session request from a second client device for a secure session, wherein the second request is received at the proxy server as a result of a DNS request for a second domain resolving to the proxy server;
      
      participating in a secure session negotiation with the second client device including transmitting a digital certificate to the second client device that is bound with the second domain and a set of one or more other domains;
      
      receiving a second encrypted request from the second client device for an action to be performed on a resource that is hosted at a second origin server corresponding to the second domain;
      
      decrypting the second encrypted request; and
      
      transmitting the decrypted second request to the second origin server unencrypted.
  - 3. The method of claim 2, wherein the first and second secure session requests do not identify the first and second domains respectively.
  - 4. The method of claim 1, wherein participating in the secure session negotiation with the first origin server includes transmitting a Transport Layer Security (TLS) client hello message that identifies the first domain.
  - 5. The method of claim 1, wherein the domains bound to the digital certificate transmitted to the first client device each share a root domain.
  - 6. The method of claim 1, wherein the domains bound to the digital certificate transmitted to the first client device are each owned or operated by a same domain owner.
  - 7. The method of claim 1, wherein the domains bound to the digital certificate transmitted to the first client device each host content in a same category of content.

8. A non-transitory computer-readable storage medium that provides instructions that, when executed by a processor, causes said processor to perform operations comprising:
- receiving a first secure session request from a first client device for a secure session, wherein the first secure session request is received at the proxy server as a result of a DNS (Domain Name System) request for a first domain resolving to the proxy server;
  
  participating in a secure session negotiation with the first client device including transmitting a digital certificate to the first client device, wherein the digital certificate is bound to the first domain and a set of one or more other domains;
  
  receiving a first encrypted request from the first client device for an action to be performed on a resource that is hosted at a first origin server corresponding to the first domain;
  
  decrypting the first encrypted request;
  
  participating in a secure session negotiation with the first origin server including receiving a digital certificate from the first origin server;
  
  encrypting the decrypted request using the received digital certificate from the first origin server; and
  
  transmitting the encrypted request to the first origin server.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable storage medium of claim 8, further comprising instructions, that when executed by the processor, causes said processor to perform the operations comprising:
    - receiving a second secure session request from a second client device for a secure session, wherein the second request is received at the proxy server as a result of a DNS request for a second domain resolving to the proxy server;
      
      participating in a secure session negotiation with the second client device including transmitting a digital certificate to the second client device that is bound with the second domain and a set of one or more other domains;
      
      receiving a second encrypted request from the second client device for an action to be performed on a resource that is hosted at a second origin server corresponding to the second domain;
      
      decrypting the second encrypted request; and
      
      transmitting the decrypted second request to the second origin server unencrypted.
  - 10. The non-transitory computer-readable storage medium of claim 9, wherein the first and second secure session requests do not identify the first and second domains respectively.
  - 11. The non-transitory computer-readable storage medium of claim 8, wherein participating in the secure session negotiation with the first origin server includes transmitting a Transport Layer Security (TLS) client hello message that identifies the first domain.
  - 12. The non-transitory computer-readable storage medium of claim 8, wherein the domains bound to the digital certificate transmitted to the first client device each share a root domain.
  - 13. The non-transitory computer-readable storage medium of claim 8, wherein the domains bound to the digital certificate transmitted to the first client device are each owned or operated by a same domain owner.
  - 14. The non-transitory computer-readable storage medium of claim 8, wherein the domains bound to the digital certificate transmitted to the first client device each host content in a same category of content.

15. An apparatus, comprising:
- a set of one or more processors;
  
  a set of one or more non-transitory computer-readable storage mediums storing instructions, that when executed by the set of processors, cause the set of processors to perform the following operations;
  
  receiving a first secure session request from a first client device for a secure session, wherein the first secure session request is received at the proxy server as a result of a DNS (Domain Name System) request for a first domain resolving to the proxy server;
  
  participating in a secure session negotiation with the first client device including transmitting a digital certificate to the first client device, wherein the digital certificate is bound to the first domain and a set of one or more other domains;
  
  receiving a first encrypted request from the first client device for an action to be performed on a resource that is hosted at a first origin server corresponding to the first domain;
  
  decrypting the first encrypted request;
  
  participating in a secure session negotiation with the first origin server including receiving a digital certificate from the first origin server;
  
  encrypting the decrypted request using the received digital certificate from the first origin server; and
  
  transmitting the encrypted request to the first origin server.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The apparatus of claim 15, wherein the set of non-transitory computer-readable storage mediums further stores instructions, that when executed by the set of processors, cause the set of processors to perform the following operations:
    - receiving a second secure session request from a second client device for a secure session, wherein the second request is received at the proxy server as a result of a DNS request for a second domain resolving to the proxy server;
      
      participating in a secure session negotiation with the second client device including transmitting a digital certificate to the second client device that is bound with the second domain and a set of one or more other domains;
      
      receiving a second encrypted request from the second client device for an action to be performed on a resource that is hosted at a second origin server corresponding to the second domain;
      
      decrypting the second encrypted request; and
      
      transmitting the decrypted second request to the second origin server unencrypted.
  - 17. The apparatus of claim 16, wherein the first and second secure session requests do not identify the first and second domains respectively.
  - 18. The apparatus of claim 15, wherein participating in the secure session negotiation with the first origin server includes transmitting a Transport Layer Security (TLS) client hello message that identifies the first domain.
  - 19. The apparatus of claim 15, wherein the domains bound to the digital certificate transmitted to the first client device each share a root domain.
  - 20. The apparatus of claim 15, wherein the domains bound to the digital certificate transmitted to the first client device are each owned or operated by a same domain owner.
  - 21. The apparatus of claim 15, wherein the domains bound to the digital certificate transmitted to the first client device each host content in a same category of content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CloudFlare Incorporated
Original Assignee
CloudFlare Incorporated
Inventors
Prince, Matthew Browning, Rao, Srikanth N., Holloway, Lee Hahn, Pye, Ian Gerald

Granted Patent

US 10,237,078 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0464   using hop-by-hop encryption...

H04L 63/0823   using certificates cryptogr...

H04L 63/0884   by delegation of authentica...

H04L 63/1441   Countermeasures against mal...

H04L 63/166   at the transport layer

H04L 67/56   Provisioning of proxy servi...

H04L 9/3268   using certificate validatio...

H04W 76/10   Connection setup

SUPPORTING SECURE SESSIONS IN A CLOUD-BASED PROXY SERVICE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

28 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

SUPPORTING SECURE SESSIONS IN A CLOUD-BASED PROXY SERVICE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links