1. Patent Search
  2. Details

System and method for enabling secure web access

20230122746 · 2023-04-20

    Inventors

    Cpc classification

    International classification

    Abstract

    The present invention relates to networking technologies, specifically the disclosed invention enables clients or customers to anonymously access web using a privately held web device. Generally, web client identity hiding has multiple commercial usages in internet community such as protecting computer privacy, facilitating web scrapping activities and allowing geo-blocking bypass. The object of the present invention is to hide web identity that further requires hiding of a web client IP address. IP address used to uniquely identify a web client. The present invention addresses some of the problems of hiding internet (IP) identity by enabling hiding of identity using approach that is an alternative to a Virtual Private Network (VPN) method. Specifically, the disclosed invention provides a web service, that hides internet (IP) identity and geo location of a web client or customer from an operator/owner of a website.

    Claims

    1. A method of enabling secure web access, wherein the method comprising steps of: customer sending a standard HTTP/S connect request defined by W3C committee that contains domain/IP address of destinated WEB service (Host HTTP header) and customer name (Proxy-Authorization HTTP header); receiving the HTTP/S request at the service that use HTTP to AMQP converter do obtain the customer identification and converting it using one-function to hide a true identity of an originator; translating the data using the AMQP converter in Proxy Authorization HTTP header to a AMQP queue destination wherein the customer ID can also include a desired geo of a middle and if provided, the queue name adjusted to include geo code and the HTTP payload is converted to AMQP message payload; adding domain information in Host HTTP header to AMQP message metadata and sending together with an AMQP payload 204, sending the AMQP message using the convertor to AMQP broker and message arrives the AMQP broker that matches the routing queue with the queue name routing the message to a queue correspondingly; and queuing one of the AMQP subscribers that are running in a middle device, pulling the message from a queue, obtaining from a metadata the domain/IP of a destination web server and AMQP message payload wherein the pulling of a client arranged in a round robin, so every time message reaches a least one used consumer of a queue.

    2. The method of claim 1, wherein AMQP is specifically used to disconnect between HTTP customers and HTTP servers wherein the said AMQP protocol addressing is not based in IP identity and it implements a different addressing system, and it is not possible to infer the IP identity of a sender from address used in AMQP protocol since AMQP implements scheme of producers/consumers vs peer to peer association implemented in HTTP.

    3. The method of claim 1, wherein using one-way hash function by a HTTP to AMQP converter (HTTP2AMQPC) to produce AMQP token from a customer identity embedded in HTTP Proxy-Authorization header and the AMQP token is used as a name of an AMQP message queue to where, the HTTP2AMQPC sends a HTTP request payload converted to an AMQP message and the one-way crypto function hides the real identity of a customer and cannot be reversed later to learn the identity of a customer.

    4. The method of claim 1, wherein the said messages are exchanged between a network of customers and a network of middles through AMQP message brokers and in result it disconnects the message originator (an HTTP client) to a middle (an AMQP subscriber) by means of a protocol change.

    5. The method of claim 1, wherein using AMQP direct routing to round robin messages between subscribers of a queue, allowing customer to hide their identity behind numerous middles each implementing a role of an AMQP consumer.

    6. The method of claim 1, wherein using a combination of an AMQP token and a geo position of the middle device, wherein the said middle device in some geo region subscribes to the queue that corresponds to their location and sending request to a queue that includes a country code makes the message reach middle devices located in a corresponding country impersonating customer location.

    7. The method of claim 1, wherein redunding the need for a HTTP client in a middle, by employing AMQP metadata that arrives with a message to convey a domain/IP of a targeted web server, wherein the said middle then resolves DNS to IP address and opens a TCP connection to web server using the said IP.

    8. A system for enabling secure web access comprising: a network of customers or clients; at least one HTTP server; an AMQP; a network of middle devices; and at least one web server.

    9. The system of claim 8, wherein the said system is configured to: enable customer to send a standard HTTP/S connect request defined by W3C committee that contains domain/IP address of destinated WEB service (Host HTTP header) and customer name (Proxy-Authorization HTTP header); receive the HTTP/S request at the service that use HTTP to AMQP converter do obtain the customer identification and converting it using one-function to hide a true identity of an originator; translate the data using the AMQP converter in Proxy Authorization HTTP header to a AMQP queue destination wherein the customer ID can also include a desired geo of a middle and if provided, the queue name adjusted to include geo code and the HTTP payload is converted to AMQP message payload; add domain information in Host HTTP header to AMQP message metadata and sending together with an AMQP payload 204, sending the AMQP message using the convertor to AMQP broker and message arrives the AMQP broker that matches the routing queue with the queue name routing the message to a queue correspondingly; and que one of the AMQP subscribers that are running in a middle device, pulling the message from a queue, obtaining from a metadata the domain/IP of a destination web server and AMQP message payload wherein the pulling of a client arranged in a round robin, so every time message reaches a least one used consumer of a queue.

    10. The system of claim 8, wherein AMQP is specifically used to disconnect between HTTP customers and HTTP servers wherein the said AMQP protocol addressing is not based in IP identity and it implements a different addressing system, and it is not possible to infer the IP identity of a sender from address used in AMQP protocol since AMQP implements scheme of producers/consumers vs peer to peer association implemented in HTTP.

    11. The system of claim 8, wherein using one-way hash function by a HTTP to AMQP converter (HTTP2AMQPC) to produce AMQP token from a customer identity embedded in HTTP Proxy-Authorization header and the AMQP token is used as a name of an AMQP message queue to where, the HTTP2AMQPC sends a HTTP request payload converted to an AMQP message and the one-way crypto function hides the real identity of a customer and cannot be reversed later to learn the identity of a customer.

    12. The system of claim 8, wherein the said messages are exchanged between a network of customers and a network of middles through AMQP message brokers and in result it disconnects the message originator (an HTTP client) to a middle (an AMQP subscriber) by means of a protocol change.

    13. The system of claim 8, wherein using AMQP direct routing to round robin messages between subscribers of a queue, allowing customer to hide their identity behind numerous middles each implementing a role of an AMQP consumer.

    14. The system of claim 8, wherein using a combination of an AMQP token and a geo position of the middle device, wherein the said middle device in some geo region subscribes to the queue that corresponds to their location and sending request to a queue that includes a country code makes the message reach middle devices located in a corresponding country impersonating customer location.

    15. A computer-readable storage device having computer-executable instructions stored thereon that, if executed by a computing device, cause the computing device to perform a method comprising steps of: customer sending a standard HTTP/S connect request defined by W3C committee that contains domain/IP address of destinated WEB service (Host HTTP header) and customer name (Proxy-Authorization HTTP header); receiving the HTTP/S request at the service that use HTTP to AMQP converter do obtain the customer identification and converting it using one-function to hide a true identity of an originator; translating the data using the AMQP converter in Proxy Authorization HTTP header to a AMQP queue destination wherein the customer ID can also include a desired geo of a middle and if provided, the queue name adjusted to include geo code and the HTTP payload is converted to AMQP message payload; adding domain information in Host HTTP header to AMQP message metadata and sending together with an AMQP payload 204, sending the AMQP message using the convertor to AMQP broker and message arrives the AMQP broker that matches the routing queue with the queue name routing the message to a queue correspondingly; and queuing one of the AMQP subscribers that are running in a middle device, pulling the message from a queue, obtaining from a metadata the domain/IP of a destination web server and AMQP message payload wherein the pulling of a client arranged in a round robin, so every time message reaches a least one used consumer of a queue.

    16. The device of claim 15, wherein AMQP is specifically used to disconnect between HTTP customers and HTTP servers wherein the said AMQP protocol addressing is not based in IP identity and it implements a different addressing system, and it is not possible to infer the IP identity of a sender from address used in AMQP protocol since AMQP implements scheme of producers/consumers vs peer to peer association implemented in HTTP.

    17. The device of claim 15, wherein using one-way hash function by a HTTP to AMQP converter (HTTP2AMQPC) to produce AMQP token from a customer identity embedded in HTTP Proxy-Authorization header and the AMQP token is used as a name of an AMQP message queue to where, the HTTP2AMQPC sends a HTTP request payload converted to an AMQP message and the one-way crypto function hides the real identity of a customer and cannot be reversed later to learn the identity of a customer.

    18. The device of claim 15, wherein the said messages are exchanged between a network of customers and a network of middles through AMQP message brokers and in result it disconnects the message originator (an HTTP client) to a middle (an AMQP subscriber) by means of a protocol change.

    19. The device of claim 15, wherein using AMQP direct routing to round robin messages between subscribers of a queue, allowing customer to hide their identity behind numerous middles each implementing a role of an AMQP consumer.

    20. The device of claim 15, wherein using a combination of an AMQP token and a geo position of the middle device, wherein the said middle device in some geo region subscribes to the queue that corresponds to their location and sending request to a queue that includes a country code makes the message reach middle devices located in a corresponding country impersonating customer location.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0022] The prior and other objects of this invention, the various features thereof, as well as the invention itself, may be more fully understood from the following description, when read together with the accompanying drawings in which:

    [0023] FIG. 1 diagrammatically visualizes the elements of the system for enabling secure web access.

    [0024] FIG. 2 provides flow diagram describing different steps involved in a method for enabling secure web access.

    DETAILED DESCRIPTION OF THE INVENTION

    [0025] The following detailed description references the accompanying drawings that illustrate specific embodiments in which the invention can be practiced. The embodiments are intended to describe aspects of the invention in sufficient detail to enable those skilled in the art to practice the invention. Other embodiments can be utilized and changes can be made without departing from the scope of the invention. The following detailed description is, therefore, not to be taken in a limiting sense. The scope of the invention is defined only by the appended claims, along with the full scope of equivalents to which such claims are entitled.

    [0026] In this description, references to “one embodiment,” “an embodiment,” or “embodiments” mean that the feature or features being referred to are included in at least one embodiment of the technology. Separate references to “one embodiment,” “an embodiment,” or “embodiments” in this description do not necessarily refer to the same embodiment and are also not mutually exclusive unless so stated and/or except as will be readily apparent to those skilled in the art from the description. For example, a feature, structure, act, etc. described in one embodiment may also be included in other embodiments, but is not necessarily included. Thus, embodiments of the invention can include a variety of combinations and/or integrations of the embodiments described herein.

    [0027] Turning to the figures and specifically FIG. 1, one embodiment of the present invention discloses a system for enabling secure web access, wherein the system comprising a network of customers or clients, at least one HTTP server, an AMQP, a network of middle devices and at least one web server. Now referring to FIG. 2 that provides flow diagram describing the method of enabling secure web access, wherein the method comprises steps of customer sending a standard HTTP/S connect request defined by W3C committee that contains domain/IP address of destinated WEB service (Host HTTP header) and customer name (Proxy-Authorization HTTP header) 201, receiving the HTTP/S request at the service that use HTTP to AMQP converter do obtain the customer identification and converting it using one-function to hide a true identity of an originator 202, translating the data using the AMQP converter in Proxy Authorization HTTP header to a AMQP queue destination wherein the customer ID can also include a desired geo of a middle and if provided, the queue name adjusted to include geo code and the HTTP payload is converted to AMQP message payload 203, adding domain information in Host HTTP header to AMQP message metadata and sending together with an AMQP payload 204, sending the AMQP message using the convertor to AMQP broker and message arrives the AMQP broker that matches the routing queue with the queue name routing the message to a queue correspondingly 205, and queuing one of the AMQP subscribers that are running in a middle device, pulling the message from a queue, obtaining from a metadata the domain/IP of a destination WEB server and AMQP message payload wherein the pulling of a client arranged in a round robin, so every time message reaches a least one used consumer of a queue 206.

    [0028] In another embodiment of the present invention, a computer-readable storage device having computer-executable instructions stored thereon that, if executed by a computing device, cause the computing device to perform a method comprising steps of: customer sending a standard HTTP/S connect request defined by W3C committee that contains domain/IP address of destinated WEB service (Host HTTP header) and customer name (Proxy-Authorization HTTP header); receiving the HTTP/S request at the service that use HTTP to AMQP converter do obtain the customer identification and converting it using one-function to hide a true identity of an originator; translating the data using the AMQP converter in Proxy Authorization HTTP header to a AMQP queue destination wherein the customer ID can also include a desired geo of a middle and if provided, the queue name adjusted to include geo code and the HTTP payload is converted to AMQP message payload; adding domain information in Host HTTP header to AMQP message metadata and sending together with an AMQP payload 204, sending the AMQP message using the convertor to AMQP broker and message arrives the AMQP broker that matches the routing queue with the queue name routing the message to a queue correspondingly; and queuing one of the AMQP subscribers that are running in a middle device, pulling the message from a queue, obtaining from a metadata the domain/IP of a destination web server and AMQP message payload wherein the pulling of a client arranged in a round robin, so every time message reaches a least one used consumer of a queue.

    [0029] In the same embodiment of the present invention, use of an Advanced Message Queuing Protocol (e.g., AMQP) to disconnect between HTTP customers and HTTP servers is disclosed. The AMQP protocol addressing is not based in IP identity and it implements a different addressing system. It is not possible to infer the IP identity of a sender from address used in AMQP protocol since AMQP implements scheme of producers/consumers vs peer to peer association implemented in HTTP.

    [0030] In the same embodiment of the present invention, using one-way hash function by a HTTP to AMQP converter (aka HTTP2AMQPC) to produce AMQP token from a customer identity embedded in HTTP Proxy-Authorization header is disclosed. The AMQP token is used as a name of an AMQP message queue to where, the HTTP2AMQPC sends a HTTP request payload converted to an AMQP message. The one-way crypto function hides the real identity of a customer and cannot be reversed later to learn the identity of a customer

    [0031] In the same embodiment of the present invention, messages are exchanged between a network of customers and a network of middles through AMQP message brokers. In result it disconnects the message originator (an HTTP client) to a middle (an AMQP subscriber) by means of a protocol change

    [0032] In the same embodiment of the present invention, using AMQP direct routing to round robin messages between subscribers of a queue, allowing customer hide its identity behind numerous middles each implementing a role of an AMQP consumer

    [0033] In the same embodiment of the present invention, using a combination of an AMQP token and a geo position of a middle is disclosed. A middle device in some geo region subscribes to the queue that corresponds to their location. For example, to name a queue, use combination of name and country code. Sending request to a queue that includes a country code makes the message reach middles located in a corresponding country impersonating customer location.

    [0034] In the same embodiment of the present invention, redunding the need for a HTTP client in a middle device is provided, by employing AMQP metadata that arrives with a message to convey a domain/IP of a targeted web server. A middle device then resolves DNS to IP address and opens a TCP connection to web server using this IP.

    [0035] The methods disclosed herein may be implemented as a computer program product, i.e., a computer program tangibly embodied in an information carrier, e.g., in a machine readable storage device or in a propagated signal, for execution by, or to control the operation of, data processing apparatus, e.g., a programmable processor, a computer, or multiple computers. A computer program can be written in any form of programming language, including compiled or interpreted languages, and it can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment. A computer program can be deployed to be executed on one computer or on multiple computers at one site or distributed across multiple sites and interconnected by a communication network.

    [0036] The present invention is described above with reference to a preferred embodiment. However, those skilled in the art will recognize that changes and modifications may be made in the described embodiment without departing from the nature and scope of the present invention. To the extent that such modifications and variations do not depart from the spirit of the invention, they are intended to be included within the scope thereof.