HTTP and HTTPS
Transcript of HTTP and HTTPS
HTTP
The Hypertext Transfer Protocol (HTTP) is a protocol used mainly to access data on the World Wide Web.
HTTP functions as a combination of FTP and SMTP. It is similar to FTP because it transfers files, but it is simpler: there is no separate control connection, only one TCP connection over which data are transferred. HTTP is like SMTP because the data transferred between server and client look like SMTP messages, with MIME-like headers. Unlike SMTP messages, HTTP messages are not meant to be read by humans; they are read and interpreted by the HTTP server and the HTTP client (browser). SMTP messages are first stored and then forwarded, but HTTP messages are delivered immediately.
The commands from the client to the server are embedded in a request message.
The contents of the requested file or other information are embedded in a response message.
HTTP uses the well-known port 80.
Messages
The format of the request and response messages is similar. A request message consists of a request line, a header, and sometimes a body. A response message consists of a status line, a header, and sometimes a body.
HTTP Transaction
Client --Request--> Server
Client <--Response-- Server
Request and response messages
Request message: request line, headers, blank line, body (present only in some messages)
Response message: status line, headers, blank line, body (present only in some messages)
Request and status lines
Request line: Request type, URL, HTTP version
Status line: HTTP version, Status code, Status phrase
Request fields
Request type: this field is used in the request message. The request type is categorized into methods:
GET: requests a document from the server.
HEAD: requests information about a document (the headers) but not the document itself.
POST: sends some information from the client to the server.
PUT: sends a document from the client to the server, to be stored at the given URL.
DELETE: asks the server to remove the document at the given URL.
TRACE: echoes the incoming request back to the client.
OPTIONS: inquires about the options (methods) available for a resource.
CONNECT: asks a proxy to open a tunnel to the destination server (this is how HTTPS is carried through an HTTP proxy).
URL: the uniform resource locator, e.g. http://www.google.com
Version: the version of HTTP. This transcript describes HTTP/1.1; HTTP/2 and HTTP/3 have since been standardized but keep the same methods, status codes and header semantics.
Response fields
Version: the version of HTTP, as in the request line.
Status code: consists of three digits. The first digit gives the class of the response:
1xx: informational
2xx: successful request
3xx: redirect the client to another URL
4xx: error on the client side
5xx: error on the server side
Status phrase: explains the status code in text form.
Codes fall into five general categories:
100-199: informational; the client should continue or respond with some other action (e.g. 100 Continue).
200-299: the request was successful.
300-399: redirection, used for resources that have moved; the response usually includes a Location header giving the new address.
400-499: an error by the client (e.g. 404 Not Found).
500-599: an error by the server.
Header
The header exchanges additional information between the client and the server.
For example, the client can request that the document be sent in a particular format, or the server can send extra information about the document.
The header consists of one or more header lines. Each header line has a header name, a colon, a space and a header value.
There are four categories of header lines:
a:- general header
b:- request header
c:- response header
d:- entity header.
The request message can contain only general, request and entity headers.
The response message can contain only general, response and entity headers.
Header format
Header name : Header value
General header
The general header gives general information about the message and can be present in both a request and a response.
Cache-Control: specifies information about caching.
Connection: shows whether the connection is to be kept open or closed after this message.
Date: shows the current date and time.
etc.
Request header
The request header can be present only in a request message. It specifies the client's configuration and the client's preferred document format.
Accept: shows the media formats the client can accept.
Host: shows the host name (and port number) of the server the request is addressed to; it is mandatory in HTTP/1.1.
From: shows the e-mail address of the user.
etc.
Response header
The response header can be present only in a response message. It specifies the server's configuration and special information about the request.
Server: shows the server name and version number.
Accept-Ranges: shows whether the server accepts range requests from the client.
Public: shows the list of supported methods (obsolete; it was defined in RFC 2068 and dropped from later HTTP/1.1 specifications, which use Allow instead).
etc.
Entity header
The entity header gives information about the body of the document. It is mostly present in response messages, although it is present in some request messages as well.
Allow: lists the valid methods that can be used with a URL.
Location: specifies the location of the created or moved document.
Expires: gives the date and time after which the content may change.
etc.
Body
The body can be present in a request or response message. Usually it contains the document to be sent or received.
Example: request and response (the sample messages shown on the slide were not captured in the transcript)
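As a worked example of the message layout, request and status lines, status-code classes and header categories described above, here is a small parser and builder for HTTP/1.1 messages. It is an added example and not code from the original slides; the header-category sets are a representative sample chosen for the example, and the sample request and response are constructed, not captured traffic.

```python
"""Parse and build HTTP/1.1 messages laid out as start line, headers, blank line, body."""
from dataclasses import dataclass

# Methods listed in the slides, plus DELETE, which HTTP/1.1 also defines.
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "OPTIONS", "CONNECT"}

# The four header categories as the slides group them. The sets are a representative
# sample chosen for this example, not the full HTTP/1.1 header list.
HEADER_CATEGORIES = {
    "general": {"cache-control", "connection", "date"},
    "request": {"accept", "host", "from", "user-agent"},
    "response": {"server", "accept-ranges"},
    "entity": {"allow", "location", "expires", "content-type", "content-length"},
}
STATUS_CLASSES = {1: "informational", 2: "successful", 3: "redirection",
                  4: "client error", 5: "server error"}


@dataclass
class Message:
    start_line: str
    headers: dict      # names lower-cased: HTTP header names are case-insensitive
    body: bytes


def split_message(raw: bytes) -> Message:
    """Split a raw message at the blank line that ends the header section."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header section not terminated by a blank line")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:                       # "Header-Name: value"
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:              # Content-Length bounds the body
        length = int(headers["content-length"])
        if len(body) < length:
            raise ValueError("body shorter than Content-Length")
        body = body[:length]
    return Message(lines[0], headers, body)


def parse_request(raw: bytes) -> dict:
    """Request line: request type SP URL (request-target) SP HTTP version."""
    msg = split_message(raw)
    parts = msg.start_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {msg.start_line!r}")
    method, target, version = parts
    if method not in METHODS:
        raise ValueError(f"unknown method {method!r}")
    if version == "HTTP/1.1" and "host" not in msg.headers:
        raise ValueError("HTTP/1.1 requests must carry a Host header")
    return {"method": method, "target": target, "version": version,
            "headers": msg.headers, "body": msg.body}


def parse_response(raw: bytes) -> dict:
    """Status line: HTTP version SP three-digit status code SP status phrase."""
    msg = split_message(raw)
    version, _, rest = msg.start_line.partition(" ")
    code_text, _, phrase = rest.partition(" ")
    if not (version.startswith("HTTP/") and len(code_text) == 3 and code_text.isdigit()):
        raise ValueError(f"malformed status line: {msg.start_line!r}")
    code = int(code_text)
    if code // 100 not in STATUS_CLASSES:
        raise ValueError(f"status code {code} is outside the five classes")
    return {"version": version, "code": code, "phrase": phrase,
            "status_class": STATUS_CLASSES[code // 100],
            "headers": msg.headers, "body": msg.body}


def header_category(name: str) -> str:
    """Slide category of a header name, or 'unknown' for one not in the sample sets."""
    key = name.lower()
    return next((cat for cat, names in HEADER_CATEGORIES.items() if key in names), "unknown")


def build_request(method, target, host, body=b"", extra_headers=None) -> bytes:
    """Serialize a request in the same four-part layout; Host is mandatory in HTTP/1.1."""
    if method not in METHODS:
        raise ValueError(f"unknown method {method!r}")
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}"]
    lines += [f"{n}: {v}" for n, v in (extra_headers or {}).items()]
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1") + body


# Constructed sample messages (not captured traffic).
SAMPLE_REQUEST = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Accept: text/html\r\nContent-Length: 10\r\n\r\nuser=alice")
SAMPLE_RESPONSE = (b"HTTP/1.1 301 Moved Permanently\r\nServer: ExampleServer/1.0\r\n"
                   b"Location: https://www.example.com/login\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    req, resp = parse_request(SAMPLE_REQUEST), parse_response(SAMPLE_RESPONSE)
    print(req["method"], req["target"], req["headers"]["host"], req["body"])
    print(resp["code"], resp["phrase"], resp["status_class"], resp["headers"]["location"])
    print({h: header_category(h) for h in ("Date", "Host", "Server", "Allow", "X-Custom")})
```

The parser is strict on purpose: a request line without exactly three parts, an unknown method, a header line without a colon, an HTTP/1.1 request without Host, or a body shorter than its declared Content-Length is rejected rather than guessed at, which is the behaviour you want from anything that sits in front of an application.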
HTTPS
Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol (HTTP) with the SSL/TLS protocol.
It provides encrypted communication to prevent eavesdropping and to securely identify the web server with which you are actually communicating.
Historically, HTTPS connections were used primarily for payment transactions on the World Wide Web, for e-mail, and for sensitive transactions in corporate information systems.
In the late 2000s and early 2010s, HTTPS began to see widespread use for protecting page authenticity on all types of websites, securing accounts, and keeping user communications, identity and browsing history private.
While connecting to a website, HTTPS makes it possible to know whether you are talking to the right server, and it protects against passive attacks (eavesdropping) and active attacks such as man-in-the-middle, provided the client verifies the server's certificate.
How it works
When a client sends an HTTPS request, the entire request is encrypted, including the URL. However, the host name and port are still visible to an eavesdropper: the server's IP address and port are in the TCP/IP headers, and the host name is sent in clear in the TLS handshake (the Server Name Indication extension of the ClientHello) and usually in the DNS lookup that precedes the connection.
This means that an eavesdropper can see which sites you connect to, how long you spend using a site, and roughly how much data you upload to or download from that site.
However, the HTTP request itself, including the URL path and query parameters, can only be decrypted by the destination site or by an intermediary that terminates the TLS connection on behalf of the site (for example a CDN or a corporate TLS-inspection proxy).
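To make the difference concrete, here is an added example (not part of the original slides) that shows what an on-path eavesdropper learns from the first client packet of a connection: for plaintext HTTP on port 80 the full request line and Host header are readable, while for HTTPS on port 443 only the host name leaks, via the SNI extension of the TLS ClientHello, and the path stays hidden inside the encrypted stream. The ClientHello is constructed by the example itself and deliberately minimal (one cipher suite, two extensions); the plaintext request and host name are constructed sample data. Where TLS 1.3 Encrypted Client Hello is deployed the SNI is encrypted too, which this page predates.

```python
"""What an on-path eavesdropper learns from HTTP vs HTTPS traffic."""
import re
import struct

TLS_HANDSHAKE, CLIENT_HELLO, EXT_SERVER_NAME, NAME_TYPE_HOST = 0x16, 0x01, 0x0000, 0x00


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal ClientHello record carrying an SNI extension.
    Constructed sample input for this example, not a capture of a real browser."""
    name = hostname.encode("ascii")
    entry = bytes([NAME_TYPE_HOST]) + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext_sni = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    ext_versions = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"  # supported_versions: TLS 1.3
    exts = ext_versions + ext_sni
    body = (b"\x03\x03" + bytes(32)                       # legacy_version, random
            + b"\x00"                                      # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"           # one cipher suite
            + b"\x01\x00"                                  # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host name from a ClientHello's server_name extension, or None."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        body_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + body_len]
        if len(body) < body_len:
            return None                                    # truncated record
        pos = 2 + 32                                       # skip version and random
        pos += 1 + body[pos]                               # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                               # compression_methods
        if pos + 2 > len(body):
            return None                                    # no extensions at all
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(ext_end, len(body)):          # walk type/length/data extensions
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype != EXT_SERVER_NAME:
                continue
            q, list_end = 2, 2 + struct.unpack("!H", data[:2])[0]
            while q + 3 <= min(list_end, len(data)):       # server_name_list entries
                ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                if ntype == NAME_TYPE_HOST:
                    return data[q + 3:q + 3 + nlen].decode("ascii", "replace")
                q += 3 + nlen
        return None
    except (IndexError, struct.error):
        return None                                        # malformed or too short


def eavesdropper_view(port: int, first_packet: bytes) -> dict:
    """Metadata an eavesdropper gets from the first client packet on a connection."""
    view = {"port": port, "bytes_seen": len(first_packet), "host": None, "path": None}
    if port == 80:                                         # plaintext HTTP: everything is visible
        request_line = first_packet.split(b"\r\n", 1)[0].decode("iso-8859-1", "replace")
        parts = request_line.split(" ")
        if len(parts) == 3:
            view["path"] = parts[1]
        m = re.search(rb"(?im)^host:[ \t]*([^\r\n]+)", first_packet)
        if m:
            view["host"] = m.group(1).decode("iso-8859-1").strip()
    elif port == 443:                                      # HTTPS: only the SNI leaks the host
        view["host"] = extract_sni(first_packet)           # path stays None: it is encrypted
    return view


# Constructed sample packets (not captured traffic).
PLAINTEXT_REQUEST = (b"GET /account/settings?user=42 HTTP/1.1\r\n"
                     b"Host: www.example.com\r\n\r\n")
TLS_CLIENT_HELLO = build_client_hello("www.example.com")

if __name__ == "__main__":
    print(eavesdropper_view(80, PLAINTEXT_REQUEST))
    print(eavesdropper_view(443, TLS_CLIENT_HELLO))
```

The same SNI walk is what network monitoring tools use to attribute TLS flows to host names without decrypting anything, which is why "HTTPS hides where you go" is only true for the path and query, not for the site.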
Browser integration
Most browsers display a warning if they receive an invalid certificate. Older browsers, when connecting to a site with an invalid certificate, would present the user with a dialog box asking if they wanted to continue. Newer browsers display a warning across the entire window.
Difference from HTTP
HTTPS URLs begin with "https://" and use port 443 by default, whereas HTTP URLs begin with "http://" and use port 80 by default.
Conclusion
HTTP is insecure and is subject to man-in-the-middle and eavesdropping attacks, which can let attackers gain access to website accounts and sensitive information. HTTPS is designed to withstand such attacks and is considered secure against them, provided the client actually verifies the server's certificate and a current TLS version is used (older, deprecated SSL versions are not secure).
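The two provisos in the conclusion, and the certificate warnings described under browser integration, come down to client configuration. Here is an added example (not from the original slides) using Python's standard ssl module: a hardened client context beside the weak "make the certificate warning go away" context that scripts often end up with, plus an audit function that reports what makes a context vulnerable to a man-in-the-middle. The function names are this example's own.

```python
"""A hardened TLS client context beside the weak one, and an audit of either."""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Verify the server certificate chain and host name; refuse pre-1.2 protocols."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED, check_hostname=True, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The 'make the certificate warning go away' configuration found in scripts.
    With verification off, an on-path attacker can present any certificate at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED   # accept deprecated SSL/TLS versions
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the findings that would let a man-in-the-middle succeed against this context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("host name not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("deprecated protocol versions below TLS 1.2 are accepted")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()), ("weak", weak_client_context())):
        print(label, audit_context(ctx) or ["no findings"])
```

A browser's full-window warning is the interactive equivalent of the first two findings; a script that silences them with CERT_NONE gets the encryption of HTTPS but none of the server identification, which is exactly the property that defeats a man-in-the-middle.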