Wednesday, 24 April 2013

HTTP and HTTPS





In this short article I will talk a little bit about the HTTP and HTTPS protocols. HTTP stands for Hypertext Transfer Protocol and basically every web request (typing a site's URL in a browser such as Internet Explorer) is done using this protocol. HTTP uses the client-server model in which a client requests something from the server and the server responds with the desired request. You can visualize this protocol as a collection of hyperlinks interconnected. You can learn a lot of things about the functionality of the client-server model by reading my networking fundamentals articles. HTTP uses port 80, if you request a a web content on a different port other than 80, your request will not be routed throughout the Internet. Have you ever seen that even if you type for example ittrainingday.com, your request is automatically redirected to http://ittrainingday.com ? (any request by default is an HTTP request). When you specify a HTTPS request, by default, the port used is 443. We will talk in a second about the main differences between these two protocols. The requests that HTTP can fulfill are the following (taken from Wikipedia http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol):


"GET
Requests a representation of the specified resource. Requests using GET should only retrieve data and should have no other effect. (This is also true of some other HTTP methods.)[1] The W3C has published guidance principles on this distinction, saying, "Web application design should be informed by the above principles, but also by the relevant limitations." See safe methods below.
HEAD
Asks for the response identical to the one that would correspond to a GET request, but without the response body. This is useful for retrieving meta-information written in response headers, without having to transport the entire content.
POST 
Requests that the server accept the entity enclosed in the request as a new subordinate of the web resource identified by the URI. The data POSTed might be, as examples, an annotation for existing resources; a message for a bulletin board, newsgroup, mailing list, or comment thread; a block of data that is the result of submitting a web form to a data-handling process; or an item to add to a database.
PUT
Requests that the enclosed entity be stored under the supplied URI. If the URI refers to an already existing resource, it is modified; if the URI does not point to an existing resource, then the server can create the resource with that URI.
DELETE
Deletes the specified resource.
TRACE
Echoes back the received request so that a client can see what (if any) changes or additions have been made by intermediate servers.
OPTIONS
Returns the HTTP methods that the server supports for specified URL. This can be used to check the functionality of a web server by requesting '*' instead of a specific resource.
CONNECT
Converts the request connection to a transparent TCP/IP tunnel, usually to facilitate SSL-encrypted communication (HTTPS) through an unencrypted HTTP proxy.
PATCH
Is used to apply partial modifications to a resource.
HTTP servers are required to implement at least the GET and HEAD methods and, whenever possible, also the OPTIONS method.
   How a browser is requesting a webpage is a different topic, but if you are really interested, you can check out my IIS tutorials in which I've described how web servers work (at least Microsoft's web-hosting service or IIS). If you've read my networking articles you already know the TCP/IP and the OSI models and how everything is layered. HTTP is a layer 7 concept (Application layer). This protocol is responsible for displaying information so that it can be interpreted by the user.
   HTTPS stands for Hypertext Transfer Protocol Secure, is a concept that uses HTTP and SSL when sending and receiving data. By adding the SSL protocol, HTTPS ensures that information sent between the client and the server is not intercepted. SSL or Secure Sockets Layer is a protocol used to encrypt information sent over the public Internet. I will not talk much about this protocol, you will have to know that it provides three main features: authentication, integrity and confidentiality. Authentication is made using asymmetric cryptography with a public and a private key (these keys are exchanged between the client and the server). Confidentiality is made using symmetric encryption and message integrity is done using message authentication codes. You can browse a little on Google to find out more about these mechanisms.
   The main differences between HTTP and HTTPS are:
The first and most important is that HTTPS is secure while HTTP sends information in plain text.
HTTP uses port 80 while HTTPS uses port 443.
HTTP operates at the application layer while HTTPS works at the transport layer.
The URL is different in these two protcols: https:// and http://
secure HTTP connection
In a simple HTTP communication, the browser will establish a TCP connection with the server and will send a request for a desired resource. The server will respond with the requested resource and the TCP connection will close. If you want to know how a TCP connection is established or closed, check out my networking fundamentals tutorials. With HTTPS the client must first authenticate and then it will try to establish an encrypted connection using SSL. Only after these steps are complete, the HTTPS transfer can begin. Websites use certificates, signed by a public Certification Authority, to ensure users that the site is trusted. Most browsers will notify users when a website with an untrusted certificate is opened:
website certificate not trusted
   That's about it for this post, I hope you've made a general idea of these two protocols. Leave any comment or question that you have, enjoy your day and stay tuned for more articles to come.


Thanks & Regards,

"Remember Me When You Raise Your Hand For Dua"
Raheel Ahmed Khan
System Engineer
send2raheel@yahoo.com
send2raheel@engineer.com
sirraheel@gmail.com
send2raheel (skype id)

My Blog Spot
http://raheel-mydreamz.blogspot.com/


No comments:

Post a Comment

what is Juice Jacking SCAM

  Juice Jacking is a cybersecurity threat that occurs when cybercriminals manipulate public charging stations, such as USB charging ports in...