Computer Science
HTTP and HTTPS
HTTP (Hypertext Transfer Protocol) is a protocol used for transmitting data over the internet. It is the foundation of data communication for the World Wide Web. HTTPS (Hypertext Transfer Protocol Secure) is a secure version of HTTP that uses encryption to protect the data being transmitted. It provides a secure connection between the user's browser and the server.
Written by Perlego with AI-assistance
12 Key excerpts on "HTTP and HTTPS"
- eBook - ePub
- Darril Gibson(Author)
- 2011(Publication Date)
- Sybex(Publisher)
HTTP is different from Hypertext Markup Language (HTML). HTML is the Internet standard for formatting and displaying documents on the Internet.
Some sites use encryption to protect the data transmission. For example, if you purchase something over the Internet, you’ll provide information such as your name, address, and maybe credit card data. This needs to be protected as it goes over the Internet. HTTP over Secure Sockets Layer (SSL), or HTTPS, provides this protection.
Figure 4-6: Web browser accessing a web page with the URL
You can tell whether HTTPS is being used from the URL. Instead of HTTP, it will list it as HTTPS. Additionally, most web browsers include a lock icon somewhere on the page. For example, Internet Explorer 8 shows a lock icon at the end of the URL.
Encryption protocols scramble data from plain text into cipher text. Nonauthorized users are not able to read the cipher text.
If HTTPS is not in the URL or the lock icon is not displayed, information you enter and submit to websites can be intercepted and read by eavesdroppers on the Internet. HTTP uses TCP port 80 by default. HTTPS uses TCP port 443.
File Transfer Protocol
File Transfer Protocol (FTP) is used to upload and download files to and from computers on the Internet and within some internal networks. FTP uses TCP for guaranteed delivery of the files.
You can access FTP from the command prompt from many operating systems such as Windows 7. Get commands can download files, and Put commands upload files. Windows Explorer provides some basic FTP functionality including drag-and-drop features. However, there are applications that make the process much simpler. Figure 4-7 shows an FTP application named FileZilla, which is available for free. It’s easy to use and can manage the upload and download of multiple files at a time.
Many FTP clients are freely available. You can search on the Internet for download free ftp
- eBook - ePub
- Man Young Rhee(Author)
- 2013(Publication Date)
- Wiley(Publisher)
The Web allows users to view documents that contain text and graphics. The Web grew to be the largest source of Internet traffic since 1994 and continues to dominate, with a much higher growth rate than the rest of the Internet. By 1995, Web traffic overtook FTP to become the leader. By 2001, Web traffic completely overshadowed other applications.
2.3.1 Hypertext Transfer Protocol (HTTP)
The protocol used to transfer a Web page between a browser and a Web server is known as HTTP. HTTP operates at the application level. HTTP is a protocol used mainly to access data on the World Wide Web. HTTP functions like a combination of FTP and SMTP. It is similar to FTP because it transfers files, while HTTP is like SMTP because the data transferred between the client and the server looks like SMTP messages. However, HTTP differs from SMTP in the way that SMTP messages are stored and forwarded; HTTP messages are delivered immediately.
As a simple example, a browser sends an HTTP GET command to request a Web page from a server. A browser contacts a Web server directly to obtain a page. The browser begins with a URL, extracts the hostname section, uses DNS to map the name into an equivalent IP address, and uses the IP address to form a TCP connection to the server. Once the TCP connection is in place, the browser and Web server use HTTP to communicate. Thus, if the browser sends a request to retrieve a specific page, the server responds by sending a copy of the page.
A browser requests a Web page, and the server transfers a copy to the browser. HTTP also allows transfer from a browser to a server. HTTP allows browsers and servers to negotiate details such as the character set to be used during transfers. To improve response time, a browser caches a copy of each Web page it retrieves. HTTP allows a machine along the path between a browser and a server to act as a proxy server that caches Web pages and answers a browser's request from its cache. Proxy servers are an important part of the Web architecture because they reduce the load on servers.
In summary, a browser and server use HTTP to communicate. HTTP is an application-level protocol with explicit support for negotiation, proxy servers, caching, and persistent connections.
- eBook - PDF
Codes
The Guide to Secrecy From Ancient to Modern Times
- Richard A. Mollin(Author)
- 2005(Publication Date)
- Chapman and Hall/CRC(Publisher)
Most commonly, IP is used (see page 199).
4. The Transport Layer: This middle layer is essentially the communications system component of a given protocol. For instance, the TCP protocol discussed on page 199 is one such communications system. Although TCP itself is not cryptographically secure, mechanisms can be used to make it so. For instance, in 1996 the Internet Engineering Task Force (IETF), the agency that develops protocol standards for the Internet, formed a committee, the Transport Layer Security (TLS) working group. Their mandate was to develop a standard for Secure Sockets Layer (SSL) a protocol that originated at Netscape in 1994, and which we will describe in detail in this section. In January 1999, the TLS working group published the TLS protocol. However, TLS is essentially a version of SSL, so we will not describe it here, but rather wait to get the full description of SSL, which is not, in itself, a single protocol, but rather two layers of protocols using TCP to provide a secure connection with WWW browsers.
This is an appropriate juncture to explain the Internet terminology that we will be using. For instance, WWW is the acronym for the World Wide Web, which is the information network using HTTP and HTML on Internet host computers. HTTP is the acronym for HyperText Transfer Protocol, which is the protocol used to transfer files from an Internet server onto a browser in order to view that page on the Internet. HTTP is a one-way system in the sense that the contents of a page from the server are downloaded to the computer’s browser for viewing, but files cannot be transferred to the computer’s memory. HTML is the acronym for HyperText Markup Language, which is the text format for WWW pages. Browser is a short form for WWW browser, which is a software application used to locate and display WWW pages. The two most popular browsers are Netscape Navigator and Microsoft Internet Explorer.
- eBook - PDF
- Ido Dubrawsky, Jeremy Faircloth(Authors)
- 2007(Publication Date)
- Syngress(Publisher)
Because of this, the same individual components of each protocol apply. As we saw previously with SSL, the data transmitted is encrypted between the client and the server. HTTP/S is the protocol responsible for encryption of traffic from a client browser to a Web server. HTTP/S uses port 443 instead of HTTP port 80.
When a URL begins with “https://,” you know you are using HTTP/S. Both HTTP/S and SSL use a X.509 digital certificate for authentication purposes from the client to the server. HTTP/S is often used for secure transmissions over the Internet, such as during online transactions where banking or credit card information is exchanged between a client and server. Because the data is encrypted, it provides protection from eavesdroppers or MITM attacks, which could result in unwanted parties accessing the data. It may also be used on intranets, where secure transmission across an internal network is vital.
EXAM WARNING
SSL must be known and understood for the Security+ exam. Remember key items like the port it uses (443) and its basic functionality, as well as aspects related to its successor, TLS. You will also need to remember that HTTP/S is HTTP over SSL and is used for secure Internet transmissions between an SSL enabled server and client. For additional information on SSL, a good resource is the section of VeriSign’s Web site that addresses many aspects of SSL at www.verisign.com/ssl/index.html.
TLS
As mentioned, TLS is the successor to SSL, and is a newer version that has minor differences to its predecessor.
- eBook - PDF
Content Networking
Architecture, Protocols, and Practice
- Markus Hofmann, Leland R. Beaumont(Authors)
- 2005(Publication Date)
- Morgan Kaufmann(Publisher)
As a result, many applications will fail, unless they are specifically adapted to avoid the assumption of address transparency. Possible mechanisms to overcome such problems include insertion of application-level gateways, or having the NAT modify message payloads on the fly. In either case, the mechanism is application-specific and, therefore, not universal.
These observations illustrate that the fundamental design principles of the Internet and the resulting dependencies play an important role when introducing new communication mechanisms. This applies in particular to the area of content networking, as several proposed mechanisms touch those fundamental principles. Later chapters will take up these considerations when describing interception proxies or content services provided from inside the network.
The Internet, with its fundamental design principles, is the main vehicle for transmitting content between geographically dispersed sites on the Web. The following section touches on how content is transmitted over the Internet by introducing the application-level transfer protocol of the Web—the HTTP.
2.2 Hypertext Transport Protocol—HTTP
The HTTP is the lingua franca of the Web. It is an application layer protocol used for the transfer of Web resources, whether these are documents, Web pages, or images. Although designed to be usable over any underlying transport-layer protocol, virtually all implementations of HTTP run on top of the TCP protocol. HTTP was originally proposed by Tim Berners-Lee in 1990 and evolved further in two distinct phases—from protocol version 0.9 to version 1.0 over a period of four years, and from version 1.0 to version 1.1 in another four years.
This chapter introduces the key concepts of HTTP based on HTTP/1.0 [RFC 2621]. When extensions of HTTP/1.1 [RFC 2616] are discussed, they will be mentioned explicitly.
- No longer available
Computing Fundamentals
IC3 Edition
- Faithe Wempen(Author)
- 2014(Publication Date)
- Wiley(Publisher)
Put It to Work
Identifying Secure Sites
When you browse a website that uses the HTTP protocol, everything is transmitted and received in clear text. That means someone using a packet sniffer (discussed in Chapter 16, “Network and Internet Privacy and Security”) could easily intercept the information. This is okay for normal browsing, but not when carrying out financial transactions that involve entering credit card information or other personal details. To prevent criminals from acquiring your information, a secure encrypted connection is required when you are sending sensitive data.
HyperText Transfer Protocol Secure (HTTPS) provides an encrypted connection between the web browser and the web server. With HTTPS, the two endpoints exchange an encryption key, enabling the encryption of all future communication between them. When a connection uses HTTPS, the URL starts with https:// rather than http://, as shown. In addition, a padlock appears in the browser’s address bar, and in some browsers the address bar may appear with a green background. A secure connection happens automatically when you log into a secure site; you do not have to do anything special to initiate it.
All sites that use HTTPS have a digital certificate that validates them as being trustworthy. This certificate is issued by a third-party certificate authority, such as Verisign. Certificates must be renewed on an annual basis, and can be revoked if questions about the company that holds it arise. To view certificate details for a site that uses HTTPS, click the padlock symbol displayed in the browser’s address bar and choose View Certificates from the menu that appears.
Going Back, Going Forward, and Refreshing
Suppose that while visiting a website, you’ve clicked several hyperlinks to view many different web pages. Or maybe you’ve viewed additional websites during the same browser session.
- eBook - PDF
- Jill West(Author)
- 2021(Publication Date)
- Cengage Learning EMEA(Publisher)
You’ll also often see the terms used interchangeably—many times, even when someone says SSL, they’re referring to TLS. As you recall, HTTP uses TCP port 80, whereas HTTPS (HTTP Secure) uses SSL/TLS encryption and TCP port 443 rather than port 80. Other protocols you’ve studied that offer SSL/TLS encrypted alternatives include SMTP TLS, LDAP over SSL, IMAP over SSL, and POP3 over SSL.
Each time a client and server establish an SSL/TLS connection, they establish a unique session, which is an association between the client and server that is defined by an agreement on a specific set of encryption techniques. The session allows the client and server to continue to exchange data securely as long as the client is still connected to the server. A session is created by a handshake protocol, one of several protocols within SSL/TLS, and perhaps the most significant. As its name implies, the handshake protocol allows the client and server to introduce themselves to each other and establishes terms for how they will securely exchange data. This handshake conversation is similar to the TCP three-way handshake you learned about earlier in this module. Given the scenario of a browser accessing a secure website, the SSL/TLS handshake works as follows:
Step 1—The browser, representing the client computer in this scenario, sends a client hello message to the web server, which contains information about what level of security the browser is capable of accepting and what type of encryption the browser can decipher. The client hello message also establishes a randomly generated number that uniquely identifies the client and another number that identifies the session.
Copyright 2022 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part.
- eBook - PDF
Innocent Code
A Security Wake-Up Call for Web Programmers
- Sverre H. Huseby(Author)
- 2004(Publication Date)
- Wiley(Publisher)
With such bugs present, HTTPS is of little use. To conclude this paragraph, HTTPS provides good protection of the communication channel unless:
• The user neglects the warnings from the browser.
• The browser allows the user to neglect its warnings.
• The user falls for cheap domain name or protocol tricks played by an attacker.
• The CA may be tricked into giving out false certificates.
• The browser vendor trusts a CA that the user wouldn’t trust.
• The browser (or server) has a buggy SSL/TLS implementation.
• The user’s computer is controlled by an attacker.
As all of the above points have already been seen, you may realize that HTTPS is not a magic bullet that solves all problems in the real world. But don’t get me wrong. HTTPS is the best widely available mechanism for securing web traffic at the moment. It makes it much harder to reach or modify secrets that pass across the network.
1.4 Summary
HTTP is a simple, text-oriented protocol. Clients connect to servers and send requests, each of which draws a response from the server. Headers are used to control the communication, and to pass cookies. All request headers and data are controlled by the client. An attacker may thus easily pass headers and data after his own liking. Sessions are server-side containers for state information. Attackers may be able to hijack the sessions of other users by getting hold of their session ID. Several measures are available to make session hijacking hard, but the real solution is to keep the session ID a secret. HTTPS protects data that pass between the client and the server. Unfortunately, real world implementations of HTTPS are not bulletproof. Many weak links play a part in the game, and some of those links may easily break.
1.5 Do You Want to Know More?
The true source for information about HTTP is RFC 2616 [19], which defines the protocol.
- eBook - ePub
The Web Application Hacker's Handbook
Finding and Exploiting Security Flaws
- Dafydd Stuttard, Marcus Pinto(Authors)
- 2011(Publication Date)
- Wiley(Publisher)
Chapter 3 Web Application Technologies
Web applications employ a myriad of technologies to implement their functionality. This chapter is a short primer on the key technologies that you are likely to encounter when attacking web applications. We will examine the HTTP protocol, the technologies commonly employed on the server and client sides, and the encoding schemes used to represent data in different situations. These technologies are in general easy to understand, and a grasp of their relevant features is key to performing effective attacks against web applications.
If you are already familiar with the key technologies used in web applications, you can skim through this chapter to confirm that it offers you nothing new. If you are still learning how web applications work, you should read this chapter before continuing to the later chapters on specific vulnerabilities. For further reading on many of the areas covered, we recommend HTTP: The Definitive Guide by David Gourley and Brian Totty (O'Reilly, 2002), and also the website of the World Wide Web Consortium at www.w3.org.
The HTTP Protocol
Hypertext transfer protocol (HTTP) is the core communications protocol used to access the World Wide Web and is used by all of today's web applications. It is a simple protocol that was originally developed for retrieving static text-based resources. It has since been extended and leveraged in various ways to enable it to support the complex distributed applications that are now commonplace.
HTTP uses a message-based model in which a client sends a request message and the server returns a response message. The protocol is essentially connectionless: although HTTP uses the stateful TCP protocol as its transport mechanism, each exchange of request and response is an autonomous transaction and may use a different TCP connection.
- eBook - ePub
Internet Infrastructure
Networking, Web Services, and Cloud Computing
- Richard Fox, Wei Hao(Authors)
- 2017(Publication Date)
- CRC Press(Publisher)
One concern with HTTP is that requests and responses are sent in plain text. As Transmission Control Protocol/Internet Protocol (TCP/IP) is not a secure protocol, plain text communication over the Internet can easily be intercepted by a third party. An HTTP request may include parameter values as part of the URL or cookie information that should be held secure. Such information may include a password, a credit card number, or other confidential data. We cannot modify TCP/IP to handle security, but we can add security to TCP/IP. The HTTPS protocol (which is variably called HTTP over Transport Layer Security [TLS], HTTP over Secure Sockets Layer [SSL], or HTTP Secure) is not actually a single protocol but a combination of HTTP and SSL/TLS. It is SSL/TLS that adds security.
HTTPS is not really a new protocol. It is HTTP encapsulated within an encrypted stream using TLS (recall that TLS is the successor to SSL, but we generally refer to them together as SSL/TLS). SSL/TLS uses public (asymmetric) key encryption, whereby the client is given the public key to encrypt content, whereas the server uses a private key to decrypt the encrypted content. SSL/TLS issues the public key to the client by using a security certificate. This, in fact, provides two important pieces of information. First is the public key. However, equally important is the identification information stored in the certificate to ensure that the server is trustworthy. Without this, the web browser is programmed to warn the user that the certificate could not be verified, and therefore, the website may not be what it purports to be. Aside from the use of the SSL/TLS to encrypt/decrypt the request and response messages, HTTPS also uses a different default port, 443, rather than the HTTP default port, 80.
Here, we will focus on the creation of a security certificate using the X.509 protocol. The generation of a certificate is performed in steps. The first step is to generate a private key.
The private key is the key that the organization will retain to decrypt messages. This key must be held securely, so that no unauthorized parties can acquire it; otherwise, they could decrypt any message sent to the organization. The private key is merely a sequence of bits. The length of this sequence is determined by the size of the key, such as 128 bits or 256 bits. The larger this number, the harder it is to decrypt an encrypted message by a brute-force decryption algorithm.
- Syngress(Author)
- 2000(Publication Date)
- Syngress(Publisher)
Securing TCP/IP Connections
Solutions in this chapter:
Introduction
To the uninitiated, TCP/IP is a jumble of meaningless letters as indecipherable as quantum physics. To the network professional, however, it is the life force of the Internet that drives its organic growth. A few years ago, ubiquitous connectivity would have been considered a computing nirvana. Businesses now share data with partners, allow customers to access account information, and provide dial-up access to the corporate network for employees. Broadband technologies are delivering high-speed access into homes across the world. Nowadays, we take the connectivity for granted and seek out extra value from the networks that span the globe. For businesses today, it is insufficient to be highly connected. Connectivity on its own is meaningless if a business is to thrive in a competitive world, but secure connectivity—that’s the ticket.
In this chapter, we examine several technologies that provide the extra value; that make communication secure across TCP/IP networks. These technologies include Secure Sockets Layer (SSL), Point-to-Point Tunneling Protocol (PPTP), and Layer 2 Tunneling Protocol/Internet Protocol Security (L2TP/IPSec). Each of these provides secure data communication between computers on either a public or a private network. We cover the theory of each technology and its implementation in Windows 2000.
Secure Sockets Layer
The Secure Sockets Layer (SSL) describes an encryption technology widely used on the Internet to secure Web pages and Web sites. In this section, we take a mile-high view of SSL and discuss the methods used by SSL to encrypt information to keep it secure.
Overview of SSL
SSL is classified as a Transport layer security protocol, since it secures not only the information generated at the Application layer, but at the Transport layer as well.
- eBook - PDF
- Michael Gallo, William M. Hancock PhD CISSP CISM, William M. Hancock, PhD, CISSP, CISM(Authors)
- 2001(Publication Date)
- Digital Press(Publisher)
Could you conclude this discussion of HTTP with a description of how a Web page is transferred from server to client?
Certainly. Let’s assume that we are browsing Florida Institute of Technology’s Web site and find ourselves at the school’s Office of Graduate Programs Web page, which is found at the URL http://www.fit.edu/AcadRes/graduate. Let’s further assume that we are interested in acquiring information about graduate policies. When we place the browser’s cursor over the Graduate Policies “icon,” note that at the bottom of the browser the URL http://www.fit.edu/AcadRes/graduate/gradpol/index.html appears. This is the URL for the base HTML file that contains the information we seek. Following is a summary of what happens when we click on “Graduate Policies.”
1. Your Web client program (i.e., your browser) initiates a network connection to the Web server “www.fit.edu.” We will discuss how such a connection is actually initiated later in the chapter. For now, though, just realize that your client must first establish a network connection to the target Web server before any user data are transferred between the two nodes. This is because HTTP uses TCP as its transport protocol (OSI layer 4) and TCP is a connection-oriented protocol. If you’re quick enough (or if the network is slow enough), you will see at the bottom of your browser the message “Connecting to ww.fit.edu.”
2. When the connection is established, the client sends an HTTP request message similar to the example we gave in Question 45. The request message includes the Request-Line “GET http://www.fit.edu/AcadRes/graduate/gradpol/index.html HTTP/1.1,” which requests that the specified resource be retrieved. Once again, if you are quick enough (or have a slow network connection), you will see at the bottom of your browser the message, “Sending request for AcadRes/graduate/gradpol/index.html.”
3.
Index pages curate the most relevant extracts from our library of academic textbooks. They’ve been created using an in-house natural language model (NLM), each adding context and meaning to key research topics.











