Page 1: HTTP

HTTP/HTTPS

Amit Kumar Singh

Image: Danilo Rizzuti / FreeDigitalPhotos.net

Page 2: HTTP

HTTP: HyperText Transfer Protocol

Invented by Tim Berners-Lee

An Application Layer Protocol

For Distributed, Collaborative and Hypermedia information systems

Client Server model.

Reliable protocol: works on top of the TCP protocol

Default Port 80

Is Stateless

Page 3: HTTP

Request/Response Model

The Client sends Request to the server for a Resource

Resource located by its URL: <scheme>://<host>:<port>/<resource path>

Eg: http://www.google.com/

Server sends a Response back to the client along with a status code

Request and Response messages are in plain text

Page 4: HTTP

HTTP Request

Comprised of Request Line, HTTP headers, HTTP Body (optional)

Eg:

GET /Index.html HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Sample Application
Host: www.google.com

Request Line: <HTTP Method> <resource path> <HTTP Version>

GET /path/to/file/index.html HTTP/1.1

Page 5: HTTP

HTTP Request : HTTP Methods

GET HEAD POST PUT DELETE TRACE CONNECT OPTIONS PATCH

Page 6: HTTP

HTTP Request : Headers

Accept: text/html,text/plain,image/jpeg; charset=ISO-8859-1
Accept-Language: en
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Referer: http://www.w3.org/index.html
Host: www.google.com
Cookie: id=105; Skin=new
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Page 7: HTTP

HTTP Response

Consists of Status Line, Headers, and Body (optional)

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Content-Location: http://www.microsoft.com/default.htm
Date: Tue, 25 Jun 2009 19:33:18 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Mon, 24 Jun 2002 20:27:23 GMT
Content-Length: 26812

<html>
----
</html>

Page 8: HTTP

HTTP Response: Status Codes

3-digit integer

1xx: informational message
2xx: success of some kind
3xx: redirects the client to another URL
4xx: error on the client's part (e.g. 404)
5xx: error on the server's part
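The request and response slides above describe one message shape: a start line, one header per line, a blank line, then an optional body. The following Python is an added example written for this transcript, not code from the slides or their author; it parses that shape, checks the request line against the method list on the Methods slide, sizes the body by Content-Length, and maps a status line to its 1xx..5xx class from the Status Codes slide. The sample messages are constructed from the slide examples, and the dataclass, function names and error strings are this example's own choices.

```python
"""HTTP/1.1 message parsing for the request and response slides above.

Added example, not from the slides: splits a raw message into start line,
headers and body, validates the request line against the slide's method
list, and maps a status line to its 1xx..5xx class.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Methods from the "HTTP Methods" slide.
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE",
                "TRACE", "CONNECT", "OPTIONS", "PATCH"}

# Status code classes from the "Status Codes" slide.
STATUS_CLASSES = {
    1: "informational message",
    2: "success of some kind",
    3: "redirects the client to another URL",
    4: "error on the client's part",
    5: "error on the server's part",
}


@dataclass
class HttpMessage:
    start_line: str                                        # request line or status line
    headers: Dict[str, str] = field(default_factory=dict)  # names lower-cased
    body: bytes = b""


def parse_message(raw: bytes) -> HttpMessage:
    """Parse one request or response; raise ValueError on anything malformed."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("missing blank line after headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    msg = HttpMessage(start_line=lines[0])
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # A header needs a colon and a name with no surrounding whitespace.
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        msg.headers[name.lower()] = value.strip()
    length = msg.headers.get("content-length")
    if length is not None:
        if not length.isdigit():
            raise ValueError(f"bad Content-Length: {length!r}")
        n = int(length)
        if len(rest) < n:
            raise ValueError("body shorter than Content-Length")
        msg.body = rest[:n]   # bytes beyond the declared length are not this message's
    return msg


def parse_request_line(line: str) -> Tuple[str, str, str]:
    """'<method> <resource path> <HTTP version>' as on the Request slide."""
    parts = line.split(" ")
    if len(parts) != 3:
        raise ValueError(f"bad request line: {line!r}")
    method, path, version = parts
    if method not in HTTP_METHODS:
        raise ValueError(f"unknown method: {method!r}")
    if not version.startswith("HTTP/"):
        raise ValueError(f"bad version: {version!r}")
    return method, path, version


def status_class(line: str) -> str:
    """Map 'HTTP/1.1 404 Not Found' to the meaning of its first digit."""
    parts = line.split(" ", 2)
    if len(parts) < 2 or len(parts[1]) != 3 or not parts[1].isdigit():
        raise ValueError(f"bad status line: {line!r}")
    return STATUS_CLASSES.get(int(parts[1][0]), "unknown class")


def validation_error(raw: bytes) -> Optional[str]:
    """Parser error text for raw, or None if it parses (handy for logging)."""
    try:
        parse_message(raw)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample messages modelled on the slides.
SAMPLE_REQUEST = (b"GET /Index.html HTTP/1.1\r\n"
                  b"Connection: Keep-Alive\r\n"
                  b"Accept: */*\r\n"
                  b"User-Agent: Sample Application\r\n"
                  b"Host: www.google.com\r\n\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Server: Microsoft-IIS/5.0\r\n"
                   b"Content-Type: text/html\r\n"
                   b"Content-Length: 13\r\n\r\n"
                   b"<html></html>")

if __name__ == "__main__":
    req = parse_message(SAMPLE_REQUEST)
    print(parse_request_line(req.start_line), req.headers["host"])
    resp = parse_message(SAMPLE_RESPONSE)
    print(status_class(resp.start_line), resp.body)
```

The parser refuses rather than guesses: a missing blank line, a non-numeric Content-Length, a body shorter than declared, or whitespace around a header name all raise, which is the behaviour you want at a trust boundary such as a proxy or a log-ingesting sensor.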

Page 9: HTTP

HTTP Response : Headers

Cache-Control: no-cache
Content-Length: 2748
Content-Type: image/gif
Date: Wed, 4 Oct 2004 12:00:00 GMT
Expires: -1
WWW-Authenticate: Basic realm="Secure Area"

Page 10: HTTP

HTTP Cookie

Text stored in the client. Used for authentication, user preferences, state management.

Set-Cookie: ID=732423sdfs73242; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/; domain=.example.net

All valid cookies are sent back to the server with subsequent requests
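The Set-Cookie line on this slide carries the attributes that decide when "all valid cookies are sent back": expiry, path and domain. The Python below is an added example for this transcript, not code from the slides; it parses that header into a cookie record and applies the send-back rule to a later request URL, treating an expired cookie as deleted and requiring the request host and path to match. The hyphenated date format and the RFC 1123 format are both accepted; the Cookie dataclass, the function names and the session-cookie sample are this example's own assumptions.

```python
"""Set-Cookie parsing and the send-back rule from the Cookie slide.

Added example, not from the slides: parses the Set-Cookie header shown on
the slide and decides whether a stored cookie belongs on a later request,
i.e. it is not expired and the request host and path match the cookie's
domain and path.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlsplit

DATE_FORMATS = ("%a, %d-%b-%Y %H:%M:%S GMT",   # Fri, 31-Dec-2010 23:59:59 GMT (slide form)
                "%a, %d %b %Y %H:%M:%S GMT")   # Fri, 31 Dec 2010 23:59:59 GMT (RFC 1123)


def parse_http_date(text: str) -> datetime:
    """Return an aware UTC datetime, or raise ValueError for unknown formats."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised HTTP date: {text!r}")


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                  # lower-case, leading dot removed
    path: str
    expires: Optional[datetime]  # None: session cookie, dropped when the client exits


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse one Set-Cookie value; defaults come from the request it arrived on."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    if not name.strip():
        raise ValueError("cookie without a name")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    domain = attrs.get("domain") or request_host
    expires = parse_http_date(attrs["expires"]) if attrs.get("expires") else None
    return Cookie(name.strip(), value.strip(), domain.lower().lstrip("."),
                  attrs.get("path") or "/", expires)


def should_send(cookie: Cookie, url: str, now: datetime) -> bool:
    """The slide's 'all valid cookies are sent back' rule, made explicit."""
    if cookie.expires is not None and now >= cookie.expires:
        return False                         # expired: treat as deleted
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Domain match: the host itself or any subdomain of the cookie domain.
    domain_ok = host == cookie.domain or host.endswith("." + cookie.domain)
    # Path match: the cookie path or a path below it (segment-wise, not prefix-wise).
    path = parts.path or "/"
    path_ok = path == cookie.path or path.startswith(cookie.path.rstrip("/") + "/")
    return domain_ok and path_ok


# Constructed from the Set-Cookie line on the slide.
SLIDE_SET_COOKIE = ("ID=732423sdfs73242; expires=Fri, 31-Dec-2010 23:59:59 GMT; "
                    "path=/; domain=.example.net")

if __name__ == "__main__":
    cookie = parse_set_cookie(SLIDE_SET_COOKIE, "www.example.net")
    print(cookie)
    print(should_send(cookie, "http://www.example.net/index.html",
                      datetime.now(timezone.utc)))
```

The path comparison is segment-wise on purpose: a cookie scoped to /app must not be sent to /apple, and a domain of example.net must not match notexample.net.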

Page 11: HTTP

Caching

Sits between the Client and the Server. Saves a copy of the response; further requests can fetch the response from the cache.

Cache-Control: no-cache / private / public / max-age

Expires: Fri, 30 Oct 1998 14:19:41 GMT
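The directives on this slide are what a cache between client and server evaluates before answering from its stored copy. The Python below is an added example for this transcript, not code from the slides; it implements that decision for no-cache, private, public, max-age and Expires, including the "Expires: -1" seen on the response-headers slide, which is not a date and therefore means already stale. The function names, the shared_cache flag and the constructed header dictionaries are this example's own assumptions.

```python
"""Cache freshness decision for the Caching slide.

Added example, not from the slides: a cache between client and server keeps
a copy of a response and may answer later requests from it only while the
copy is fresh. The directives on the slide drive the decision: no-cache
(must revalidate with the server first), private (only the user's own
browser cache may keep it), public, max-age, and the Expires header.
"""
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime
from typing import Dict, Optional


def http_date(text: str) -> Optional[datetime]:
    """RFC 1123 date to aware datetime; None for junk such as 'Expires: -1'."""
    try:
        return parsedate_to_datetime(text)
    except (ValueError, TypeError):   # newer Pythons raise ValueError, older TypeError
        return None


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """'public, max-age=300' -> {'public': None, 'max-age': '300'}"""
    out: Dict[str, Optional[str]] = {}
    for item in value.split(","):
        item = item.strip()
        if item:
            name, _, arg = item.partition("=")
            out[name.strip().lower()] = arg.strip().strip('"') or None
    return out


def freshness_lifetime(headers: Dict[str, str]) -> Optional[timedelta]:
    """How long the response may be reused; None when nothing says."""
    cc = parse_cache_control(headers.get("cache-control", ""))
    max_age = cc.get("max-age")
    if max_age is not None and max_age.isdigit():
        return timedelta(seconds=int(max_age))        # max-age wins over Expires
    if "expires" in headers:
        expires = http_date(headers["expires"])
        if expires is None:
            return timedelta(0)                       # unparsable Expires: already stale
        date = http_date(headers.get("date", "")) or expires
        return max(expires - date, timedelta(0))
    return None


def can_serve_from_cache(headers: Dict[str, str], stored_at: datetime,
                         now: datetime, shared_cache: bool = True) -> bool:
    """True if the cache may answer from its copy without asking the server."""
    cc = parse_cache_control(headers.get("cache-control", ""))
    if "no-cache" in cc:
        return False          # copy may be kept, but every use needs revalidation
    if "private" in cc and shared_cache:
        return False          # a proxy must not hold one user's response
    lifetime = freshness_lifetime(headers)
    if lifetime is None:
        return False          # no explicit lifetime: revalidate rather than guess
    return now < stored_at + lifetime


# Constructed from the response-headers slide (header names lower-cased).
SLIDE_RESPONSE_HEADERS = {
    "cache-control": "no-cache",
    "content-length": "2748",
    "content-type": "image/gif",
    "date": "Wed, 4 Oct 2004 12:00:00 GMT",
    "expires": "-1",
}

if __name__ == "__main__":
    stored = http_date(SLIDE_RESPONSE_HEADERS["date"])
    print(can_serve_from_cache(SLIDE_RESPONSE_HEADERS, stored, stored))
```

When no directive gives a lifetime the code refuses to serve from cache; a real cache may apply heuristic freshness, but for anything carrying user data the conservative answer is the safer default.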

Page 12: HTTP

HTTPS

HTTP is insecure!

Subject to man-in-the-middle and eavesdropping attacks

HTTP over TLS or SSL

Uses port 443 by default

Based on Public key cryptography

Page 13: HTTP

TLS Handshake

Client asks for a connection to the HTTPS server, specifying the highest TLS protocol version it supports and a list of Cipher Suites (Cipher and Hash function).

Server responds and selects a TLS protocol version and Cipher Suite which the client also supports.

Server sends a Certificate to the client for its authentication. The Certificate contains the server name, the trusted CA, and the server's Public Key.

Page 14: HTTP

Client verifies the Certificate and authenticates the Server

If authenticated, the client creates a random session key for the negotiated encryption algorithm and encrypts it with the server's public key.

The key is sent to the server; the server decrypts the session key using the server's private key.

The client encrypts the message using the session key and sends it to the server

The server decrypts the message using the same session key.
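The two TLS slides above describe version and cipher suite selection, then a session key carried to the server under its public key and a message protected with that key. The Python below is an added example written for this transcript, not code from the slides and not a real TLS implementation; it walks those steps so the data flow is visible. Textbook RSA on two Mersenne primes stands in for the key in the server certificate (real TLS uses padded RSA or, since TLS 1.3, ephemeral Diffie-Hellman), and a SHA-256 keystream with an HMAC-SHA256 tag stands in for the suite's cipher and hash function. The version tuples follow the wire encoding (TLS 1.2 is (3, 3)), the suite names are illustrative labels, and the server_min floor is this example's own addition: a server that will not accept a version below its floor refuses rather than silently downgrading.

```python
"""Walk-through of the handshake steps on the two TLS slides.

Added example, not from the slides and not real TLS: version and cipher
suite selection (steps 1-2), then the session-key exchange and protected
message (steps 4-5). Toy RSA stands in for the certificate key and a
SHA-256 keystream plus HMAC tag for the suite's cipher and hash function.
"""
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

Version = Tuple[int, int]                    # wire encoding: TLS 1.2 = (3, 3)

# Constructed client offer (step 1); suite names are illustrative labels.
CLIENT_MAX_VERSION: Version = (3, 3)
CLIENT_SUITES = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]


def choose_version_and_suite(client_max: Version, client_suites: List[str],
                             server_versions: List[Version], server_suites: List[str],
                             server_min: Version) -> Optional[Tuple[Version, str]]:
    """Step 2: highest version both sides accept, never below the server's floor,
    and the first server-preferred suite the client offered. None = refuse the
    handshake instead of silently falling back to something weaker."""
    usable = [v for v in server_versions if server_min <= v <= client_max]
    suite = next((s for s in server_suites if s in client_suites), None)
    if not usable or suite is None:
        return None
    return max(usable), suite


# Step 3: toy RSA key pair standing in for the public key in the certificate.
P, Q = 2**127 - 1, 2**89 - 1                 # both prime (Mersenne primes)
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))            # private exponent (Python 3.8+)


def wrap_session_key(session_key: bytes, public_key: Tuple[int, int]) -> int:
    """Client side: encrypt the random session key with the server's public key."""
    e, n = public_key
    return pow(int.from_bytes(session_key, "big"), e, n)


def unwrap_session_key(wrapped: int, private_key: Tuple[int, int], size: int) -> bytes:
    """Server side: recover the session key with the private key."""
    d, n = private_key
    return pow(wrapped, d, n).to_bytes(size, "big")


def _keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream: SHA-256 over key plus a block counter."""
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]


def protect(session_key: bytes, message: bytes) -> bytes:
    """Cipher then hash: XOR with the keystream, append an HMAC-SHA256 tag."""
    body = bytes(m ^ k for m, k in zip(message, _keystream(session_key, len(message))))
    return body + hmac.new(session_key, body, hashlib.sha256).digest()


def unprotect(session_key: bytes, record: bytes) -> bytes:
    """Check the tag before touching the ciphertext; reject anything altered."""
    body, tag = record[:-32], record[-32:]
    expected = hmac.new(session_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record tag mismatch: corrupted or tampered")
    return bytes(c ^ k for c, k in zip(body, _keystream(session_key, len(body))))


def run_exchange(message: bytes) -> bytes:
    """Steps 4-5 end to end; returns what the server decrypts."""
    session_key = secrets.token_bytes(16)          # 128-bit key, always < N
    wrapped = wrap_session_key(session_key, (E, N))
    server_copy = unwrap_session_key(wrapped, (D, N), 16)
    if server_copy != session_key:
        raise RuntimeError("key transport failed")
    return unprotect(server_copy, protect(session_key, message))


if __name__ == "__main__":
    server_versions = [(3, 1), (3, 2), (3, 3)]
    print(choose_version_and_suite(CLIENT_MAX_VERSION, CLIENT_SUITES, server_versions,
                                   ["TLS_RSA_WITH_AES_128_CBC_SHA"], server_min=(3, 3)))
    print(run_exchange(b"GET / HTTP/1.1\r\nHost: www.example.net\r\n\r\n"))
```

Two points worth noticing in the flow: the eavesdropper on the HTTP slide sees only the wrapped key and the tagged ciphertext, and the tag check in unprotect runs before any decryption, so a modified record is rejected rather than decrypted into garbage.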

Page 15: HTTP

References

http://www.faqs.org/rfcs/rfc2616.html
www.en.wikipedia.org
https://www.httpwatch.com/httpgallery
http://condor.depaul.edu/~dmumaugh/readings/handouts/SE435/HTTP/http.pdf
http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html