HTTP/HTTPS
Amit Kumar Singh
Image: Danilo Rizzuti / FreeDigitalPhotos.net
HTTP: HyperText Transfer Protocol
Invented by Tim Berners-Lee
An Application Layer Protocol
For Distributed, Collaborative and Hypermedia information systems
Client Server model.
Reliable protocol: works on top of the TCP protocol
Default Port 80
Is Stateless
Request/Response Model
The Client sends Request to the server for a Resource
A Resource is located by its URL: <scheme>://<host>:<port>/<resource path>
Eg: http://www.google.com/
The server sends a Response back to the client along with a status code
Request and Response messages are in plain text
HTTP Request
Comprised of a Request Line, HTTP headers, and an HTTP Body (optional)
Eg:
GET /Index.html HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Sample Application
Host: www.google.com
Request Line: <HTTP Method> <resource path> <HTTP Version>
Eg: GET /path/to/file/index.html HTTP/1.1
HTTP Request: HTTP Methods
GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT, OPTIONS, PATCH
HTTP Request: Headers
Accept: text/html,text/plain,image/jpeg; charset=ISO-8859-1
Accept-Language: en
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Referer: http://www.w3.org/index.html
Host: www.google.com
Cookie: id=105; Skin=new
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP Response
Consists of a Status Line, Headers, and a Body (optional)
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Content-Location: http://www.microsoft.com/default.htm
Date: Tue, 25 Jun 2009 19:33:18 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Mon, 24 Jun 2002 20:27:23 GMT
Content-Length: 26812

<html>
----
</html>
HTTP Response: Status Codes
3-digit integer
1xx: informational message
2xx: success of some kind
3xx: redirects the client to another URL
4xx: error on the client's part
• 404
5xx: error on the server's part
HTTP Response: Headers
Cache-Control: no-cache
Content-Length: 2748
Content-Type: image/gif
Date: Wed, 4 Oct 2004 12:00:00 GMT
Expires: -1
WWW-Authenticate: Basic realm="Secure Area"
HTTP Cookie
Text stored in the client
Used for authentication, user preferences, state management
Set-Cookie: ID=732423sdfs73242; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/; domain=.example.net
All valid cookies are sent back to the server with subsequent requests
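The request, response, status-code and cookie formats on the slides above, as an added example that is not part of the original deck: a small Python parser for the HTTP/1.1 message layout (start line, header lines, blank line, optional body) that also classifies status codes and splits a Cookie header. The sample messages are constructed for this example, with a Content-Length set to match the short body.

```python
from typing import Dict, Tuple

STATUS_CLASSES = {1: "informational", 2: "success", 3: "redirection",
                  4: "client error", 5: "server error"}


def parse_message(raw: bytes) -> Tuple[Dict[str, object], Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 message into (start-line fields, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")   # blank line ends the header section
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed start line: %r" % lines[0])
    if parts[0].startswith("HTTP/"):           # status line: <version> <code> <reason>
        code = int(parts[1])
        start: Dict[str, object] = {"version": parts[0], "status": code, "reason": parts[2],
                                    "class": STATUS_CLASSES.get(code // 100, "unknown")}
    else:                                      # request line: <method> <path> <version>
        start = {"method": parts[0], "path": parts[1], "version": parts[2]}
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    # Only trust Content-Length when it agrees with the bytes actually received.
    if "content-length" in headers and int(headers["content-length"]) != len(body):
        raise ValueError("Content-Length does not match body length")
    return start, headers, body


def parse_cookie_header(value: str) -> Dict[str, str]:
    """Parse a Cookie request header such as 'id=105; Skin=new' into a dict."""
    cookies: Dict[str, str] = {}
    for pair in value.split(";"):
        name, _, val = pair.strip().partition("=")
        if name:
            cookies[name] = val
    return cookies


# Constructed sample messages in the shape shown on the slides (not real traffic).
SAMPLE_REQUEST = (b"GET /Index.html HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\n"
                  b"User-Agent: Sample Application\r\nHost: www.google.com\r\n"
                  b"Cookie: id=105; Skin=new\r\n\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nContent-Type: text/html\r\n"
                   b"Content-Length: 13\r\n\r\n<html></html>")
```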
Caching
A cache sits between the client and the server and saves a copy of the response; further requests can fetch the response from the cache
Cache-Control: no-cache / private / public / max-age
Expires: Fri, 30 Oct 1998 14:19:41 GMT
HTTPS
HTTP is insecure!
Subject to man-in-the-middle and eavesdropping attacks
HTTP over TLS or SSL
Uses port 443 by default
Based on public key cryptography
TLS Handshake
The client asks for a connection to the HTTPS server, specifying the highest TLS protocol version it supports and a list of Cipher Suites (cipher and hash function)
The server responds and selects a TLS protocol version and Cipher Suite which the client also supports
The server sends a Certificate to the client for its authentication; the Certificate contains the server name, the trusted CA, and the server's public key
The client verifies the Certificate and authenticates the server
If authenticated, the client creates a random session key for the encryption algorithm and encrypts it with the server's public key
The key is sent to the server; the server decrypts the session key using the server's private key
The client encrypts the message using the session key and sends it to the server
The server decrypts the message using the same session key