HTTP

The hypertext Transfer Protocol is a protocol used mainly too access data on the world wide web. HTTP functions as a combination of FTP and SMTP. Similar to FTP. HTTP is like SMTP because the data transferred between server and client. Unlike SMTP it is not readable by the humans. SMTP messages first stored and then delivered but in HTTP messages delivered immediately.

Continued.

The command from the client to server are embedded in a request message. The contents of the requested file or other information are embedded in a response message. HTTP uses the well known port 80.

Messages

The format of the request and response messages are similar. A request message consists of a request line, a header, and sometimes a body. A response message consists of a status line, a header, and sometimes a body.

HTTP Transaction

Client

Server

Request

Response

Request and Response messages

Request message

Response Message

Request line Headers Blank line Body (present only in some messages)

Status line Headers Blank line Body (present only in some messages)

Request and status lines

Request line
Request type URL HTTP version

HTTP version

Status code

Status pharse

Request fields

Request type:- this field is used in the request message. The request type is categorized into methods GET:- request a document from the server. Head:- request the information about a document but not the document itself. Post :-sends some info from the client to the server. Put :- sends a document from the server to the client. Trace :- echoes the incoming request. Option :- inquiries about available options. Connect :- reserved.

Continued

URL:- the uniform resource locater.

i.e http:\\www.google.com

version:- the version of http. The most current version of http

is1.1.

Response fields

Version:is1.1.

the version of http. The most current version of http

Status code:- consists on 3 digit.

100-- informational 200---- successful request 300---- redirect the client to another URL 400-- indicates error at the client side. 500--- indicates error at the server side.

Continued..

Status phrase:- explain the status code in text from. Codes fall into five general categories

100-199

Codes in the 100s are informational, indicating that the client should respond with some other action. Values in the 200s signify that the request was successful. Values in the 300s are used for files that have moved and usually include a Location header indicating the new address. Values in the 400s indicate an error by the client. Codes in the 500s signify an error by the server.

200-299

300-399

400-499

500-599

Header

The header exchanges the additional information between the client and server. For example the client can request that the document be sent in a special format or the server can send extra information about the document. The header can consists of one or more header lines. Each header line has a header name , a colon , a space and a header value. 4 categories of header lines. a:- general header b:- request header c:- response header d:- entity header.

Continued

The request message can contain only general, request and entity headers. The response message can contain only general, response and entity headers.

Header format

Header name

Header value

General header

The general header gives general information about the message and can be present in a both request and response.

Cache control:- specifies information about caching. Connection:- shows whether the connection is open or closed. Date:- shows the current date. Etc etc

Request header

The request header can be present only in a request message. It specifies the clients configuration and clients preferred document format.

Accept :- shows the medium format the client can accept. Host :- shows the host and port number of the user. Form :- shows the email address of the user. Etc etc

Response header

The response header can be present only in a response message. It specifies the servers configuration and special information about the request.

Server :- shows the server name and version number. Accept-range :- shows if server accepts the range requested by client. Public :- shows the supported list of methods. Etc etc

Entity header

The entity header gives information about the body of the document. Mostly it present in response message although it present in some request messages as well.

Allow :- lists valid methods that can be used with a URL. Location :- specifies the location of the created or moved document. Expires :- gives the date and time when the contents may change. Etc etc

Body

The body can be present in a request or response message. Usually it contains the document to be sent or received. Example :-

Response

HTTPS

Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol (HTTP) with the SSL/TLS protocol. It provides encrypted communication to prevent eavesdropping and to securely identify the web server with which you are actually communicating. Historically, HTTPS connections were primarily used for payment transactions on the World Wide Web, e-mail and for sensitive transactions in corporate information systems. In the late 2000s and early 2010s, HTTPS has began to see widespread use for protecting page authenticity on all types of websites, securing accounts and keeping user communications, identity and browsing history private.

Continued

While connecting to a website, HTTPS makes it possible to know whether you are talking to the right server and protects from passive and active network attacks such as Man-in-the-middle attacks.

How it works???

when a client sends an HTTPS request, the entire request is encrypted, including the URL. However the hostname and port of the URL are visible to an eavesdropper because this information is also present in the TCP/IP packets to establish and maintain the connection. This means that an eavesdropper can see the sites you connect to, the amount of time you spend using a site, and the amount of information you upload or download on the particular site. However, the entire HTTPS request, including the URL path and query parameters, can only be decrypted by the destination site or by an interposing intermediary that terminates the HTTPS connection on behalf of the site.

Browser integration

Most browsers display a warning if they receive an invalid certificate. Older browsers, when connecting to a site with an invalid certificate, would present the user with a dialog box asking if they wanted to continue. Newer browsers display a warning across the entire window.

Difference from HTTP

HTTPS URLs begin with "https://" and use port 443 by default, whereas HTTP URLs begin with "http://" and use port 80 by default.

Conclusion

HTTP is insecure and is subject to man-in-the-middle and eavesdropping attacks, which can let attackers gain access to website accounts and sensitive information. HTTPS is designed to withstand such attacks and is considered secure against such attacks (with the exception of older deprecated versions of SSL).