Introduction to HTTP/HTTPS
- HTTP/HTTPS is the client-server network protocol that has been in use by the World Wide Web since 1990.
- HTTPS stands for Hypertext Transfer Protocol Secure.
- HTTPS is a crucial component of modern web security, ensuring that data transmitted between clients and servers is encrypted and secure.
- Implementing HTTPS involves obtaining and installing a digital certificate and configuring the webserver to use encrypted communications.
Definition
- HTTP is an important application-layer (TCP/IP reference model) communication protocol for transferring information on the World Wide Web and on intranets.
- Its original purpose was to provide a way to publish and retrieve hypertext pages over the Internet, i.e. HTTP defines how messages are formatted and transmitted, and what actions web servers and browsers should take in response to various commands.
- HTTPS is an extension of HTTP that uses encryption to secure data transmitted over the Internet. HTTPS is widely used to protect the integrity and confidentiality of user data, particularly during online transactions, data transfers, and communications.
Features
- HTTP stands for “Hypertext Transfer Protocol”.
- HTTPS stands for “Hypertext Transfer Protocol Secure”.
- HTTP works on port number 80 by default.
- HTTP is a text-based protocol i.e. requests and responses are sent and received in the form of message/text format.
- HTTP is considered a stateless protocol: each transaction is independent of the previous one, and the TCP connection between the client and the server is established for every page, so the server remembers nothing about the previous request. This keeps the Web simple.
- HTTP is the underlying protocol used by the World Wide Web.
- HTTP is not constrained to the TCP/IP reference model and its supporting layers, although that is its most popular use on the Internet. HTTP can be implemented on top of any other protocol on the Internet, or on other networks.
- HTTP uses TCP rather than UDP because the data for a web page must be sent reliably over a connection-oriented transport; TCP also provides the related transmission control during the process, delivers the data in order, and provides error correction.
HTTPS
- Although HTTP is powerful and flexible, it is not suitable for a wide range of applications because it can so easily be monitored and replayed by attackers. Hence the Secure Sockets Layer (SSL) was designed to encrypt any TCP/IP-based network traffic and provide the following security capabilities:
- Prevents eavesdropping
- Prevents tampering or replaying of messages
- Uses certificates to authenticate servers and optionally clients
Thus, HTTPS is similar to HTTP but adds an encrypted SSL security layer. When an HTTPS session is created, some additional overhead is required: the client and server need to create a shared secret key by using a public/private key handshake. Once the connection is set up, it works exactly like HTTP and has the same capabilities, such as headers, cookies, caching, authentication, redirection, etc.
Benefits of HTTPS
- Security: It encrypts data to protect sensitive information from eavesdropping and tampering.
- Trust: It increases user trust by ensuring that they are communicating with the legitimate server.
- SEO Advantage: Search engines like Google give preference to HTTPS websites, which can improve search engine rankings.
- Data Integrity: It ensures that the data sent between the client and server is not altered or corrupted.
Components of HTTPS
- Encryption: HTTPS uses Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL), to encrypt data between the client (such as a web browser) and the server. This prevents eavesdroppers from reading the data while it is in transit.
- Data Integrity: HTTPS ensures that the data sent between the client and the server is not tampered with or altered during transmission. This is achieved through cryptographic checksums and digital signatures.
- Authentication: HTTPS uses digital certificates to authenticate the server to the client. This helps verify that the client is communicating with the intended server and not an imposter.
Working Mechanism
- SSL/TLS Handshake: When a client (e.g., a web browser) connects to a server via HTTPS, the SSL/TLS handshake process begins. This involves the client and server exchanging cryptographic keys and establishing a secure connection.
- Server Authentication: The server presents its digital certificate to the client. The certificate contains the server’s public key and is issued by a trusted certificate authority (CA). The client verifies the certificate’s validity.
- Session Key Generation: After the server is authenticated, both the client and server generate a session key using the server’s public key. This session key is used to encrypt the data during the session.
- Secure Data Transmission: Once the secure connection is established, data transmitted between the client and the server is encrypted using the session key.
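The server-authentication step above is where HTTPS differs from plain encryption: the client must refuse a certificate that is expired or issued for a different name, and a TLS context that skips that check accepts an imposter. The following Python is an added example, not code from the original article; the certificate dictionary is constructed in the shape that Python’s `ssl` module returns from `getpeercert()`, and the hostnames in it are made up.

```python
import ssl
import time

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
# All values are made up for this example, not taken from any real site.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("organizationName", "Example Test CA"),),),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.api.example.test")),
}

def hardened_client_context():
    """Client context enforcing the handshake section: the server must present a
    certificate chaining to a trusted CA, and its name must match the host."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy SSL/TLS versions
    return ctx

def insecure_client_context():
    """The weak setting, shown for contrast: traffic is encrypted but the server
    is never authenticated, so any certificate (an imposter's too) is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def dns_name_matches(pattern, hostname):
    """Name match as clients do it: exact, or a single '*' as the leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return False

def certificate_is_valid_for(cert, hostname, now=None):
    """Checks the client performs after the CA chain check: validity window
    and name binding through the subjectAltName DNS entries."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        return False
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(dns_name_matches(san, hostname) for san in sans)
```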
Briefly, whenever we surf the web and enter a URL in the web browser, the browser sends HTTP request messages, using HTTP commands, for the HTML pages, images, scripts, and style sheets stored on the web server. The web server handles these requests, processes them, and returns response messages that contain the requested resource or information.
- The commands from the client’s browser are embedded in a request message, and the server’s reply is embedded in a response message. HTTP uses the services of TCP at port 80.
- HTTP is a request/response standard between a client and a server in a network, where the client is the end user and the server is the website. The client making an HTTP request, using a web browser or other end-user tool, is referred to as the user agent. The responding server, which stores or creates resources such as HTML files and images, is called the origin server. Between the user agent and the origin server there may be several intermediaries, such as proxies, gateways, and tunnels.
- Typically, an HTTP client initiates a request. It establishes a Transmission Control Protocol (TCP) connection to a particular port on a host (port 80 by default). An HTTP server listening on that port waits for the client to send a request message. Upon receiving the request, the server sends back a status line, such as “HTTP/1.1 200 OK” (1.1 = version, 200 = status code, OK = status text), and a message of its own, the body of which is perhaps the requested file, an error message, or some other information.
Structure
- An HTTP message consists of a header part and a body part. The header carries control information such as status codes, caching, cookies, methods, redirection, compression, encoding, authentication, etc.
- HTTP begins its work with request messages and completes it with response messages. The formats are as follows:
HTTP Request Message
The HTTP request message has a simple text-based structure. The typical request message sent by a browser for a particular web page may include –
The first line of the message, known as the request line, contains:
- The HTTP method
- The relative URL of the resource, or a full URL
- The version of HTTP that is being used. Most modern HTTP clients and servers use HTTP version 1.1.
The rest of the message consists of a set of name/value pairs, known as headers. HTTP clients use header values to control how the request is processed by the server. For example, the Accept-Encoding header indicates that the browser can handle content compressed using the gzip or deflate algorithms.
HTTP Response Message
The web server’s response message has a similar structure, but is followed by the contents of the HTML page:
<!DOCTYPE html> <html>…
The first line, or status line, returns a status code from the server that indicates whether the request was successful. The value 200 is returned if the request was processed correctly and the content is being returned to the client.
The next eight lines of text contain header values that describe the data and how it is being returned to the client. For example, Content-Type has the value text/html because the page is in HTML format. The response headers are terminated with a double CRLF (carriage return, line feed) and are followed by the contents of the requested resource.
Images are not directly embedded into web pages. Instead, they are specified as separate resources using HTML <img> tags:
<img src="images/logo.gif" width="50" height="50">
Whenever the browser encounters an <img> tag, it checks to see if it has a valid copy of the image either loaded in memory or saved in its cache. If no suitable match is found, it sends out another HTTP request to retrieve it. This means that a web page
Methods of HTTP
The following common methods are used in HTTP operation:
The GET method
- The GET method is used to retrieve information from a specified URI/URL and is assumed to be a safe, repeatable operation by browsers, caches, etc.
- One downside of GET requests is that they can only supply data in the form of parameters encoded in the URI/URL or as cookies in the Cookie request header.
- GET cannot be used for uploading files or other operations that require large amounts of data to be sent to the server.
The POST method
- The POST method is used for operations that have side effects and cannot be safely repeated.
- The POST request message has a content body that is normally used to send parameters and data.
- There is no upper limit on the amount of data that can be sent, and POST must be used if files or other variable-length data have to be sent to the server.
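The request-message structure (request line, header name/value pairs, double CRLF, body) and the GET/POST difference above can be shown in one place: building both kinds of request and parsing them back, reading the body by Content-Length rather than to the end of the buffer. This Python is an added example, not code from the original article; the host name `www.example.test` and the form values are made up.

```python
from urllib.parse import urlencode

CRLF = "\r\n"
HOST = "www.example.test"   # assumed host name, used only for the Host header

def build_get(path, params):
    """GET carries parameters only in the URL query string and sends no body."""
    target = f"{path}?{urlencode(params)}" if params else path
    return f"GET {target} HTTP/1.1{CRLF}Host: {HOST}{CRLF}{CRLF}"

def build_post(path, form):
    """POST carries the data in the body, so Content-Length must be declared.
    urlencode output is pure ASCII, so its character count is its byte count."""
    body = urlencode(form)
    head = [f"POST {path} HTTP/1.1", f"Host: {HOST}",
            "Content-Type: application/x-www-form-urlencoded",
            f"Content-Length: {len(body)}"]
    return CRLF.join(head) + CRLF + CRLF + body

def parse_request(raw):
    """Split a request into request line, headers and body.
    The header block ends at the first empty line (double CRLF). The body is
    exactly Content-Length characters; anything after it belongs to the next
    request on the connection, so it is returned as 'unread' instead of being
    silently swallowed or treated as part of this body."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(CRLF)
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()   # names are case-insensitive
    length = int(headers.get("content-length", "0"))
    body = rest[:length]
    if len(body) < length:
        raise ValueError("truncated body")
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body, "unread": rest[length:]}
```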