http and https


Upload: khalidsaeed1025867

Post on 12-Nov-2014


DESCRIPTION

difference between http and https

TRANSCRIPT

Page 1: Http and Https

HTTP

The Hypertext Transfer Protocol is a protocol used mainly to access data on the World Wide Web.

HTTP functions as a combination of FTP and SMTP. It is similar to FTP, and it is like SMTP because of the form of the data transferred between server and client. Unlike SMTP messages, HTTP messages are not meant to be read by humans. SMTP messages are first stored and then delivered, but HTTP messages are delivered immediately.

Page 2: Http and Https

Continued….

The commands from the client to the server are embedded in a request message.

The contents of the requested file or other information are embedded in a response message.

HTTP uses the well-known port 80.

Page 3: Http and Https

Messages

The format of the request and response messages is similar. A request message consists of a request line, a header, and sometimes a body. A response message consists of a status line, a header, and sometimes a body.

Page 4: Http and Https

HTTP Transaction

Figure: an HTTP transaction. The client sends a Request to the server, and the server returns a Response.

Page 5: Http and Https

Request and Response messages

Request message:

- Request line
- Headers
- Blank line
- Body (present only in some messages)

Response message:

- Status line
- Headers
- Blank line
- Body (present only in some messages)

Page 6: Http and Https

Request and status lines

Request line: Request type, URL, HTTP version

Status line: HTTP version, Status code, Status phrase

Page 7: Http and Https

Request fields

Request type:- this field is used in the request message. The request type is categorized into methods:

- GET:- requests a document from the server.
- HEAD:- requests information about a document but not the document itself.
- POST:- sends some information from the client to the server.
- PUT:- sends a document from the server to the client.
- TRACE:- echoes the incoming request.
- OPTIONS:- inquires about available options.
- CONNECT:- reserved.

Page 8: Http and Https

Continued…

URL:- the Uniform Resource Locator, e.g. http://www.google.com

Version:- the version of HTTP. The most current version of HTTP is 1.1.

Page 9: Http and Https

Response fields

Version:- the version of HTTP. The most current version of HTTP is 1.1.

Status code:- consists of three digits.

- 100:- informational
- 200:- successful request
- 300:- redirect the client to another URL
- 400:- indicates an error at the client side
- 500:- indicates an error at the server side

Page 10: Http and Https

Continued…..

Status phrase:- explains the status code in text form.

Codes fall into five general categories:

- 100-199: codes in the 100s are informational, indicating that the client should respond with some other action.
- 200-299: values in the 200s signify that the request was successful.
- 300-399: values in the 300s are used for files that have moved and usually include a Location header indicating the new address.
- 400-499: values in the 400s indicate an error by the client.
- 500-599: codes in the 500s signify an error by the server.

Page 11: Http and Https

Header

The header exchanges additional information between the client and the server.

For example, the client can request that the document be sent in a special format, or the server can send extra information about the document.

The header can consist of one or more header lines. Each header line has a header name, a colon, a space and a header value.

There are 4 categories of header lines:

a:- general header

b:- request header

c:- response header

d:- entity header

Page 12: Http and Https

Continued…

The request message can contain only general, request and entity headers.

The response message can contain only general, response and entity headers.

Header format

Header name : Header value

Page 13: Http and Https

General header

The general header gives general information about the message and can be present in both request and response messages.

- Cache-Control:- specifies information about caching.
- Connection:- shows whether the connection is open or closed.
- Date:- shows the current date.
- etc.

Page 14: Http and Https

Request header

The request header can be present only in a request message. It specifies the client's configuration and the client's preferred document format.

- Accept:- shows the medium format the client can accept.
- Host:- shows the host and port number of the user.
- From:- shows the email address of the user.
- etc.

Page 15: Http and Https

Response header

The response header can be present only in a response message. It specifies the server's configuration and special information about the request.

- Server:- shows the server name and version number.
- Accept-Ranges:- shows whether the server accepts the range requested by the client.
- Public:- shows the supported list of methods.
- etc.

Page 16: Http and Https

Entity header

The entity header gives information about the body of the document. Mostly it is present in response messages, although it is present in some request messages as well.

- Allow:- lists valid methods that can be used with a URL.
- Location:- specifies the location of the created or moved document.
- Expires:- gives the date and time when the contents may change.
- etc.

Page 17: Http and Https

Body

The body can be present in a request or response message. Usually it contains the document to be sent or received.

Example :-

Page 18: Http and Https

Response
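The slides' own request and response examples are images that did not survive extraction. The following is an added example, not from the original deck: a small parser that applies the layout described on the message, request-line, status-line, header and body slides (start line, "Name: value" header lines, blank line, optional body) to two constructed messages, classifies status codes by their leading digit as the slides do, and rejects a body whose length disagrees with Content-Length, since two parsers disagreeing on where a message ends is the root of request-smuggling problems. It assumes nothing beyond the Python standard library; the sample messages and host names are constructed.

```python
"""Minimal HTTP/1.1 message parser (added example, not from the slides)."""
from dataclasses import dataclass

# Constructed sample messages used for the demonstration; not from the deck.
SAMPLE_REQUEST = (
    b"GET /index.html?lang=en HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://www.example.com/index.html\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"moved"
)

# Request methods named on the slides ("Option" is spelled OPTIONS on the wire).
METHODS = {"GET", "HEAD", "POST", "PUT", "TRACE", "OPTIONS", "CONNECT"}

# Status-code classes from the slides, keyed by the leading digit.
STATUS_CLASSES = {
    1: "informational",
    2: "successful request",
    3: "redirect the client to another URL",
    4: "error at the client side",
    5: "error at the server side",
}


@dataclass
class HttpMessage:
    kind: str            # "request" or "response"
    start_line: tuple    # (method, url, version) or (version, code, phrase)
    headers: dict        # header names stored lower-cased
    body: bytes


def parse_headers(lines):
    """Parse 'Name: value' lines; reject malformed lines rather than guessing."""
    headers = {}
    for line in lines:
        name, colon, value = line.partition(":")
        # No colon, empty name, or whitespace before the name (obsolete
        # line folding) are all rejected.
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.lower()] = value.strip()
    return headers


def parse_message(raw: bytes) -> HttpMessage:
    """Split a raw message into start line, headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("message has no blank line after the headers")
    lines = head.decode("ascii").split("\r\n")
    start, headers = lines[0], parse_headers(lines[1:])

    if start.startswith("HTTP/"):
        # Status line: HTTP version, status code, status phrase.
        parts = start.split(" ", 2)
        if len(parts) < 2 or not (parts[1].isdigit() and len(parts[1]) == 3):
            raise ValueError(f"bad status line: {start!r}")
        phrase = parts[2] if len(parts) == 3 else ""
        kind, start_line = "response", (parts[0], int(parts[1]), phrase)
    else:
        # Request line: request type (method), URL, HTTP version.
        parts = start.split(" ")
        if len(parts) != 3 or parts[0] not in METHODS:
            raise ValueError(f"bad request line: {start!r}")
        kind, start_line = "request", tuple(parts)

    # The body must be exactly as long as Content-Length claims; a mismatch
    # is ambiguous (another parser may read the message boundary differently).
    if "content-length" in headers:
        declared = int(headers["content-length"])
        if declared != len(body):
            raise ValueError(f"Content-Length {declared} != body length {len(body)}")
    return HttpMessage(kind, start_line, headers, body)


def status_class(code: int) -> str:
    """Name the category of a three-digit status code by its first digit."""
    return STATUS_CLASSES.get(code // 100, "unknown")


def is_well_formed(raw: bytes) -> bool:
    """True if the message parses under the rules above."""
    try:
        parse_message(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for raw in (SAMPLE_REQUEST, SAMPLE_RESPONSE):
        msg = parse_message(raw)
        print(msg.kind, msg.start_line, msg.headers, msg.body)
```

The parser is deliberately strict: a real server or proxy that silently tolerates a missing colon, a folded header line, or a Content-Length that disagrees with the body length is the kind of lenient component that lets two hops interpret one byte stream as different messages.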

Page 19: Http and Https

HTTPS

Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol (HTTP) with the SSL/TLS protocol.

It provides encrypted communication to prevent eavesdropping and to securely identify the web server with which you are actually communicating.

Historically, HTTPS connections were primarily used for payment transactions on the World Wide Web, e-mail and for sensitive transactions in corporate information systems.

In the late 2000s and early 2010s, HTTPS began to see widespread use for protecting page authenticity on all types of websites, securing accounts and keeping user communications, identity and browsing history private.

Page 20: Http and Https

Continued…

While connecting to a website, HTTPS makes it possible to know whether you are talking to the right server and protects from passive and active network attacks such as Man-in-the-middle attacks.

Page 21: Http and Https

How it works???

When a client sends an HTTPS request, the entire request is encrypted, including the URL. However, the hostname and port of the URL are visible to an eavesdropper, because this information is also present in the TCP/IP packets used to establish and maintain the connection.

This means that an eavesdropper can see the sites you connect to, the amount of time you spend using a site, and the amount of information you upload or download on the particular site.

However, the entire HTTPS request, including the URL path and query parameters, can only be decrypted by the destination site or by an interposing intermediary that terminates the HTTPS connection on behalf of the site.

Page 22: Http and Https

Browser integration

Most browsers display a warning if they receive an invalid certificate. Older browsers, when connecting to a site with an invalid certificate, would present the user with a dialog box asking if they wanted to continue. Newer browsers display a warning across the entire window.

Page 23: Http and Https

Difference from HTTP

HTTPS URLs begin with "https://" and use port 443 by default, whereas HTTP URLs begin with "http://" and use port 80 by default.
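To make the last three slides concrete, here is an added example (mine, not from the deck) in Python. The first function takes a URL and separates what an on-path observer still sees for HTTPS (the host and port, which travel in TCP/IP and in the TLS handshake) from what only the destination can read (the request line's path and query); for a plain `http://` URL everything is exposed. The second builds a client TLS context the way a modern browser behaves, verifying the certificate chain and the hostname and refusing the deprecated SSL/early TLS versions, with an explicit opt-out that reproduces the old "continue anyway" dialog so the difference can be checked. It uses only `urllib.parse` and `ssl` from the standard library and opens no network connection; the URLs are constructed.

```python
"""What an HTTPS URL exposes to the network, and a verifying TLS client context
(added example, not from the slides)."""
import ssl
from urllib.parse import urlsplit

# Default ports from the slides: HTTP on 80, HTTPS on 443.
DEFAULT_PORTS = {"http": 80, "https": 443}


def split_exposure(url: str) -> dict:
    """Classify the parts of a GET for `url` by who on the path can read them."""
    u = urlsplit(url)
    if u.scheme not in DEFAULT_PORTS or not u.hostname:
        raise ValueError(f"unsupported or incomplete URL: {url!r}")
    port = u.port or DEFAULT_PORTS[u.scheme]
    target = (u.path or "/") + (f"?{u.query}" if u.query else "")
    request_line = f"GET {target} HTTP/1.1"
    encrypted = u.scheme == "https"
    return {
        "scheme": u.scheme,
        "port": port,
        # Host and port are in the TCP/IP headers (and the TLS SNI extension),
        # so an eavesdropper sees them for HTTP and HTTPS alike.
        "observer_sees": {"host": u.hostname, "port": port},
        # The request line (path and query) is inside the TLS tunnel for
        # HTTPS; for HTTP it crosses the network in the clear.
        "observer_cannot_see": [request_line] if encrypted else [],
        "plaintext_on_wire": [] if encrypted else [request_line],
    }


def client_tls_context(verify: bool = True) -> ssl.SSLContext:
    """A client context that behaves like a modern browser.

    verify=False reproduces the old 'continue anyway' dialog from the browser
    integration slide: the certificate is accepted unchecked. Keep that path
    for test rigs only.
    """
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3/TLS 1.0/1.1
    if not verify:
        ctx.check_hostname = False   # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """True only if the context would reject a forged or mismatched certificate."""
    return (
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


if __name__ == "__main__":
    for url in ("https://www.example.com/account?id=7",
                "http://www.example.com/account?id=7"):
        print(url, split_exposure(url))
    print("browser-like context safe:", context_is_safe(client_tls_context()))
    print("continue-anyway context safe:",
          context_is_safe(client_tls_context(verify=False)))
```

The point of `context_is_safe` is that "HTTPS" alone is not the property a reviewer should look for in client code: a context with `CERT_NONE` still encrypts, but it identifies nobody, which is exactly the man-in-the-middle exposure the conclusion slide says HTTPS is meant to remove.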

Page 24: Http and Https

Conclusion

HTTP is insecure and is subject to man-in-the-middle and eavesdropping attacks, which can let attackers gain access to website accounts and sensitive information. HTTPS is designed to withstand such attacks and is considered secure against such attacks (with the exception of older deprecated versions of SSL).