HTTP
(Hypertext Transfer Protocol)
- HTTP is often called the protocol of the Internet.
- HTTP received this designation because most Internet traffic is based on HTTP.
- Application Layer, Layer 7
- TCP/IP-based protocol
- Stateless protocol: the server does not have to retain information or status about each user for the duration of multiple requests (state is added on top with HTTP cookies, server-side sessions, hidden variables or URL rewriting)
- Methods such as GET or POST
- An HTTP message consists of a request line (e.g. GET ...), headers and a body
- Not encrypted.
- When a user requests a Web resource, it is requested using HTTP.
The following is a Web request: http://www.example.com
- When a client enters this address into a Web browser, DNS is called to resolve the Fully Qualified Domain Name (FQDN) to an IP address.
- When the address is resolved, an HTTP GET request is sent to the Web server.
- The Web server responds with an HTTP response. Such communication is done several times throughout a single session to a Web site.
HTTP uses TCP for communication between clients and servers. HTTP operates on port 80.
HTTPS
(Hypertext Transfer Protocol Secure)
- HTTPS is for Web sites using additional security features such as certificates.
- HTTPS is used when Web transactions are required to be secure.
- "HTTPS" is supposed to mean "HyperText Transfer Protocol Secure", but it is better thought of as "HTTP with an S that means SSL". Other protocol acronyms have been built the same way, e.g. SMTPS, IMAPS, FTPS... all of them being a bare protocol that "got secured" by running it within some SSL/TLS.
- HTTPS is HTTP-within-SSL/TLS.
- HTTPS - HTTP OVER TLS
- HTTPS - HTTP OVER SSL
- HTTPS - HTTP SECURE
- HTTPS = HTTP + SSL
- HTTPS = ENCRYPTION + IDENTIFICATION
- Example: used in online banking
- Appearance: a lock symbol appears in the browser
- Benefit: encryption and authentication
- Result: trusted end-to-end communication
- Socket-oriented protocol, i.e. it encrypts a channel
- Any application can be protected.
- SSL (TLS) establishes a secured, bidirectional tunnel for arbitrary binary data between two hosts. HTTP is a protocol for sending requests and receiving answers, each request and answer consisting of detailed headers and (possibly) some content. HTTP is meant to run over a bidirectional tunnel for arbitrary binary data; when that tunnel is an SSL/TLS connection, then the whole is called "HTTPS".
- "SSL" means "Secure Sockets Layer". This was coined by the inventors of the first versions of the protocol, Netscape.
- SSL stands for Secure Sockets Layer and, in short, it's the standard technology for keeping an internet connection secure and safeguarding any sensitive data that is being sent between two systems, preventing criminals from reading and modifying any information transferred, including potential personal details.
- It does this by making sure that any data transferred between users and sites, or between two systems, remains impossible to read; it uses encryption algorithms to do so.
- "TLS" means "Transport Layer Security". The name was changed to avoid any legal issues with Netscape so that the protocol could be "open and free".
- When you are buying "SSL" from Symantec you are actually buying the most up-to-date TLS certificates with the option of ECC, RSA or DSA encryption.
- HTTPS uses a certificate-based technology such as VeriSign.
- Certificate-based transactions offer a mutual authentication between the client and the server.
- Mutual authentication assures the server of the client's identity, and assures the client of the server's identity.
- HTTPS, in addition to using certificate-based authentication, encrypts all data packets sent during a session.
- Because of the encryption, confidential user information cannot be compromised.
- To use HTTPS, a Web site must purchase a certificate from a third-party vendor such as VeriSign, CertCo, United States Postal Service, or other certificate providers.
- When a certificate is issued to a Web site by a third-party vendor, the Web site can use trusted communication with the client.
- The communication is trusted because the third party is not biased toward either the Web site or the client.
- To view a certificate during an HTTPS session, simply double-click the lock icon in the lower-right area of the Web browser. HTTPS operates on port 443 and uses TCP for communication.
Symmetric and Asymmetric Encryption
1. Client requests an SSL connection - SSL Hello message (Client Hello)
2. Server responds with the SSL certificate (public key, SSL done) (Server Hello)
3. Client validates the certificate / public key
4. Client generates a symmetric key and transmits it to the server (this is the RSA key-exchange variant; TLS 1.3 instead derives the symmetric keys from an ephemeral Diffie-Hellman exchange)
5. SSL session is established
- SSL Certificate - Intermediate CA - Root CA
- Firefox - Tools - Security - Certificates.
- TLS - Transport Layer Security / Secure Socket Layer
- Uses public and private keys (PKI) for flexible encryption scheme
- uses asymmetric cryptography for key exchange and thereafter symmetric cryptography for channel encryption
- checks: confidentiality, message integrity and authentication of keys
- SSL Transaction
- Note: it provides a secure connection during transmission; it does not by itself check the origin and destination.
A secured connection offers several benefits:
- Safeguarding sensitive data being transferred between browser and server.
- Preventing criminals or any intruder from reading the information transferred.
- Avoiding misuse of vital information like credit card numbers, financial information, addresses and names.
- Safeguarding the information transferred from unwanted modification.
- TLS stands for Transport Layer Security, which is an updated and more secure version of SSL. Just like SSL, TLS provides authentication and data encryption between machines, servers and applications.
Information about the owner contained in a certificate includes:
- Issued to
- Issued from
- Start date
- Expire date
- Domain name
- Certificate authority name.
DEMONSTRATION: WIRESHARK - DATA -> FRAMES -> PACKETS
BROWSER.
1. USER ISSUES URL FROM A BROWSER
2. BROWSER SENDS A REQUEST MESSAGE
3. SERVER MAPS THE URL TO FILE
4. SERVER RETURNS A RESPONSE MESSAGE
5. BROWSER FORMATS THE RESPONSE AND DISPLAYS
HTTP REQUEST AND RESPONSE
REQUEST
MESSAGE EXAMPLE: the browser translates the URL http://www.dbu.edu.et/docs/index.html into the following request message:
GET /docs/index.html HTTP/1.1
Host: www.dbu.edu.et
Accept: image/gif, image/jpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
(blank line)
When this request message reaches the server, the server can take one of these actions:
- The server interprets the request received, maps the request into a file under the server's document directory, and returns the file requested to the client.
- The server interprets the request received, maps the request into a program kept in the server, executes the program, and returns the output of the program to the client.
- The request cannot be satisfied, and the server returns an error message.
An example of the HTTP response message is as shown:
HTTP/1.1 200 OK
Date: Sun, 18 Oct 2009 08:56:53 GMT
Server: Apache/2.2.14 (Win32)
Last-Modified: Sat, 20 Nov 2004 07:16:26 GMT
ETag: "10000000565a5-2c-3e94b66c2e680"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html
X-Pad: avoid browser bug
<html><body><h1>It works!</h1></body></html>
The browser receives the response message, interprets the message and displays the contents of the message in the browser's window according to the media type of the response (as in the Content-Type response header). Common media types include "text/plain", "text/html", "image/gif", "image/jpeg", "audio/mpeg", "video/mpeg", "application/msword" and "application/pdf".
[Figure: sample HTTP request message / HTTP response message]
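As an added example (not code from the original notes), the following Python builds the kind of GET request message shown above from a URL and parses the response message back into its status line, headers and body. The sample response is constructed here and mirrors the "It works!" reply above; the Accept and Connection headers emitted are my own choice.

```python
# Added example (not from the original notes): build the GET request message
# shown above from a URL, and parse the server's response message.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def build_get_request(url: str) -> str:
    """Turn a URL into the HTTP/1.1 request message a browser would send."""
    parts = urlsplit(url)
    host = parts.hostname
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    # The Host header only carries the port when it is not the default one
    host_hdr = host if port == DEFAULT_PORTS[parts.scheme] else f"{host}:{port}"
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host_hdr}",
        "Accept: */*",
        "Connection: close",
        "",  # the blank line ends the header section
    ]
    return "\r\n".join(lines) + "\r\n"

def parse_response(raw: bytes) -> dict:
    """Split a response message into status line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    version, code, reason = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length, but never hand back more than it declares
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return {"version": version, "status": int(code), "reason": reason,
            "headers": headers, "body": body}

# Constructed sample: the response message from the notes above
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.14 (Win32)\r\n"
    b"Content-Length: 44\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><h1>It works!</h1></body></html>"
)
```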
HTTP Request Methods
The HTTP protocol defines a set of request methods. A client can use one of these request methods to send a request message to an HTTP server. The methods are:
- GET: A client can use the GET request to get a web resource from the server.
- HEAD: A client can use the HEAD request to get the header that a GET request would have obtained. Since the header contains the last-modified date of the data, this can be used to check against the local cache copy.
- POST: Used to post data up to the web server.
- PUT: Ask the server to store the data.
- DELETE: Ask the server to delete the data.
- TRACE: Ask the server to return a diagnostic trace of the actions it takes.
- OPTIONS: Ask the server to return the list of request methods it supports.
- CONNECT: Used to tell a proxy to make a connection to another host and simply relay the content, without attempting to parse or cache it. This is often used to make an SSL connection through the proxy.
- Other extension methods.
HTTP OVER TCP IP.
Uniform Resource Locator (URL)
A URL (Uniform Resource Locator) is used to uniquely identify a resource over the web.
A URL has the following syntax:
protocol://hostname:port/path-and-file-name
There are 4 parts in a URL:
- Protocol: The application-level protocol used by the client and server, e.g., HTTP, FTP, and telnet.
- Hostname: The DNS domain name (e.g., www.dbu.edu.et) or IP address (e.g., 192.128.1.2) of the server.
- Port: The TCP port number on which the server listens for incoming requests from clients.
- Path-and-file-name: The name and location of the requested resource, under the server document base directory.
For example, in the URL http://www.dbu.edu.et/docs/index.html:
- the communication protocol is HTTP;
- the hostname is www.dbu.edu.et;
- the port number was not specified in the URL, so it takes on the default, which is TCP port 80 for HTTP;
- the path and file name of the resource to be located is "/docs/index.html".
Other examples of URLs are:
- ftp://www.dbu.edu.et/docs/test.txt
- mailto:user@www.dbu.edu.et
- news:soc.culture.Singapore
- telnet://www.dbu.edu.et/
Status codes:
- Success 2xx: OK 200, Created 201, Accepted 202, Partial Information 203, No Response 204
- Redirection 3xx: Moved 301, Found 302, Method 303, Not Modified 304
- Error 4xx, 5xx: Bad request 400, Unauthorized 401, Payment Required 402, Forbidden 403, Not found 404, Internal Error 500, Not implemented 501, Service temporarily overloaded 502 (TO BE DISCUSSED), Gateway timeout 503 (TO BE DISCUSSED)
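To tie the request methods, the "server maps the request into a file under the document directory" step and the status codes together, here is an added example (my own code, not from the notes) of the server side of that mapping. It handles a single request line, keeps every resolved path inside the document root so a target like /../etc/passwd cannot escape it, and answers with 200, 400, 403, 404 or 501 as appropriate; the document directory and its one page are constructed in a temporary folder.

```python
# Added example (not from the original notes): how a server maps a request line
# to a file under its document directory and chooses a status code.
import os
import tempfile

KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "OPTIONS", "CONNECT"}
REASONS = {200: "OK", 400: "Bad request", 403: "Forbidden",
           404: "Not found", 501: "Not implemented"}

def map_to_file(docroot: str, target: str):
    """Return the on-disk path for target, or None if it escapes docroot."""
    root = os.path.realpath(docroot)
    path = target.split("?", 1)[0]          # drop any query string
    if path.endswith("/"):
        path += "index.html"                # directory request -> index file
    full = os.path.realpath(os.path.join(root, path.lstrip("/")))
    # Refuse anything that resolves outside the document root ("/../etc/passwd")
    if os.path.commonpath([root, full]) != root:
        return None
    return full

def handle_request_line(docroot: str, request_line: str):
    """Return (status code, body bytes) for a single request line."""
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return 400, b""                     # malformed request line
    method, target, _ = parts
    if method not in KNOWN_METHODS:
        return 400, b""                     # not an HTTP method at all
    if method not in ("GET", "HEAD"):
        return 501, b""                     # known, but this server does not implement it
    full = map_to_file(docroot, target)
    if full is None:
        return 403, b""                     # outside the document root
    if not os.path.isfile(full):
        return 404, b""
    with open(full, "rb") as f:
        body = f.read()
    return 200, (b"" if method == "HEAD" else body)   # HEAD: headers only

def make_docroot() -> str:
    """Constructed sample document directory holding /docs/index.html."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "index.html"), "wb") as f:
        f.write(b"<html><body><h1>It works!</h1></body></html>")
    return root
```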
HTTPS RESPONSE.
import java.io.*;
import java.net.*;

class HTTPRES
{
    public static void main(String args[]) throws Exception
    {
        // the web page whose response we want to retrieve
        URL url = new URL("http://google.com");
        HttpURLConnection connection = (HttpURLConnection) url.openConnection();
        // make the connection and send a GET request
        connection.setRequestMethod("GET");
        connection.connect();
        // read the status code from the response's status line
        int code = connection.getResponseCode();
        // print the response code
        System.out.println("Response code of the object is " + code);
        // response code 200 = OK
        if (code == 200)
        {
            System.out.println("OK");
        }
        connection.disconnect();
    }
}
OUTPUT
Response code of the object is 200
OK
BUILD SUCCESSFUL (total time: 1 second)
HTTP RESPONSE : EXAMPLE 2
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;

public class HTTPREQRES {
    public static void main(String[] args) {
        try {
            URL url = new URL("http://google.com/");
            // openStream() sends a GET request and returns the response body;
            // try-with-resources closes the reader when done
            try (BufferedReader br = new BufferedReader(new InputStreamReader(url.openStream()))) {
                String strTemp = "";
                // print the response body line by line
                while (null != (strTemp = br.readLine())) {
                    System.out.println(strTemp);
                }
            }
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }
}
SIMPLE HTTP SERVER
// http://localhost:8080/hello
import java.io.*;
import java.net.*;
import com.sun.net.httpserver.*;

public class HttpServerSimple {
    public static void main(String[] args) throws Exception {
        // listen on TCP port 8080 (backlog 0 = system default)
        HttpServer server = HttpServer.create(new InetSocketAddress(8080), 0);
        // requests for the /hello path are passed to MyHandler
        server.createContext("/hello", new MyHandler());
        server.setExecutor(null); // default executor: requests are handled on the server thread
        server.start();
        System.out.println("Server is listening on port 8080");
    }

    static class MyHandler implements HttpHandler {
        public void handle(HttpExchange t) throws IOException {
            String response = "Hello from MyHTTPServer.....";
            byte[] body = response.getBytes();
            // sends the status line "HTTP/1.1 200 OK" and a Content-Length in bytes (not characters)
            t.sendResponseHeaders(200, body.length);
            OutputStream os = t.getResponseBody();
            os.write(body);
            os.close();
        }
    }
}
OUTPUT //
http://localhost:8080/hello
Hello from MyHTTPServer.....