Sunday, November 19, 2017

HTTP AND HTTPS PROTOCOL



HTTP (Hypertext Transfer Protocol)

  • HTTP is often called the protocol of the Internet.
  • HTTP received this designation because most Internet traffic is based on HTTP.
  • Application layer protocol (OSI Layer 7).
  • TCP/IP based protocol.
  • Stateless protocol: the server does not have to retain information or status about each user across multiple requests (state is added on top with HTTP cookies, server-side sessions, hidden variables or URL rewriting).
  • GET or POST methods.
  • An HTTP message consists of a request line (e.g. GET), headers and a body.
  • Not encrypted.
  • When a user requests a Web resource, it is requested using HTTP.

·         The following is a Web request: http://www.example.com

o   When a client enters this address into a Web browser, DNS is called to resolve the Fully Qualified Domain Name (FQDN) to an IP address.

o   When the address is resolved, an HTTP GET request is sent to the Web server.

o   The Web server answers with an HTTP response. Such an exchange happens several times throughout a single session with a Web site. HTTP uses TCP for communication between clients and servers. HTTP operates on port 80.



HTTPS (Hypertext Transfer Protocol Secure)

  • HTTPS is for Web sites using additional security features such as certificates.
  • HTTPS is used when Web transactions are required to be secure.
  • "HTTPS" is supposed to mean "HyperText Transfer Protocol Secure".
  • "HTTPS" is better thought of as "HTTP with an S that means SSL". Other protocol acronyms have been built the same way, e.g. SMTPS, IMAPS, FTPS... all of them being a bare protocol that "got secured" by running it within some SSL/TLS.
  • HTTPS is HTTP-within-SSL/TLS.
  • HTTPS - HTTP OVER TLS
  • HTTPS - HTTP OVER SSL
  • HTTPS - HTTP SECURE
  • HTTPS = HTTP + SSL
  • HTTPS = ENCRYPTION + IDENTIFICATION

·         Example: used in online banking

·         Appearance: a lock symbol appears in the browser

·         Benefit: encryption and authentication

·         Result: trusted end-to-end communication


  • Socket-oriented protocol, i.e. it encrypts a channel.
  • Any application can be protected.
  • SSL (TLS) establishes a secured, bidirectional tunnel for arbitrary binary data between two hosts. HTTP is a protocol for sending requests and receiving answers, each request and answer consisting of detailed headers and (possibly) some content. HTTP is meant to run over a bidirectional tunnel for arbitrary binary data; when that tunnel is an SSL/TLS connection, then the whole is called "HTTPS".
  • "SSL" means "Secure Sockets Layer". This was coined by the inventors of the first versions of the protocol, Netscape.
  • SSL stands for Secure Sockets Layer and, in short, it is the standard technology for keeping an internet connection secure and safeguarding any sensitive data that is sent between two systems, preventing criminals from reading and modifying any information transferred, including potential personal details.
  • It does this by making sure that any data transferred between users and sites, or between two systems, remains unreadable to anyone else; it uses encryption algorithms to achieve this.
  • "TLS" means "Transport Layer Security". The name was changed to avoid any legal issues with Netscape so that the protocol could be "open and free".
  • When you buy "SSL" from Symantec, you are actually buying the most up-to-date TLS certificates, with the option of ECC, RSA or DSA keys.
  • HTTPS uses a certificate-based technology such as VeriSign.
  • Certificate-based transactions offer mutual authentication between the client and the server.
  • Mutual authentication assures the server of the client's identity and assures the client of the server's identity.
  • HTTPS, in addition to using certificate-based authentication, encrypts all data packets sent during a session.
  • Because of the encryption, confidential user information cannot be compromised.
  • To use HTTPS, a Web site must purchase a certificate from a third-party vendor such as VeriSign, CertCo, United States Postal Service, or other certificate providers.
  • When the certificate is issued to a Web site by a third-party vendor, the Web site is using trusted communication with the client.
  • The communication is trusted because the third party is not biased toward either the Web site or the client.
  • To view a certificate during an HTTPS session, simply double-click the lock icon in the lower-right area of the Web browser. HTTPS operates on port 443 and uses TCP for communication.


Symmetric and Asymmetric Encryption

·         1. The client requests an SSL connection with an SSL Hello message (Client Hello).

·         2. The server responds with its SSL certificate (public key, server hello done) (Server Hello).

·         3. The client validates the certificate / public key.

·         4. The client generates a symmetric key and transmits it to the server, encrypted with the server's public key.

·         5. The SSL session is established.


  • Certificate chain: SSL Certificate - Intermediate CA - Root CA
  • Firefox - Tools - Security - Certificates.
  • TLS (Transport Layer Security) / SSL (Secure Sockets Layer)
  • Uses public and private keys (PKI) for a flexible encryption scheme.
  • Uses asymmetric cryptography for the key exchange and thereafter symmetric cryptography for channel encryption.
  • Checks: confidentiality, message integrity and authentication of keys.
  • SSL Transaction
  • Note: it secures the connection during transmission; it does not vouch for the origin and destination themselves.

·   A secured connection offers several benefits:

  • Safeguarding sensitive data being transferred between browser and server.
  • Preventing criminals or any intruder from reading the information transferred.
  • Avoiding misuse of vital information like credit card numbers, financial information, addresses and names.
  • Safeguarding the information transferred from unwanted modification.

  • TLS stands for Transport Layer Security, which is an updated and more secure version of SSL. Just like SSL, TLS provides authentication and data encryption between machines, servers and applications.



Information about the owner contained in a certificate, includes:

  • Issued to
  • Issued from
  • Start date
  • Expire date
  • Domain name
  • Certificate authority name.
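The five handshake steps, the certificate chain and the certificate fields listed above, as an added Python example that is not part of the original post: a root CA issues a server certificate carrying the fields from the list (issued to, issued from, start and expiry date, public key); the client checks the CA signature, the validity period and the hostname against its own root store, then encrypts a secret with the server's public key, and both sides switch to a symmetric session key for the channel. The RSA key pairs use tiny primes and the channel cipher is an HMAC-based keystream, so this is a teaching model of the sequence of steps, not usable cryptography; the CA name, the dates and the key material are constructed.

```python
import hashlib
import hmac
import os
from datetime import date


def _inverse_mod(e, phi):
    """Modular inverse of e mod phi via the extended Euclidean algorithm."""
    old_r, r, old_s, s = e, phi, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    assert old_r == 1, "e must be coprime to phi"
    return old_s % phi


def toy_rsa_keypair(p, q, e=65537):
    """Textbook RSA with tiny primes: TOY ONLY, the modulus is trivially factorable."""
    n = p * q
    return (n, e), (n, _inverse_mod(e, (p - 1) * (q - 1)))   # public key, private key


def cert_body(cert):
    # Canonical bytes of the certificate fields that get signed by the CA.
    fields = ("issued_to", "issued_from", "not_before", "not_after", "public_key")
    return "|".join(str(cert[f]) for f in fields).encode()


def _digest_mod_n(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def ca_sign(cert, ca_private):
    """The CA signs the hash of the certificate body with its private key."""
    n, d = ca_private
    return pow(_digest_mod_n(cert_body(cert), n), d, n)


def client_validate(cert, signature, trusted_roots, hostname, today):
    """Step 3: the client checks the server certificate against its root store."""
    root = trusted_roots.get(cert["issued_from"])
    if root is None:
        return "untrusted issuer"
    n, e = root
    if pow(signature, e, n) != _digest_mod_n(cert_body(cert), n):
        return "bad signature"
    if not (cert["not_before"] <= today <= cert["not_after"]):
        return "expired or not yet valid"
    if cert["issued_to"] != hostname:
        return "hostname mismatch"
    return "ok"


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def channel_encrypt(key, nonce, plaintext):
    """Toy symmetric channel: HMAC-SHA256 keystream XOR, plus an HMAC tag for integrity."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def channel_decrypt(key, nonce, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def run_handshake(hostname="www.dbu.edu.et", today=date(2017, 11, 19)):
    # Setup (constructed): a root CA and a server key pair; the CA issues the server cert.
    ca_pub, ca_priv = toy_rsa_keypair(10007, 10009)
    srv_pub, srv_priv = toy_rsa_keypair(10037, 10039)
    cert = {"issued_to": "www.dbu.edu.et", "issued_from": "Toy Root CA",
            "not_before": date(2017, 1, 1), "not_after": date(2018, 1, 1),
            "public_key": srv_pub}
    signature = ca_sign(cert, ca_priv)
    trusted_roots = {"Toy Root CA": ca_pub}            # the client's root store

    # 1. Client Hello carries a client random; 2. Server Hello carries cert + server random.
    client_random, server_random = os.urandom(16), os.urandom(16)
    verdict = client_validate(cert, signature, trusted_roots, hostname, today)
    if verdict != "ok":
        return verdict, None                            # the client aborts the connection

    # 4. The client picks a secret and encrypts it with the server's PUBLIC key;
    #    only the holder of the matching private key can recover it.
    n, e = cert["public_key"]
    premaster = int.from_bytes(os.urandom(3), "big") % n
    recovered = pow(pow(premaster, e, n), srv_priv[1], srv_priv[0])

    # 5. Both sides derive the same symmetric session key and switch to the
    #    (much cheaper) symmetric channel for the HTTP traffic.
    def derive(secret):
        return hashlib.sha256(secret.to_bytes(8, "big") + client_random + server_random).digest()
    client_key, server_key = derive(premaster), derive(recovered)
    request = b"GET /docs/index.html HTTP/1.1\r\nHost: www.dbu.edu.et\r\n\r\n"
    wire = channel_encrypt(client_key, b"c2s\x00", request)
    return "ok", channel_decrypt(server_key, b"c2s\x00", wire)


if __name__ == "__main__":
    print(run_handshake())
    print(run_handshake(hostname="evil.example"))
    print(run_handshake(today=date(2019, 6, 1)))
```

The three calls at the bottom show the normal path and the two failures a browser reports most often: a certificate issued to a different name, and one outside its validity period. Note that the server never learns anything the client did not encrypt to its public key, which is the point of step 4.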


DEMONSTRATION: WIRESHARK (DATA -> FRAMES -> PACKETS)

BROWSER:

1. USER ISSUES A URL FROM A BROWSER

2. BROWSER SENDS A REQUEST MESSAGE

3. SERVER MAPS THE URL TO A FILE

4. SERVER RETURNS A RESPONSE MESSAGE

5. BROWSER FORMATS THE RESPONSE AND DISPLAYS IT


HTTP REQUEST AND RESPONSE



REQUEST MESSAGE EXAMPLE: the browser turns the URL http://www.dbu.edu.et/docs/index.html into the following request message:

GET /docs/index.html HTTP/1.1
Host: www.dbu.edu.et
Accept: image/gif, image/jpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
(blank line)

When this request message reaches the server, the server takes one of these actions:

  1. The server interprets the request received, maps the request to a file under the server's document directory, and returns the requested file to the client.
  2. The server interprets the request received, maps the request to a program kept on the server, executes the program, and returns the output of the program to the client.
  3. If the request cannot be satisfied, the server returns an error message.

An example of the HTTP response message is shown below:

HTTP/1.1 200 OK
Date: Sun, 18 Oct 2009 08:56:53 GMT
Server: Apache/2.2.14 (Win32)
Last-Modified: Sat, 20 Nov 2004 07:16:26 GMT
ETag: "10000000565a5-2c-3e94b66c2e680"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html
X-Pad: avoid browser bug
(blank line)
<html><body><h1>It works!</h1></body></html>

The browser receives the response message, interprets it and displays the contents of the message in the browser's window according to the media type of the response (given in the Content-Type response header). Common media types include "text/plain", "text/html", "image/gif", "image/jpeg", "audio/mpeg", "video/mpeg", "application/msword", and "application/pdf".

[Figure: sample HTTP request message]

[Figure: HTTP response message]




HTTP Request Methods

The HTTP protocol defines a set of request methods. A client uses one of these request methods to send a request message to an HTTP server. The methods are:

  • GET: A client uses the GET request to fetch a web resource from the server.
  • HEAD: A client uses the HEAD request to get the headers that a GET request would have obtained, without the body. Since the headers contain the last-modified date of the data, this can be used to check against the local cache copy.
  • POST: Used to post data up to the web server.
  • PUT: Asks the server to store the data.
  • DELETE: Asks the server to delete the data.
  • TRACE: Asks the server to return a diagnostic trace of the actions it takes.
  • OPTIONS: Asks the server to return the list of request methods it supports.
  • CONNECT: Used to tell a proxy to make a connection to another host and simply relay the content, without attempting to parse or cache it. This is often used to make an SSL connection through the proxy.
  • Other extension methods.
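The message format from the request/response section and the method semantics from the list above, as one added Python example that is not part of the original post: a parser that splits a raw HTTP message into start line, headers and a Content-Length-bounded body, and a dispatcher that answers GET with a body, HEAD with the same headers but no body, OPTIONS with an Allow list, and anything else with 501. The sample request is the one from the text; the document directory, the 404 body and all function names are constructed for the example.

```python
# Constructed copy of the request message shown in the text.
SAMPLE_REQUEST = (
    b"GET /docs/index.html HTTP/1.1\r\n"
    b"Host: www.dbu.edu.et\r\n"
    b"Accept: image/gif, image/jpeg, */*\r\n"
    b"Accept-Language: en-us\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"\r\n"
)

# Constructed stand-in for the server's document base directory: path -> (type, bytes).
DOCUMENT_ROOT = {
    "/docs/index.html": ("text/html", b"<html><body><h1>It works!</h1></body></html>"),
}
SUPPORTED = ("GET", "HEAD", "OPTIONS")


def parse_message(raw, head_response=False):
    """Split a request or response into start line, headers and body."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: no blank line after the headers")
    lines = head.split(b"\r\n")
    start = lines[0].decode("ascii").split(" ", 2)      # method/target/version or version/status/reason
    if len(start) != 3:
        raise ValueError(f"malformed start line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.decode("ascii").strip().lower()] = value.decode("latin-1").strip()
    # A HEAD response repeats the Content-Length of the GET it stands for but carries no body,
    # so a client that sent HEAD must not wait for those bytes.
    length = 0 if head_response else int(headers.get("content-length", "0"))
    if len(rest) < length:
        raise ValueError(f"truncated body: Content-Length {length}, received {len(rest)}")
    return {"start": start, "headers": headers, "body": rest[:length]}


def handle(request):
    """Server side: map a parsed request to (status, reason, headers, body) by method."""
    method, target, _version = request["start"]
    allow = ", ".join(SUPPORTED)
    if method not in SUPPORTED:
        return 501, "Not Implemented", {"Allow": allow, "Content-Length": "0"}, b""
    if method == "OPTIONS":
        return 200, "OK", {"Allow": allow, "Content-Length": "0"}, b""
    resource = DOCUMENT_ROOT.get(target)
    if resource is None:
        body = b"Not Found"
        return 404, "Not Found", {"Content-Type": "text/plain", "Content-Length": str(len(body))}, body
    ctype, body = resource
    headers = {"Content-Type": ctype, "Content-Length": str(len(body))}
    # HEAD gets exactly the headers GET would get, but the body is not sent.
    return 200, "OK", headers, body if method == "GET" else b""


def serialize_response(status, reason, headers, body):
    lines = [f"HTTP/1.1 {status} {reason}"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines).encode("ascii") + b"\r\n\r\n" + body


def roundtrip(raw_request):
    """Parse the request, handle it and return the raw response bytes."""
    return serialize_response(*handle(parse_message(raw_request)))


def parses_cleanly(raw, head_response=False):
    try:
        parse_message(raw, head_response)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(roundtrip(SAMPLE_REQUEST).decode())
    print(roundtrip(SAMPLE_REQUEST.replace(b"GET", b"HEAD", 1)).decode())
```

Parsing a HEAD response with `head_response=False` fails with "truncated body", which is the parser doing its job: the Content-Length header describes the GET body, not bytes that will ever arrive. That is the same length check that protects a client from treating a cut-off response as complete.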

HTTP OVER TCP IP.



Uniform Resource Locator (URL)

A URL (Uniform Resource Locator) is used to uniquely identify a resource on the web.

A URL has the following syntax:

protocol://hostname:port/path-and-file-name


There are 4 parts in a URL:

  1. Protocol: The application-level protocol used by the client and server, e.g., HTTP, FTP, and telnet.
  2. Hostname: The DNS domain name (e.g., www.dbu.edu.et) or IP address (e.g., 192.128.1.2) of the server.
  3. Port: The TCP port number on which the server is listening for incoming requests from the clients.
  4. Path-and-file-name: The name and location of the requested resource, under the server's document base directory.

For example, in the URL http://www.dbu.edu.et/docs/index.html,
  • the communication protocol is HTTP;
  • the hostname is www.dbu.edu.et;
  • the port number was not specified in the URL, so it takes the default, which is TCP port 80 for HTTP;
  • the path and file name of the resource to be located is "/docs/index.html".

Other examples of URLs are:
  • ftp://www.dbu.edu.et/docs/test.txt
  • mailto:user@www.dbu.edu.et
  • news:soc.culture.Singapore
  • telnet://www.dbu.edu.et/
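Splitting a URL into the four parts described above and filling in the default port, as an added Python example that is not part of the original post. The sample URLs are the ones from the text; the default-port table (80 for HTTP, 443 for HTTPS, 21 for FTP, 23 for telnet) is the standard one, and the function names are my own. It goes one step beyond the text by also building the request line and Host header a browser derives from a web URL, which is where a non-default port reappears.

```python
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "telnet": 23}


def split_url(url):
    """Return (protocol, hostname, port, path); raise ValueError on a malformed URL."""
    protocol, sep, rest = url.partition(":")
    if not sep or not protocol.isalpha():
        raise ValueError(f"no protocol in {url!r}")
    protocol = protocol.lower()
    if not rest.startswith("//"):
        # mailto: and news: URLs carry no hostname or port; the remainder is the resource.
        return protocol, None, None, rest
    authority, _slash, path = rest[2:].partition("/")
    hostname, colon, port_text = authority.partition(":")
    if not hostname:
        raise ValueError(f"no hostname in {url!r}")
    if colon:
        # An explicit port must be a number in the TCP range.
        if not port_text.isdigit() or not 0 < int(port_text) < 65536:
            raise ValueError(f"bad port in {url!r}")
        port = int(port_text)
    else:
        port = DEFAULT_PORTS.get(protocol)        # None for a protocol without a known default
    return protocol, hostname.lower(), port, "/" + path


def request_line(url):
    """Build the request line and Host header a browser derives from an http(s) URL."""
    protocol, host, port, path = split_url(url)
    if protocol not in ("http", "https") or not host:
        raise ValueError("not a web URL")
    # The Host header repeats the port only when it differs from the protocol's default.
    host_header = host if port == DEFAULT_PORTS[protocol] else f"{host}:{port}"
    return f"GET {path} HTTP/1.1\r\nHost: {host_header}\r\n\r\n"


if __name__ == "__main__":
    for u in ("http://www.dbu.edu.et/docs/index.html", "ftp://www.dbu.edu.et/docs/test.txt",
              "mailto:user@www.dbu.edu.et", "news:soc.culture.Singapore", "telnet://www.dbu.edu.et/"):
        print(u, "->", split_url(u))
    print(request_line("http://www.dbu.edu.et/docs/index.html"))
```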

HTTP RESPONSE CODES

  • Success 2xx: OK 200, Created 201, Accepted 202, Partial Information 203, No Response 204

  • Redirection 3xx: Moved 301, Found 302, Method 303, Not Modified 304

  • Error 4xx, 5xx: Bad Request 400, Unauthorized 401, Payment Required 402, Forbidden 403, Not Found 404, Internal Error 500, Not Implemented 501, Service Temporarily Overloaded 502 (TO BE DISCUSSED), Gateway Timeout 503 (TO BE DISCUSSED)



HTTP RESPONSE: EXAMPLE 1 (RESPONSE CODE)


import java.io.*;
import java.net.*;

class HTTPRES
{
    public static void main (String args[]) throws Exception
    {
        // the web page whose response code is to be retrieved
        URL url = new URL("http://google.com");
        HttpURLConnection connection = (HttpURLConnection)url.openConnection();

        // a GET request is sent when the connection is made
        connection.setRequestMethod("GET");
        connection.connect();

        // the status code from the response status line
        int code = connection.getResponseCode();

        // print the response code
        System.out.println("Response code of the object is "+code);

        // response code 200 = OK
        if (code==200)
        {
            System.out.println("OK");
        }
        connection.disconnect();
    }
}

OUTPUT

Response code of the object is 200

OK

BUILD SUCCESSFUL (total time: 1 second)



HTTP RESPONSE: EXAMPLE 2 (RESPONSE BODY)

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;

public class HTTPREQRES {

    public static void main(String[] args) {
        // openStream() sends a GET request and returns the response body as a stream;
        // try-with-resources closes the reader (and the connection) when done
        try (BufferedReader br = new BufferedReader(
                new InputStreamReader(new URL("http://google.com/").openStream()))) {
            String strTemp;
            // print the response body line by line
            while (null != (strTemp = br.readLine())) {
                System.out.println(strTemp);
            }
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }
}


SIMPLE HTTP SERVER

// http://localhost:8080/hello

import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import com.sun.net.httpserver.*;

public class HttpServerSimple {

   public static void main(String[] args) throws Exception {
      // listen on TCP port 8080 (backlog 0 = system default)
      HttpServer server = HttpServer.create(new InetSocketAddress(8080), 0);
      // requests for the path /hello are passed to MyHandler
      server.createContext("/hello", new MyHandler());
      server.setExecutor(null); // default executor
      server.start();
      System.out.println("Server is listening on port 8080" );
   }

   static class MyHandler implements HttpHandler {
      public void handle(HttpExchange t) throws IOException {
         String response = "Hello from MyHTTPServer.....";
         // Content-Length must be the byte count of the body, not the character count
         byte[] body = response.getBytes(StandardCharsets.UTF_8);
         t.sendResponseHeaders(200, body.length);
         OutputStream os = t.getResponseBody();
         os.write(body);
         os.close();
      }
   }
}

OUTPUT // http://localhost:8080/hello

Hello from MyHTTPServer.....

