Home‎ > ‎3 pm class page‎ > ‎



Difference between HTTP and HTTPS

Here are links to wikipedia: HTTP/ HTTPS

 HTTP is also known as "Hypertext Transfer Protocol." HTTP is a networking, or communication protocol (arrangement of digital message formats used in order to transfer information between computers and telecommunications[wiki,2011]) used in order to format and develop web pages. HTTP specifies how the web pages should be formatted and how to respond to certain commands or requests from the user.
  •  HTTP is the basis of communication for the World Wide Web.
  • Most websites use HTTP.
  • HTTP was developed by the Internet Engineering Task Force (IETF) and the World Wide Web Consortium (W3C).(wiki,2011)
    • The Internet Engineering Task Force is an open international association that is formed by a group of people that have great interest in the internet.
    • "The mission of the IETF is to make the Internet work better by producing high quality, relevant technical documents that influence the way people design, use, and manage the Internet".
    • The World Wide Web Consortium is an international association that ensure long term development the World Wide Web. 
    • "W3C's vision for the Web involves participation, sharing knowledge, and thereby building trust on a global scale"
  • HTTP is a application layer protocol designed within the framework of the Internet Protocol Suite (wiki,2011)
    • Internet Protocol Suite has 4 network layers: Application, Transport, Internet and Physical. HTTP falls under the Application Layer
  •  Application Layer
     Transport Layer
    TCP, UPD
     Internet Layer
     Link Layer
    ARP, DSL, ISDN, OSPF, Ethernet
  • HTTP runs on Transmission Control Protocol (TCP), meaning that your computer has to use the port80 to send and receive data to use HTTP. (wiki,2011)
  • Having the knowledge of HTTP can be a huge advantage because "everyone knows HTTP."
  • HTTP functions as a request-response/request-reply protocol in the client-server computing model
    • The web browser is the client (referred to as "user agent" or UA), and the application that is on the computer managing the website is the server. (wiki, 2011)
  • HTTP is a "stateless protocol"  meaning that the server is not required to keep information about the client's actions during the client's requests, simply put, there are no memories that get saved during the connection.
  • HTTP V0.9 in 1991 is the first version of HTTP. (wiki, 2011)
  • In 1996, Dave Raggett and his team from HTTP Working Group (HTTP WG) released the new and improved version of HTTP V1.0 and then V1.1 shortly after. This version is different from the 0.9 for several reasons. The newer version has a cache-control header, an options method, and the range of requests is expanded. 
    • Dave Ragget is a computer scientist from England. He worked for Hewlett-Packard, and started working on the idea of creating a more complex web browser called Arena during his free time.
  • By March 1996, several versions of Internet Explorer, Arena, Netscape, Mosaic, and Lynx, were all supported HTTP V1.1.(wiki,2011)
  • At this time, 40% of internet browsers were HTTP V1.1 compliant. And by June of the same year, it jumped up to 65% (wiki,2011)
Securing HTTP:
Three Methods for securing HTTP
     1.HTTP Secure (HTTPS)
    2. Secure Hypertext Transfer Protocol
    3. HTTP/1.1 Upgrade Header
How HTTP Works
    1. An HTTP client (web browser) begins a request by securing a certain connection called Transmission Control Protocol (TCP) to a specific port on a server.
    2. Meanwhile, the HTTP server waits until the client message request is sent to them.
    3. After the HTTP server receives the request, the server then sends back a status line(that includes numeric status code) and information.
-Http Status lines are translated into status codes, which are a set of codes (3digits) that have a specific meaning to them
    -ex: 200 means "OK", 202 means "accepted", 400 means "bad request",

 HTTPS is also known as "Hypertext Transfer Protocol Secure." HTTPS is the highest protected mode of communication or transmission over the internet. The "s" in HTTPS stands for "Secure", meaning that it is more "secure" than the regular HTTP.  HTTPS encodes their data through a protocol known as SSL "Secure Socket Layer" also known as TLS "Transport Layer Security" which uses a mix of public and private key and symmetric encryption. HTTPS allows secure electronic commerce (buying and selling online) activities to be accessible to people over the World Wide Web. Simply put, HTTPS is there so that private information can be safely transferred safely in an unreliable network.
  • HTTPS is the mixture between HTTP and SSL/TLS.
  • HTTPS is used for websites that deal with private information such as: online banking, and websites where you enter credit card information.
  • When you are on a HTTPS website, most web browsers show a padlock image in order to show the computer user that the website they are on is safe and secure.
  • HTTPS is a URL scheme. (wiki,2011)
  • All parts of the HTTPS message are encrypted
  • HTTP uses a port called port443.(wiki,2011)
  • There are 7 layers in the OSI model. HTTPS operates at the highest level of OSI Model.  however, the security protocol runs on a lower, sublayer to encrypt HTTP message. (wiki, 2011)
    • OSI model (Open System Interconnection Model) is a model that differentiates network protocols and applications.
      • There are 7 layers in the OSI model:
        • Physical: deals with bit stream, light, radio, media signal.
        • Data Link: deals with data packets. 2 layers
          • MAC: (media access control): deals with how gains access to the data and their transmission of that data.
          • LLC: (logical link control): deals with flow control and error checking.
        • Network: deals with error handling, routing, congestion control, etc.
        • Transport: establishes a successful data transfer
        • Session:controls and facilitates connections between applications or computers
        • Presentation:also known as "syntax layer." Takes data and encrypts is for the Application layer.
        •  Application: this layer allows file transfers, email, etc.

How they are trusted:
  • HTTPS works with major certificate authorities that are pre-installed in the browser or software.
  • In order to be able to trust the HTTPS website, all of the following must comply:
    • The user must trust that their browser retrieved the HTTPS website correctly, after going through and checking all the certificates.
    • The user must trust that these certificates are valid- meaning that the certificates are authentic and signed by a accredited authority.
    • The certificate must match the website.
    • The user must trust that the TLS/SSL is protected.
  • HTTPS was at first used with an SSL protocol.(wiki, 2011)
  • However, when the SSL protocol became TLS (Transport Level Security), the new present version of HTTPS was introduced in May 2000. (wiki, 2011)

HTTPS & SSL tutorial

  How HTTPS & SSL Works

  1.  Your computer/laptop retrieves a public key from the web server that you are linked to.
  2. Your computer then produces a key for symmetric encryption and puts that key into a specific code utilizing the web-site's public key. After that is done, your computer sends the new symmetric key to the website.
  3. Then, the website receives the key and translates, or decodes the key using their own private key. What this means is that only your computer and that website understand that key and has now established a secure connection.
  4. At the end of your session with the website, your computer and the website both gets rid of the keys so that outsiders cannot retrieve the keys in any way.

    *Take a look at this YouTube video to the right that visualizes this transaction that happens between the server 
      and your computer in a way that is easy to understand. 

SSL Options:
There are two options for SSL: simple and mutual.
  • Mutual SSL, compared to simple SSL, has higher security.
  • Mutual SSL makes computer user to put in a special personal certificate in their browser so that they can verify things themselves
No matter what option is used, simple or mutual, the security level relies on the accuracy of the implementation of the web browser, the server software, and the algorithms supported.

Certificates for SSL
  • The prices for these certificate can range from free to $1,500 per year.
  • Companies can also make their own certificate authority.
  • There are many types of certificates
    • WildCard SSL: protects all servers on a given domain
    • Single Certificate: protects one server with one name
    • Multiple Domains: protects up to 100 domains.
    • Unified Communications Certificate: protects up to 25 server names
    • Extended Validation Certificate (EV): highest protection (where you get the green bar)
  • see more here...