HTTPS
HTTPS (HTTP over SSL) refers to the combination of HTTP
and SSL to imple- ment secure communication between a Web browser
and a Web server.
The HTTPS capability is built into all modern Web browsers.
Its use depends on the Web server
supporting HTTPS communication. For example,
search engines do not support HTTPS.
The principal difference seen by a user of a
Web browser is that URL (uni- form resource locator) addresses begin with
https:// rather than http://. A normal HTTP connection uses port 80. If HTTPS
is specified, port 443 is used, which invokes SSL.
When HTTPS is used, the following elements of the
communication are encrypted:
•
URL of the requested document
•
Contents of the document
•
Contents of browser forms
(filled in by browser user)
•
Cookies sent from browser
to server and from server
to browser
•
Contents of HTTP header
HTTPS is documented in RFC 2818,
HTTP Over TLS. There
is no fundamen- tal change in using HTTP over either SSL or TLS, and both implementations are referred
to as HTTPS.
Connection Initiation
For HTTPS, the agent acting as the HTTP client also acts as
the TLS client. The client initiates a connection to the server
on the appropriate port and then sends
the TLS ClientHello to begin the TLS handshake. When the TLS handshake
has fin- ished, the client may then initiate the first HTTP request. All HTTP
data is to be sent as TLS application data. Normal HTTP behavior, including
retained connec- tions, should be followed.
We need to be clear that there are three levels of awareness
of a connection in HTTPS.
At the HTTP level, an HTTP client requests a connection to an HTTP server by sending a connection request to the next lowest
layer. Typically, the next lowest layer is TCP, but it also may be TLS/SSL. At the level of TLS, a session is established between
a TLS client and a TLS server.
This session can support one or
more connections at any time. As we have seen, a TLS request to establish a
con- nection begins with the establishment of a TCP connection between
the TCP entity on
the client side and the TCP entity on the server side.
Connection Closure
An HTTP client or server can indicate
the closing of a connection by including the following line in an HTTP record:
Connection: close. This indicates that the
connection will be closed after this record is delivered.
The closure of an HTTPS connection requires that TLS close the
connection with the peer TLS entity on the remote side,
which will involve
closing the underly- ing TCP connection. At the TLS
level, the proper way to close a connection is for each side to use the TLS alert protocol
to send a close_notify alert. TLS imple- mentations must initiate an exchange of closure alerts before closing
a connection. A TLS implementation may, after
sending a closure
alert, close the connection with- out waiting for the peer to send
its closure alert, generating an “incomplete
close”. Note that an implementation that does this may choose to reuse the
session. This should only be done when the application knows (typically through
detecting HTTP message boundaries) that it has received all the message
data that it cares about.
HTTP clients also must be able to cope with a situation in which the underlying
TCP connection is terminated without
a prior close_notify alert and without a Connection:
close indicator. Such a situation could
be due to a programming error on the server or a communication error that causes the TCP connection to drop. However, the
unannounced TCP closure
could be evidence of some sort
of attack. So the
HTTPS client should
issue some sort of security
warning when this occurs.
Related Topics
Privacy Policy, Terms and Conditions, DMCA Policy and Compliant
Copyright © 2018-2023 BrainKart.com; All Rights Reserved. Developed by Therithal info, Chennai.