Wednesday, May 6, 2009

Difference Between http and https

Hypertext Transfer Protocol (http) is a system for transmitting and receiving information across the Internet. Http serves as a request and response procedure that all agents on the Internet follow so that information can be rapidly, easily, and accurately disseminated between servers, which hold information, and clients, who are trying to access it. Http is commonly used to access html pages, but other resources can be utilized as well through http. In many cases, clients may be exchanging confidential information with a server, which needs to be secured in order to prevent unauthorized access. For this reason, https, or secure http, was developed by Netscape corporation to allow authorization and secured transactions.

In many ways, https is identical to http, because it follows the same basic protocols. The http or https client, such as a Web browser, establishes a connection to a server on a standard port. When a server receives a request, it returns a status and a message, which may contain the requested information or indicate an error if part of the process malfunctioned. Both systems use the same Uniform Resource Identifier (URI) scheme, so that resources can be universally identified. Use of https in a URI scheme rather than http indicates that an encrypted connection is desired.

There are some primary differences between http and https, however, beginning with the default port, which is 80 for http and 443 for https. Https works by transmitting normal http interactions through an encrypted system, so that in theory, the information cannot be accessed by any party other than the client and end server. There are two common types of encryption layers: Transport Layer Security (TLS) and Secure Sockets Layer (SSL), both of which encode the data records being exchanged.

When using an https connection, the server responds to the initial connection by offering a list of encryption methods it supports. In response, the client selects a connection method, and the client and server exchange certificates to authenticate their identities. After this is done, both parties exchange the encrypted information after ensuring that both are using the same key, and the connection is closed. In order to host https connections, a server must have a public key certificate, which embeds key information with a verification of the key owner's identity. Most certificates are verified by a third party so that clients are assured that the key is secure.

Https is used in many situations, such as log-in pages for banking, forms, corporate log ons, and other applications in which data needs to be secure. However, if not implemented properly, https is not infallible, and therefore it is extremely important for end users to be wary about accepting questionable certificates and cautious with their personal information while using the Internet.

HTTP Secure

Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol and a cryptographic protocol. HTTPS connections are often used for payment transactions on the World Wide Web and for sensitive transactions in corporate information systems.

HTTP operates at the highest layer of the TCP/IP model, the Application layer; but the security protocol operates at a lower sublayer, encrypting an HTTP message prior to transmission and decrypting a message upon arrival.

Netscape Communications created HTTPS in 1994 for its Netscape Navigator web browser.Originally, HTTPS was only used with SSL encryption, but this has been made obsolete by Transport Layer Security. HTTPS was adopted as a web standard with the publication of RFC 2818 in May 2000.


Strictly speaking, HTTPS is not a separate protocol, but refers to the combination of a normal HTTP interaction over an encrypted Secure Sockets Layer (SSL) or Transport Layer Security (TLS) connection. This ensures reasonable protection from eavesdroppers and man-in-the-middle attacks, provided that adequate cipher suites are used and that the server certificate is verified and trusted.

As opposed to HTTP URLs that begin with "http://", HTTPS URLs begin with "https://". If no port is explicitly specified in the URL, an HTTPS connection is opened on port 443, as opposed to unsecured HTTP which typically uses port 80.

To prepare a Web server to accept HTTPS connections, the administrator must create a public-key certificate for the Web server. These certificates can be created for Unix-based servers with tools such as OpenSSL's ssl-ca or SuSE's gensslcert. This certificate must be signed by a certificate authority of one kind or another. The authority certifies that the certificate holder is indeed the entity it claims to be. Certificates that are registered in the root chains cost between US$13 and $1,500 per year. Web browsers are generally distributed with the signing certificates of major certificate authorities so that they can verify certificates signed by them.

Organizations may also run their own certificate authority, particularly if they are responsible for setting up browsers to access their own sites (for example, sites on a company intranet). They can easily add copies of their own signing certificate to those shipped with the browser.

Some sites, especially those operated by hobbyists, use self-signed certificates on public sites. Using such certificates provides protection against simple eavesdropping, but the prevention of man-in-the-middle attacks entails the use of some other secure method of verifying the certificate.

The system can also be used for client authentication in order to limit access to a web server to authorized users. To do this, the site administrator typically creates a certificate for each user, a certificate that is loaded into his/her browser. Normally, that contains the name and e-mail address of the authorized user and is automatically checked by the server on each reconnect to verify the user's identity, potentially without even entering a password.

Browser integration
With the newer Internet Explorer 7 browser, Microsoft has increased the warnings sent when certificates are not registered. Whereas previously only a "security advice" pop-up appeared (which differentiated between name, source, and run time of the certificate), now a warning is displayed across the entire window, which recommends not using the website. Therefore, a certificate that is not registered in the browser is not usable for mass applications.

Mozilla Firefox 3.0 introduced Secure Website Certificate Verification. When you visit a secure website, Firefox will check with the certificate provider to validate that website's certificate. Firefox sends only the certificate identification to the certificate provider, not the exact URL you are visiting. If the certificate is not valid, you will receive an error page that states the certificate was revoked and you will not be able to access that website. The technical name for this process is OCSP or On-line Certificate Status Protocol. You may completely turn off the secure website certificate verification feature in Firefox's preferences under the encryption tab.

The level of protection depends on the correctness of the implementation by the Web browser and the server software and the actual cryptographic algorithms supported.

Also, HTTPS is vulnerable when applied to publicly-available static content. The entire site can be indexed using a web crawler, and the URI of the encrypted resource can be inferred by knowing only the intercepted request/response size.This allows an attacker to have access to the plaintext (the publicly-available static content), and the encrypted text (the encrypted version of the static content).

Because SSL operates below HTTP and has no knowledge of higher-level protocols, SSL servers can only strictly present one certificate for a particular IP/port combination. This means that, in most cases, it is not feasible to use name-based virtual hosting with HTTPS. RFC-3546 TLS Extensions describes a solution called Server Name Indication (SNI), although many older browsers don't support this extension. Support for SNI is available since Firefox 2.0, Opera 8, Mozilla 1.8, and Internet Explorer 7 on Windows Vista.

Most web browsers use the address bar to tell the user that their connection is secure.

Most web browsers also stop the user from visiting sites that have invalid security certificates.