HTTP is an application-level protocol for distributed, collaborative hypermedia systems that has been in use on the World Wide Web since 1990. The initial HTTP/0.9 version was a simple protocol for raw data transfer, while HTTP/1.0 introduced MIME-like messages carrying meta-information and request/response modifiers. HTTP/1.0 did not sufficiently account for hierarchical proxies, caching, persistent connections or virtual hosts. HTTP sits at the top of the TCP/IP stack; TCP port numbers let one host multiplex several application protocols, with HTTP conventionally served on port 80. An HTTP message is delivered over a TCP/IP connection by splitting it into chunks small enough to fit in TCP segments, which are in turn carried in IP datagrams.
1. HTTP INTRODUCTION
• The Hypertext Transfer Protocol (HTTP) is an application-level
protocol for distributed, collaborative, hypermedia information
systems. HTTP has been in use by the World-Wide Web global
information initiative since 1990.
• The first version of HTTP, referred to as HTTP/0.9, was a simple
protocol for raw data transfer across the Internet.
• HTTP/1.0 improved the protocol by allowing messages to be in the
format of MIME-like messages, containing meta-information about
the data transferred and modifiers on the request/response semantics.
• HTTP/1.0 does not sufficiently take into consideration the effects of
hierarchical proxies, caching, the need for persistent connections, and
virtual hosts.
2. A BRIEF DIGRESSION ON TCP/IP
HTTP sits at the top of the TCP/IP protocol stack:
• Application Layer: HTTP
• Transport Layer: TCP
• Network Layer: IP
• Data Link Layer: Network Interfaces
Port numbers let TCP carry multiple application protocols to one host, with each service listening on its default (well-known) port:
• HTTP on port 80
3. HOW AN HTTP MESSAGE IS DELIVERED OVER A TCP/IP CONNECTION
GET /index.html HTTP/1.1<CRLF>
Host: www.hostname.com Con…
• The HTTP message's data stream is chopped up into chunks small enough to fit in a TCP segment.
• The chunks ride inside TCP segments, whose sequence numbers are used to reassemble them correctly on the other end of the connection.
• The segments are shipped to the right destination inside IP datagrams.
4. OVERALL OPERATION OF HTTP
The HTTP protocol is a request/response protocol.
A client sends a request to the server in the form of a request method, URI, and protocol version, followed by a MIME-like message containing request modifiers, client information, and possible body content, over a connection with a server.
The server responds with a status line, including the message's protocol version and a success or error code, followed by a MIME-like message containing server information, entity meta-information, and possible entity-body content.
5. HTTP AND URLS
• URLs were used early on by all Internet protocols, including various document retrieval protocols.
• More specifications (both from 1994):
– URL: Uniform Resource Locators
– URI: Universal Resource Identifiers
– A URL is just one type of URI.
• Hypertext came to predominate as the most efficient way of providing access to resources:
– Fast, flexible, generic, extensible
– Facilitated searching, collaboration, annotation
• HTTP is now the central mechanism for requesting and serving URL-based resources.
6. URLS AND URIS
• URL (Uniform Resource Locator)
– Provides a single short string to identify a network-accessible resource
– <scheme>://<host>[:<port>]/<path>[?<query>]
– http://www.w3.org/Icons/w3c_home.gif
• URI (Uniform Resource Identifier)
– Identifies a resource either by location or by name.
– A superset of URLs.
– The selection of the representation can be determined by the web server through HTTP content negotiation.
– http://www.w3.org/Icons/w3c_home.
– The HTTP request line contains a non-URL URI: only the path part of the URL (e.g. GET /index.html HTTP/1.1), with the host carried separately in the Host header.
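Added example, not part of the original slides: splitting an absolute URL into the parts named above (<scheme>://<host>[:<port>]/<path>[?<query>]) and deriving the request target and Host header an HTTP/1.1 client would send for it. Standard library only; the example URLs are constructed for the demo.

```python
# Added example (not from the slides): split an absolute http(s) URL into the
# parts named on the slide and derive the request line and Host header an
# HTTP/1.1 client sends for it. Standard library only; the example URLs are
# constructed for the demo.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_url(url: str) -> dict:
    """Return scheme, host, port, path and query of an absolute http(s) URL.

    Raises ValueError for another scheme, a missing host or a bad port, so a
    caller never silently talks to the wrong place."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,      # urlsplit lower-cases the host for us
        "port": port,
        "path": parts.path or "/",   # an empty path means the root resource
        "query": parts.query,
    }


def request_target(url: str) -> str:
    """The non-URL URI that goes into the request line: path plus any query."""
    u = parse_url(url)
    return u["path"] + (f"?{u['query']}" if u["query"] else "")


def host_header(url: str) -> str:
    """Host header value; the port is included only when it is not the default."""
    u = parse_url(url)
    if u["port"] == DEFAULT_PORTS[u["scheme"]]:
        return u["host"]
    return f"{u['host']}:{u['port']}"


def build_get_request(url: str) -> bytes:
    """Serialize a minimal HTTP/1.1 GET: CRLF line endings, blank line ends the headers."""
    lines = [
        f"GET {request_target(url)} HTTP/1.1",
        f"Host: {host_header(url)}",
        "Connection: close",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


if __name__ == "__main__":
    for url in ("http://www.w3.org/Icons/w3c_home.gif",
                "http://example.com:8080/search?q=http"):
        print(build_get_request(url).decode("ascii"))
```

The non-default port is kept in the Host header because the server uses that header to pick the virtual host; a non-http scheme or a URL without a host is rejected rather than guessed at.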
7. HTTP REQUIRES A TCP CONNECTION
Before systems can exchange HTTP messages, they must establish a TCP connection. Steps 1, 2 and 3 in this example show the connection establishment (the TCP three-way handshake). Once the TCP connection is available, the client sends the server an HTTP request. The final two steps show the closing of the TCP connection.
8. PERSISTENT CONNECTIONS
Prior to persistent connections, a separate TCP connection was established to fetch each URL, increasing the load on HTTP servers and causing congestion on the Internet.
Persistent HTTP connections have a number of advantages:
• By opening and closing fewer TCP connections, CPU time is saved, and memory used for TCP protocol control blocks is also saved.
• HTTP requests and responses can be pipelined on a connection. Pipelining allows a client to make multiple requests without waiting for each response, allowing a single
9. PIPELINING
Pipelining lets an HTTP client issue a new request without waiting for the responses to its previous messages.
In this figure, the client sends its first request in step 4. It immediately follows that with a second request in step 5. The client does not wait for the server's response, which arrives in step 6.
10. HTTP SERVERS TURN URLS INTO RESOURCES THROUGH A REQUEST-RESPONSE CYCLE
The HTTP client asks for a resource by its URL (http://www.Site.com/test.html) in an HTTP request; the HTTP server www.Site.com maps the request path to the resource (/test in the figure) and returns it in the HTTP response.
11. HTTP MESSAGE
HTTP messages consist of requests from client to server and responses from server to client.
HTTP-message = Request | Response ; HTTP/1.1 messages
REQUEST
The Resource Identified by a Request
An origin server that does differentiate resources based on the host requested MUST use the following rules for determining the requested resource on an HTTP/1.1 request (RFC 2616 §5.2):
– If the Request-URI is an absolute URI, the host is part of the Request-URI and any Host header value is ignored.
– If the Request-URI is not an absolute URI and the request includes a Host header, the host is determined by the Host header value.
– If the host determined by either rule is not a valid host on the server, the response is a 400 (Bad Request).
12. RESPONSE
After receiving and interpreting a request message, a server responds with an HTTP response message.
Response = Status-Line
           *( general-header
            | response-header
            | entity-header )
           CRLF
           [ message-body ]
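Added example, not part of the original slides: a small HTTP/1.1 message parser for the request and response grammar of slides 4, 11 and 12, plus a toy origin server that answers several pipelined requests on one persistent connection (slides 8 and 9) and selects the resource by Host header as slide 11 requires. Standard library only; the virtual hosts, resources and sample requests are constructed for the demo, and bodies are delimited by Content-Length only.

```python
# Added example (not from the slides): HTTP/1.1 message parser for both
# directions, a toy origin server that picks the resource by Host header
# (RFC 2616 §5.2 rules for origin-form targets), and a pipelined exchange
# over one persistent connection. Hosts, resources and requests are constructed.
import socket
import threading

RESOURCES = {  # constructed: what each virtual host serves
    "www.site.com": {"/test.html": b"<h1>Site</h1>"},
    "www.hostname.com": {"/index.html": b"<h1>Hostname</h1>"},
}
REASONS = {200: "OK", 400: "Bad Request", 404: "Not Found", 405: "Method Not Allowed"}


def parse_message(raw: bytes):
    """Return (start_line, headers, body, rest) for the first message in raw, or
    None while the buffer is incomplete. ValueError on a malformed header."""
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        return None
    start_line, *header_lines = raw[:end].decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():  # empty name or "Name :"
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    rest = raw[end + 4:]
    if len(rest) < length:
        return None
    return start_line, headers, rest[:length], rest[length:]


def response(code: int, body: bytes) -> bytes:
    """Status-Line, headers, CRLF, message-body: the grammar of slide 12."""
    head = (f"HTTP/1.1 {code} {REASONS[code]}\r\nContent-Type: text/html\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("ascii") + body


def handle_request(start_line: str, headers: dict) -> bytes:
    """Host comes from the Host header; a missing Host or a host not served here is a 400."""
    parts = start_line.split(" ")
    if len(parts) != 3 or parts[2] != "HTTP/1.1" or "host" not in headers:
        return response(400, b"Bad Request")
    method, target, _version = parts
    site = RESOURCES.get(headers["host"].lower())
    if site is None:
        return response(400, b"Bad Request")
    if method != "GET":
        return response(405, b"Method Not Allowed")
    body = site.get(target)
    return response(200, body) if body is not None else response(404, b"Not Found")


def serve(conn: socket.socket) -> None:
    """One persistent connection: parse requests in order, answer in order, until the peer closes."""
    buf = b""
    while True:
        try:
            parsed = parse_message(buf)
        except ValueError:
            conn.sendall(response(400, b"Bad Request"))
            break
        if parsed is None:
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
            continue
        start_line, headers, _body, buf = parsed
        conn.sendall(handle_request(start_line, headers))
    conn.close()


def pipelined_exchange(requests: list) -> list:
    """Client side: send every request at once (pipelining), then read the
    responses back in order. Returns (status_line, body) pairs."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=serve, args=(server,))
    worker.start()
    client.sendall(b"".join(requests))  # no waiting for a response in between
    client.shutdown(socket.SHUT_WR)
    buf, results = b"", []
    while len(results) < len(requests):
        parsed = parse_message(buf)
        if parsed is None:
            chunk = client.recv(4096)
            if not chunk:
                break
            buf += chunk
            continue
        status_line, _headers, body, buf = parsed
        results.append((status_line, body))
    client.close()
    worker.join()
    return results


def demo() -> list:
    # Four pipelined requests: two served, one without Host, one for a host not served here.
    return pipelined_exchange([
        b"GET /index.html HTTP/1.1\r\nHost: www.hostname.com\r\n\r\n",
        b"GET /test.html HTTP/1.1\r\nHost: www.Site.com\r\n\r\n",
        b"GET /test.html HTTP/1.1\r\n\r\n",
        b"GET /test.html HTTP/1.1\r\nHost: other.example\r\n\r\n",
    ])
```

Because responses on a pipelined connection carry no request identifier, the server must answer strictly in the order the requests arrived, which is why serve() processes one parsed message at a time from a single buffer; the two 400 responses show the Host rules of slide 11 applied to a request without a Host header and to a host this origin does not serve.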
14. NEGOTIATION
Content negotiation takes three forms:
• Server-driven negotiation
• Agent-driven negotiation
• Transparent negotiation
Caching in HTTP
To keep caching semantically transparent where required, the HTTP/1.1 protocol provides these important elements:
1. Protocol features that provide full semantic transparency when this is required by all parties.
2. Protocol features that allow an origin server or user agent to explicitly request and control non-transparent operation.
3. Protocol features that allow a cache to attach warnings to responses that do not preserve the requested approximation of semantic transparency.
Security Considerations
• Authentication of clients
• Abuse of server log information
• Privacy issues connected to Accept headers
• DNS spoofing
15. HTTPS
• HTTPS: Hypertext Transfer Protocol over Secure Sockets Layer (SSL).
• The first implementation of HTTP over SSL was issued in 1995 by Netscape.
16. CRYPTOGRAPHY
Plain text (important information: Data, Data, Data.)
→ Encryption (the encryption algorithm is the cipher)
→ Cipher text (Hh2sh!~hH==E#@ns8676%===sdf, which looks like a random string)
19. SSL HANDSHAKE PROCESS
1. The client requests an HTTPS session.
2. The server sends back its certificate (with its public key).
3. The client creates a session key (53 in the figure).
4. The client encrypts the session key with the server's public key (X$qp0). At this point only the client knows the session key.
5. The encrypted session key is sent to the server.
6. The server decrypts the session key with its private key. At this point both client and server know the session key.
7. The session is encrypted with the symmetric session key (53).
In this form of the handshake the session key is protected only by the public key received in step 2, so the client must check that the certificate really belongs to the server it meant to reach: whoever supplies that public key is the party able to perform step 6.
20. MAN-IN-THE-MIDDLE (MITM) ATTACK CONCEPT
• There is a way to get around the encryption instead of trying to break it.
• Ali wants to send secure messages to Ahmed.
• Man intercepts Ali's messages.
• Man talks to Ali and pretends to be Ahmed.
• Man talks to Ahmed and pretends to be Ali.
Key exchange as each party sees it:
– Ali ⇄ Man: Ea, Ec (Ali receives Ec, believing it to be Ahmed's key)
– Man ⇄ Ahmed: Ec, Eb (Ahmed receives Ec, believing it to be Ali's key)
E{a,b,c} = Ali's, Ahmed's, and Man's public keys, respectively
21. MITM ATTACK CONCEPT
• Ali uses the public key she thinks she received from Ahmed (in fact Man's).
• Ahmed uses the key he thinks is Ali's (also Man's).
• As a result, Man not only gains access to the secure information but can also modify it (e.g. transfer money to a different account).