HTTP Protocol

Abstract:

In this paper a detailed study of the HTTP and HTTPS
protocols is made. HTTP (Hypertext Transfer Protocol) is the main protocol
of the World Wide Web. It allows communication between a variety of clients.
Web servers use HTTP to communicate with the browsers available today, such as
Google Chrome, Mozilla Firefox and Internet Explorer. HTTPS (Hypertext Transfer
Protocol Secure) is used for the same purpose as HTTP but with additional
features. Various features of both protocols are also discussed.

Keywords: HTTP; HTTPS;

Introduction:

The HTTP protocol is used by the web browser to transmit
and receive information on the internet. HTTP means Hypertext Transfer Protocol,
and it is used for exchanging information between the web server and the client. Tim
Berners-Lee implemented the HTTP protocol in 1990-1 at CERN, the European
Center for High-Energy Physics in Geneva, Switzerland. HTTP stands at the very
core of the World Wide Web. This protocol is used for delivering virtually all
files, such as image files, text files and video files. With the help of HTTP,
web servers communicate with browsers such as Google Chrome, Mozilla Firefox
and Internet Explorer. HTTPS means Hypertext Transfer Protocol Secure, and
it is used to establish a secure connection across the internet. Communication
between the client-side browser and the web server is encrypted under a secure
certificate known as an SSL certificate. This encryption of the information helps
prevent sniffing of the information by hackers.

What is HTTP?

HTTP
is an application-level protocol for collaborative, distributed, hypermedia
information systems. It is the data communication protocol used to establish
communication between client and server. HTTP is the main protocol used
by the World Wide Web for communication. HTTP defines how messages are
formatted and transmitted across the internet. The HTTP protocol is based on the
client-server model. The browser acts as the client because it is used to send requests
to the server. The server then sends the response back to the client. The default port
on which the server listens for requests is 80. HTTP is a request/response
stateless protocol. The main function of HTTP is to transmit resources across the
internet. A resource can be a file, a CGI script, or a document written in any
available language. The format of the request and response messages is very
similar. An HTTP request has mainly three parts: a) a request line, b) HTTP
headers, and c) an optional HTTP body. An example of an HTTP request line is given below:

    GET /xyz1.html HTTP/1.1

This means the client is instructing the server to GET the
xyz1.html file using the HTTP/1.1 protocol. The next information needed by the server is the
HTTP header. The HTTP header contains information about the request and
information about the client, such as the browser type or connection information.
The final part of the HTTP request is the HTTP body, which is optional. It is used when
the client wants to transfer specific data to the server [3][12]. For example, when you
enter a URL in
your browser, this actually sends an HTTP command to the web server directing
it to fetch and transmit the requested web page.

Features of HTTP:

a) HTTP is a connectionless protocol. This means the client
or browser makes an HTTP request, then disconnects from the server and
waits for the response. After processing the request, the server
sends the response back to the client.

b) HTTP is a
media independent protocol, meaning any type of data can be sent over HTTP.

c) HTTP is a
stateless protocol. This means the server and client are in touch with each other
only during the current request.
Afterwards, both of them forget each other.

Architecture of HTTP:

The diagram below represents the basic architecture
of a web application and depicts where HTTP stands.

The HTTP protocol is based on a request/response
model. The communication generally takes place over a TCP/IP connection on the
Internet. The default port is 80, but other ports can be used. A requesting
program (a client) establishes a connection with a receiving program (a server)
and sends a request to the server in the form of a request method, URI, and
protocol version, followed by a message containing request modifiers, client
information, and possible body content. The server responds with a status line,
including its protocol version and a success or error code, followed by a
message containing server information, entity metainformation, and possible
body content.

HTTP Requests:

A client sends an HTTP request to a server in the form of a request message, which has
the following format:

a) A Request-Line
b) Zero or more header (General|Request|Entity) fields, each followed by CRLF
c) An empty line (i.e., a line with nothing preceding the CRLF) indicating the end of the header fields
d) Optionally, a message-body

Request Line:

The Request-Line begins
with a method token, followed by the Request-URI and the protocol version, and
ends with CRLF. The elements are separated by SP (space) characters.

Request Header Fields:

The request-header
fields allow the client to pass additional information about the request, and
about the client itself, to the server. These fields act as request modifiers.

HTTP methods:

The HTTP method indicates the operation to be performed on the resource identified by
the Request-URI. Method names are case sensitive and must
be written in uppercase.

GET: This is the most common HTTP method. It
is used to retrieve the requested information. If the requested file is an HTML
file, its content is displayed by the browser. If the requested
file is a dynamic ASP file, the server first processes this file, executes
its commands and finally sends the output of those commands to the requesting
browser.

HEAD: This method is almost the same as the GET method,
but it does not return the requested data. It is used to transfer only the header
section: status line, server response code, etc.

POST: This method is used to send data to the server, which
then acts on it. POST is used when CGI or server-side scripting is
involved.

PUT: The
PUT method is used to request that the server store the included entity-body at the
location specified by the given URL.

DELETE: The DELETE method
is used to request that the server delete the file at the location specified by the
given URL.

CONNECT: The CONNECT
method is used by the client to establish a network connection to a web server
over HTTP.

OPTIONS: The OPTIONS
method is used by the client to find out the HTTP methods and other options
supported by a web server. The client can specify a URL for the OPTIONS method,
or an asterisk (*) to refer to the entire server.

TRACE: The TRACE method
is used to echo the contents of an HTTP request back to the requester, which can
be used for debugging purposes during development.

HTTP Responses:

After receiving and
interpreting a request message, a server responds with an HTTP response message, which has the following format:

a) A Status-Line
b) Zero or more header (General|Response|Entity) fields, each followed by CRLF
c) An empty line (i.e., a line with nothing preceding the CRLF) indicating the end of the header fields
d) Optionally, a message-body

Response Header Fields:

The response-header
fields allow the server to pass additional information about the response which
cannot be placed in the Status-Line. These header fields give information
about the server and about further access to the resource identified by the
Request-URI.

HTTP Status Codes:

The status code of an HTTP response is a three-digit integer
that indicates the result of the request. The first
digit of the status code identifies the class of the response. For example,
if status code 200 is received on the client machine, it means that this status
code is from the 2xx class, which indicates that the client request was successfully
received, understood and accepted.
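To make the request and response layouts described above concrete (Request-Line or Status-Line, header fields ended by an empty line, optional body, the uppercase method tokens, and the status class given by the first digit), here is an added Python example that is not part of the paper. The sample messages are constructed; the parser goes slightly beyond the text by rejecting conflicting Content-Length fields, as RFC 7230 requires.

```python
from typing import NamedTuple

METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE"}  # upper-case tokens
STATUS_CLASSES = {"1": "Informational", "2": "Successful", "3": "Redirection",
                  "4": "Client Error", "5": "Server Error"}  # class = first digit of the code

class Message(NamedTuple):
    start: tuple    # request: (method, uri, version); response: (version, code, reason)
    headers: dict   # field names lower-cased, values stripped
    body: bytes

def _parse_headers(lines):
    """'Name: value' fields; a missing colon or a name padded with whitespace is rejected."""
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header field: %r" % line)
        key, value = name.lower(), value.strip()
        if key == "content-length" and headers.get(key, value) != value:
            raise ValueError("conflicting Content-Length fields")  # RFC 7230 s.3.3.2
        headers[key] = value
    return headers

def parse_message(raw: bytes) -> Message:
    """Start line, header fields, the empty line (CRLF CRLF), then the optional body."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no empty line terminating the header fields")
    lines = head.decode("ascii").split("\r\n")
    start = tuple(lines[0].split(" ", 2))  # SP-separated; a reason phrase may itself contain SP
    if len(start) != 3 or "" in start:
        raise ValueError("start line must have three SP-separated elements")
    if start[0].startswith("HTTP/"):       # Status-Line: version SP 3-digit code SP reason
        code = start[1]
        if len(code) != 3 or not code.isdigit() or code[0] not in STATUS_CLASSES:
            raise ValueError("bad status code: %r" % code)
    elif start[0] not in METHODS:          # Request-Line: method SP Request-URI SP version
        raise ValueError("unknown or lower-case method: %r" % start[0])
    headers = _parse_headers(lines[1:])
    declared = headers.get("content-length", "0")  # the body is optional; its length is declared
    if not declared.isdigit() or len(rest) < int(declared):
        raise ValueError("missing or malformed Content-Length / body")
    return Message(start, headers, rest[:int(declared)])

def status_class(msg: Message):
    """Class name for a response (by first digit); None for a request."""
    return STATUS_CLASSES[msg.start[1][0]] if msg.start[0].startswith("HTTP/") else None

# Constructed sample messages, mirroring the GET /xyz1.html example in the text.
REQUEST = b"GET /xyz1.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: demo\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello"
```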

The different classes of status code are listed below:

1xx (Informational):

This response indicates that the request has been
received and processing is in progress.

100 Continue:

The status code 100 (Continue) indicates that the
initial part of the request has not yet been rejected by the server, and the
server will send the final response to the client after the request has been
fully received.

101 Switching Protocols:

The status code 101 (Switching Protocols) indicates
that the client has requested that the server switch protocols and the
server has agreed to do so.

2xx (Successful):

The 2xx class of status code indicates that the action was
received, understood and accepted.

200 OK:

The status code 200 (OK) indicates that the action
has succeeded; the payload sent in the 200 response depends on the
request method.

201 Created:

The status code 201 (Created) indicates that the
request has been fulfilled and accepted, and a new resource has been created.

202 Accepted:

The status code 202 (Accepted) indicates that the
request has been accepted for processing on the server side, but the
processing has not yet been completed.

203 Non-Authoritative Information:

The status code 203 (Non-Authoritative Information)
indicates that the entity header information is a third-party or local
copy, not from the origin server.

204 No Content:

The status code
204 (No Content) indicates that a status line and headers are given in the response, but there is no
body in the response.

205 Reset Content:

The status code 205 (Reset Content) indicates that the
browser should reset the form used for this transaction so that additional input can be entered.

206 Partial Content:

The status code 206 (Partial Content) indicates that
the server is returning part of the data, of the size requested by the client.

3xx (Redirection):

In this class, further action must be taken to
complete the request.

300 Multiple Choices:

The status code 300 (Multiple Choices) will display
a list of links from which the client can select one and go to the expected
location or destination. At most five addresses can be displayed.

301 Moved Permanently:

The status code 301 (Moved Permanently) indicates
that the requested page has moved permanently to the new URL shown in the browser.

302 Found:

The status code 302 (Found) indicates that the
requested page has moved temporarily to the new URL shown in the browser.

303 See Other:

The status code 303 (See Other) indicates that the requested
page will be displayed under a different URL in the browser.

304 Not Modified:

The status code 304 (Not Modified) indicates that the
URL has not been modified since the specified date.

305 Use Proxy:

The status code 305 (Use Proxy) indicates that the requested
URL must be accessed through the proxy server given in the Location header.

306 (Unused):

This code was used in a previous version of the protocol. It is no
longer used, but the code is still reserved.

307 Temporary Redirect:

The status code 307 (Temporary Redirect) indicates
that the requested page has moved temporarily to the new URL shown in the browser.

4xx (Client Error):

This class covers all client errors, where the
client request is not appropriate or cannot be fulfilled.

400 Bad Request:

The status code 400 (Bad Request) indicates that the
server did not understand the action requested by the client.

401 Unauthorised:

The status code 401 (Unauthorised) indicates that the
requested page is credential protected and needs a username and password.

402 Payment Required:

The status code 402 (Payment Required) indicates that
the requested page requires payment first; it will be displayed afterwards.

403 Forbidden:

The status code 403 (Forbidden) indicates that
access to the page is forbidden.

404 Not Found:

The status code 404 (Not Found) indicates that the server
cannot find the requested page.

405 Method Not Allowed:

The status code 405 (Method Not Allowed) indicates
that the method specified in the request is not allowed.

406 Not Acceptable:

The status code
406 (Not Acceptable) indicates that the server can only generate a response that
is not acceptable to the client.

407 Proxy Authentication Required:

The status code 407 (Proxy Authentication Required)
indicates that the client must authenticate with a proxy server before this request
can be served.

408 Request Timeout:

The status code
408 (Request Timeout) indicates that the request took longer than the server
was prepared to wait.

409 Conflict:

The status code
409 (Conflict) indicates that the request could not be completed because of a
conflict.

410 Gone:

This status code
indicates that the requested page is no longer available.

411 Length Required:

This status code
indicates that the “Content-Length” header is not defined. The server will
not accept the request without it.

412 Precondition Failed:

This status code
indicates that a precondition given in the request evaluated to false on the
server.

413 Request Entity Too Large:

This status code
indicates that the server will not accept the request because the request
entity is too large.

414 Request-URL Too Long:

This status code
indicates that the server will not accept the request because the URL is too
long. It occurs, for example, when a “POST” request is converted into a “GET”
request with long query information.

415 Unsupported Media Type:

This status code
indicates that the server will not accept the request because the media type
is not supported.

416 Requested Range Not Satisfiable:

This status code
indicates that the requested byte range is not available and is out of bounds.

417 Expectation Failed:

This status code
indicates that the expectation given in an Expect request header field could
not be met by this server.

5xx (Server Error):

This class means the
server failed to fulfil an apparently valid request.

500 Internal Server Error:

This status code
indicates that the request was not completed. The server met an unexpected
condition.

501 Not Implemented:

This status code
indicates that the request was not completed. The server does not support the
functionality required.

502 Bad Gateway:

This status code
indicates that the request was not completed. The server received an invalid
response from the upstream server.

503 Service Unavailable:

This status code
indicates that the request was not completed. The server is temporarily
overloaded or down.

504 Gateway Timeout:

This status code
indicates that the gateway has timed out.

505 HTTP Version Not Supported:

This status code
indicates that the server does not support the HTTP protocol
version used in the request.

 

HTTP Security:

HTTP clients sometimes handle their
personal information, such as user names, locations and passwords, insecurely. The data that is sent across is not
at all secure. This meant that the data was accessible by anyone on that
network, making it useless for sending confidential information. To solve this flaw,
Netscape Corporation developed HTTP Secure, which allowed authorization and
secured transactions.

HTTPS (Hypertext Transfer Protocol Secure) is used
to achieve security of data across the internet. It is a combination of HTTP with
the SSL/TLS protocol. HTTP is not a secure protocol, so when users communicate
across the network using HTTP, anyone can easily eavesdrop on the communication between the client and
the web server. So if users want to transfer sensitive information
across the internet, then this information needs to be secured and should be
accessible to authorized users only. For these purposes HTTPS is used. HTTPS is mainly
used on the following kinds of websites: shopping websites, banking
websites, payment gateways, login pages, and email apps. Web
browsers such as Internet Explorer, Firefox and Chrome also display a padlock
icon in the address bar to visually indicate that an HTTPS connection is in
effect.

Working of HTTPS:

The HTTPS protocol is used to provide a secure connection
between the client and the web server. HTTPS inserts a layer of encryption/decryption
between HTTP and TCP. This layer is Secure Sockets Layer (SSL) or Transport Layer
Security (TLS).

Both the TLS and SSL protocols use an asymmetric Public Key
Infrastructure (PKI) system. An asymmetric system uses two keys to encrypt
communications, a public key and a private key. Anything encrypted with the
public key can only be decrypted by the private key, and vice versa. The private key should be kept strictly
protected and should only be accessible to the owner of the private key. In
the case of a website, the private key remains securely installed on the web
server. Conversely, the public key is intended to be distributed to anybody and
everybody that needs to be able to decrypt information that was encrypted with
the private key.

The pictures given below show the Google and SBI websites.
Both use the HTTPS protocol. The important point to note here is that in this
case the URL starts with HTTPS:// and not with HTTP://.

The SSL layer serves two main purposes:

i) Verifying that the client browser is communicating with
the authenticated server.

ii) Ensuring that only the server is able to read the
client's data and only the client is able to read data sent by the server.
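The two purposes of the SSL/TLS layer listed above can be seen in how a client configures its TLS context. The following Python example is added here and is not part of the paper; it contrasts a browser-like verifying context with the weak no-verification setting and reports which of the two purposes each one still provides. The name fetch_status is a hypothetical helper of this example and needs network access.

```python
import ssl


def secure_client_context() -> ssl.SSLContext:
    """Client side as a browser does it: the server certificate must chain to a trusted CA
    (verify_mode=CERT_REQUIRED) and its name must match the host in the URL (check_hostname),
    which is purpose (i) above; the encryption of the record layer gives purpose (ii)."""
    ctx = ssl.create_default_context()            # loads the system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL 2/3 and TLS 1.0/1.1
    return ctx


def unverified_client_context() -> ssl.SSLContext:
    """A common weak setting: the channel is still encrypted, but the client no longer checks
    who holds the private key at the other end, so purpose (i) is lost."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode may be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def guarantees(ctx: ssl.SSLContext) -> dict:
    """Which of the two SSL-layer purposes a context actually provides."""
    return {
        "confidentiality": True,    # TLS always encrypts application data on the wire
        "server_authentication": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def fetch_status(url: str, ctx: ssl.SSLContext) -> int:
    """Issue a GET over HTTPS (port 443 by default) using the given context; needs network."""
    from urllib.request import urlopen
    with urlopen(url, context=ctx) as response:
        return response.status
```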

Difference between HTTP and HTTPS:

a) The HTTP protocol uses port 80 for communication, whereas
HTTPS uses port 443.

b) In the case of
HTTP the URL starts with http://, whereas in the case of HTTPS the URL starts with
https://.

c) HTTP is unsecured, whereas HTTPS is secured.

d) In the case of HTTP no certificates are used, but in the
case of HTTPS certificates are used.

e) In the case of HTTP information is passed as plain
text across the network, but in the case of HTTPS the data is encrypted.

Conclusions

HTTP is useful when the user only intends to access
information from a given website. But it is not safe for the user to
transfer personal information using HTTP. The HTTPS protocol is helpful
when users want to send their personal information across the internet.
HTTPS is not unbreakable, but it is still a robust way to send personal
information across the internet. The
key thing to remember is that though HTTPS keeps data safe on the wire to its
destination, it in no way protects a user
or a developer against XSS or database
leaks.