Web Protocols

HTTP and HTTPS

Randy J. Fortier
randy.fortier@uoit.ca
@randy_fortier

Outline

  • Network application architectures
  • Hypertext Transfer Protocol (HTTP)
    • Requests
    • Responses
    • URLs
  • Secure HTTP (HTTPS)
    • Transport Layer Security (TLS)
    • Negotiating cipher
    • Authentication
    • Key exchange

HTTP and HTTPS

Network Application Architectures

Two-Tiered Architectures

  • Server
    • Listens for connections
    • Responds to client requests
  • Client
    • Initiates the connection with the server
    • Issues a request to that server
    • Processes the server's response
Two Tiered Architecture

Three-Tiered Architectures

  • An additional layer is used for data storage
    • SQL-based storage
    • NoSQL storage (many NoSQL stores expose an HTTP API rather than a database wire protocol)
  • The server accesses this data over the network
Three Tiered Architecture


Hypertext Transfer Protocol (HTTP)

Hypertext Transfer Protocol

  • Common methods (the specification calls them methods; "commands" is the informal term):
    • GET - retrieve a resource; must be safe (no side effects), because browsers, proxies and crawlers issue GETs freely
    • POST - submit data to the server (form fields, file uploads, API calls); the response may carry data back
    • PUT - create or replace the resource at the request URL (idempotent)
    • DELETE - remove the resource at the request URL
    • HEAD - like GET, but the server returns only the status line and headers, not the body
  • Servers normally leave PUT and DELETE disabled unless an application needs them; exposing them without authentication lets any client modify server content

Hypertext Transfer Protocol

  • Example request line (method, request target, protocol version):

GET /folder/file.html HTTP/1.0

HTTP Requests

  • A request is issued by the client (usually a web browser)
  • The request line (method, path and HTTP version) is the most important part of the request
  • Request headers carry metadata about the request and the browser:
    • Browser (name and version) sending the request (User-Agent)
    • Site being visited (Host; mandatory in HTTP/1.1, since one server may host many sites)
    • Formats, languages and character sets the browser can handle (Accept, Accept-Language, Accept-Charset)
    • Cookies previously set by the site (Cookie)
  • Everything in a request, headers included, is chosen by the client; the server must treat it as untrusted input

HTTP Requests

  • Example request (Proxy-Connection appears because the browser was configured to use a proxy; the empty line after the last header ends the request, and a GET carries no body):

GET / HTTP/1.1
Host: www.google.ca
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0
Accept: text/html
Accept-Language: en-US,en
Accept-Charset: ISO-8859-1,utf-8
Content-length: 0


HTTP Requests

  • To capture a request:
    • Start a listener (netcat):

$ nc -l 8080

    • Direct your browser to:

http://localhost:8080/

    • The raw request, headers included, appears on the listener's terminal (traditional netcat builds need nc -l -p 8080)

HTTP Responses

  • A response is issued by the web server in reply to a request
  • The status line (HTTP version, status code, reason phrase) tells the client what happened; the body, often the requested file, is usually the most important part
  • Response headers carry metadata about the response and the web server:
    • Server (name and version) sending the response (Server; often trimmed so the server does not advertise its exact version)
    • Time/date when the response was issued (Date)
    • Amount of data being transmitted (Content-Length)
    • Data type of the data included (Content-Type)
    • Cookies being set (Set-Cookie)

HTTP Responses

  • Example response (the empty line separates the headers from the body):

HTTP/1.1 302 Found
Location: https://www.google.ca/
Content-Type: text/html; charset=UTF-8
Date: Sat, 18 Aug 2012 18:42:48 GMT
Content-Length: 219

<HTML><HEAD><meta http-equiv="content-type" 
content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved <A HREF="https://www.google.ca/">here</A>.
</BODY></HTML>
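A small parser for both message types, as an added example that is not part of the slides. It takes the request and the response shown above (embedded here as constructed byte strings; the response's Content-Length is computed from the body used here rather than copied from the slide) and splits them into start line, headers and body. The guards it applies (one empty line as the only separator, a Host header on HTTP/1.1, no whitespace before the colon in a header name, a strictly numeric Content-Length that the body actually satisfies) are the checks that matter when different parsers along a path must agree on where one message ends and the next begins; chunked transfer encoding is deliberately not handled. Names such as `parse_request`, `parse_response` and `rejects` are this example's own:

```python
MAX_HEADER_BYTES = 8192   # refuse oversized header blocks before parsing them

# Constructed samples: the request and response from the slides, as raw bytes.
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\nHost: www.google.ca\r\nProxy-Connection: keep-alive\r\n"
    b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\nAccept-Language: en-US,en\r\n"
    b"Accept-Charset: ISO-8859-1,utf-8\r\nContent-length: 0\r\n\r\n"
)
RESPONSE_BODY = (
    b'<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">\n'
    b"<TITLE>302 Moved</TITLE></HEAD><BODY>\n<H1>302 Moved</H1>\n"
    b'The document has moved <A HREF="https://www.google.ca/">here</A>.\n</BODY></HTML>'
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\nLocation: https://www.google.ca/\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\nDate: Sat, 18 Aug 2012 18:42:48 GMT\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(RESPONSE_BODY) + RESPONSE_BODY
)


def parse_headers(block):
    """'Name: value' lines into a dict keyed by lower-cased name. Folded lines
    and whitespace before the colon are rejected: servers and proxies disagree
    on how to read them, which is what request smuggling exploits."""
    headers = {}
    for line in block.split(b"\r\n"):
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obsolete header line folding rejected")
        name, sep, value = line.partition(b":")
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header line: %r" % line)
        key = name.decode("ascii").lower()
        val = value.strip().decode("latin-1")
        headers[key] = headers[key] + ", " + val if key in headers else val
    return headers


def split_message(raw):
    """Start line, headers and body; the empty line is the only separator."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: no empty line after the headers")
    if len(head) > MAX_HEADER_BYTES:
        raise ValueError("header block too large")
    start_line, _, header_block = head.partition(b"\r\n")
    return start_line.decode("ascii"), parse_headers(header_block), body


def take_body(headers, body):
    """Honour Content-Length strictly: digits only, and enough bytes present.
    Without it the body runs until the connection closes (HTTP/1.0 style)."""
    length = headers.get("content-length")
    if length is None:
        return body
    if not length.isdigit():
        raise ValueError("invalid Content-Length: %r" % length)
    if len(body) < int(length):
        raise ValueError("body shorter than Content-Length")
    return body[:int(length)]


def parse_request(raw):
    start, headers, body = split_message(raw)
    parts = start.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("bad request line: %r" % start)
    method, target, version = parts
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without a Host header")
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": take_body(headers, body)}


def parse_response(raw):
    start, headers, body = split_message(raw)
    version, _, rest = start.partition(" ")
    code, _, reason = rest.partition(" ")
    if not version.startswith("HTTP/") or not (len(code) == 3 and code.isdigit()):
        raise ValueError("bad status line: %r" % start)
    return {"version": version, "status": int(code), "reason": reason,
            "headers": headers, "body": take_body(headers, body)}


def rejects(parser, raw):
    """True when the parser refuses raw with ValueError (exercises the guards)."""
    try:
        parser(raw)
    except ValueError:
        return True
    return False
```

Header names are case-insensitive, which is why the lookup key is lower-cased (the slide's `Content-length` and a server's `Content-Length` are the same header); duplicate headers are joined with a comma, as HTTP defines.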

HTTP Responses

  • Common status codes:
    • 200 OK - the request succeeded
    • 302 Found - redirect; the new location is in the Location header
    • 401 Unauthorized - authentication required (the client must log in or supply credentials)
    • 403 Forbidden - the server understood the request but refuses it; credentials will not help
    • 404 Not Found - no resource at that path
    • 500 Internal Server Error - the server failed while handling the request; the error page should not leak stack traces or configuration details

HTTP Responses

  • To capture a response:
    • Connect with telnet and type the request by hand (the empty line after Host: ends the request):

$ telnet stackoverflow.com 80
GET / HTTP/1.0
Host: stackoverflow.com

    • Port 80 carries plain HTTP; for an HTTPS site use openssl s_client -connect host:443 in place of telnet and type the same request
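The same capture, reproduced offline as an added example that is not part of the slides: a throwaway `http.server` on 127.0.0.1 plays the web server, and a plain socket plays telnet, sending an HTTP/1.0 request byte for byte and reading until the server closes the connection. The routes, status codes and bodies are constructed so that one route exists for each status code in the list above; `DemoHandler`, `raw_get` and `capture_all` are this example's own names:

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class DemoHandler(BaseHTTPRequestHandler):
    """Constructed routes, one per status code discussed above."""
    ROUTES = {"/": (200, b"<h1>home</h1>"),
              "/secret": (401, b"login required"),
              "/admin": (403, b"forbidden")}

    def do_GET(self):
        if self.path == "/old":                      # 302: send the client elsewhere
            self.send_response(302)
            self.send_header("Location", "/")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        status, body = self.ROUTES.get(self.path, (404, b"not found"))
        self.send_response(status)
        if status == 401:                            # 401 must say how to authenticate
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):                    # keep the demo quiet
        pass


def start_server():
    """Serve on an ephemeral loopback port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def raw_get(port, path):
    """What telnet does: send 'GET <path> HTTP/1.0' and an empty line, then
    read until the server closes. Returns (status, headers, body)."""
    request = ("GET %s HTTP/1.0\r\nHost: 127.0.0.1:%d\r\n\r\n" % (path, port)).encode("ascii")
    chunks = []
    with socket.create_connection(("127.0.0.1", port), timeout=5) as sock:
        sock.sendall(request)
        while True:                                  # HTTP/1.0: close marks the end
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    status = int(status_line.split(" ")[1])
    headers = dict(line.split(": ", 1) for line in header_lines if ": " in line)
    return status, headers, body


def capture_all():
    """Fetch every constructed route; returns {path: (status, headers, body)}."""
    server, port = start_server()
    try:
        return {p: raw_get(port, p) for p in ("/", "/old", "/secret", "/admin", "/nope")}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, (status, headers, body) in capture_all().items():
        print(path, status, headers.get("Location", ""), body)
```

Because the request is HTTP/1.0, the server closes the connection after one response, which is what lets the client read to end-of-stream instead of having to honour Content-Length; the Server and Date headers in the capture are added by `http.server` itself.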

URLs

  • https://twitter.com:443/i/notifications
    • https: Scheme (protocol); HTTP defaults to port 80 and HTTPS to port 443, so the port is normally omitted
    • twitter.com: Hostname
    • 443: Port number
    • /i/notifications: Path (what the server uses to locate the resource)
  • The whole string is a URL, one kind of Uniform Resource Identifier (URI); the path on its own is not a URI
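Splitting a URL into those components with the standard library, as an added example that is not from the slides. Beyond the plain split it fills in the default port, and it refuses two forms that make a URL read as something it is not: a userinfo part (`https://twitter.com@evil.example/` connects to evil.example, with "twitter.com" as a username) and an out-of-range port. `parse_url`, `url_is_rejected` and the sample URLs are this example's own:

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_url(url):
    """Scheme, host, effective port and path of an http(s) URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        # Everything before '@' is userinfo; the real host is what follows it.
        raise ValueError("userinfo in URL is not allowed")
    if not parts.hostname:
        raise ValueError("missing hostname")
    port = parts.port                       # raises ValueError outside 0..65535
    return {
        "scheme": scheme,
        "host": parts.hostname,             # already lower-cased by urlsplit
        "port": port if port is not None else DEFAULT_PORTS[scheme],
        "explicit_port": port is not None,
        "path": parts.path or "/",
        "query": parts.query,
    }


def url_is_rejected(url):
    """True when parse_url refuses the URL."""
    try:
        parse_url(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(parse_url("https://twitter.com:443/i/notifications"))
    print(url_is_rejected("https://twitter.com@evil.example/i/notifications"))
```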


Secure HTTP (HTTPS)

Secure HTTP

  • HTTPS is ordinary HTTP carried inside an encrypted, authenticated channel provided by:
    • TLS (Transport Layer Security), the current protocol
    • SSL (Secure Sockets Layer), its predecessor; every SSL version is deprecated and should be disabled on servers
  • The requests and responses themselves are unchanged; only the transport differs (default port 443 instead of 80)

Transport Layer Security (TLS)

  • Basic outline of the TLS handshake:
    1. Client and server exchange the protocol versions and cipher suites they support, and the server chooses one (ClientHello / ServerHello)
    2. The server sends its certificate chain (optionally the client sends one too); the client verifies the chain against its trust store and checks that the certificate's name matches the host
    3. The two sides run a key exchange (in modern TLS an ephemeral Diffie-Hellman, usually over an elliptic curve) and derive the symmetric session keys from the result
    4. Each side sends a Finished message, a MAC over the whole handshake transcript, so that tampering with any earlier message is detected
  • If step 2 is skipped, or a failed check is ignored, an attacker on the path can complete steps 3 and 4 with each side separately and read everything (machine-in-the-middle)
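A miniature version of steps 1, 3 and 4, added here as an example that is not from the slides and is not a TLS implementation. The techniques are the real ones (server-preference cipher-suite selection, an ephemeral Diffie-Hellman exchange, HKDF key derivation bound to a transcript hash, Finished MACs), but the Diffie-Hellman group is a constructed 64-bit toy (2**64 - 59 is prime; TLS uses 2048-bit or larger groups or elliptic curves), and step 2 is left out entirely, which is exactly what makes the `tamper=True` run below possible for an on-path attacker who also substitutes their own key share. `Party`, `negotiate`, `hkdf` and `run_handshake` are this example's own names:

```python
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman group: p = 2**64 - 59 is prime, g = 2.
# Far too small for real use; it only keeps the example self-contained.
P = 2**64 - 59
G = 2


def negotiate(client_offers, server_prefs):
    """Step 1: the server picks the first suite in ITS preference order that
    the client also offered, so the client's ordering cannot force a weak
    suite while a stronger common one exists."""
    for suite in server_prefs:
        if suite in client_offers:
            return suite
    raise ValueError("no cipher suite in common")


def dh_keypair():
    """Ephemeral private exponent x and public value g^x mod p."""
    private = secrets.randbelow(P - 3) + 2           # 2 <= x <= p-2
    return private, pow(G, private, P)


def hkdf(secret, salt, info, length=32):
    """HKDF-SHA256 (RFC 5869): extract a PRK from the secret, then expand it
    under a label; this is how TLS 1.3 turns the DH result into keys."""
    prk = hmac.new(salt, secret, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


class Party:
    """One endpoint. Every handshake message goes into a running transcript
    hash, so the derived keys and the Finished MACs cover all of them."""

    def __init__(self):
        self.transcript = hashlib.sha256()
        self.keys = None

    def send(self, message):
        self.transcript.update(message)
        return message

    def receive(self, message):
        self.transcript.update(message)

    def derive(self, shared_secret):
        """Session keys from the DH result, bound to the transcript so that
        peers who saw different hellos end up with different keys."""
        secret = shared_secret.to_bytes(8, "big")
        salt = self.transcript.digest()
        self.keys = {label: hkdf(secret, salt, label.encode())
                     for label in ("client write", "server write", "finished")}

    def finished(self, direction):
        """Step 4: MAC over the transcript with the finished key."""
        return hmac.new(self.keys["finished"], direction + self.transcript.digest(),
                        hashlib.sha256).digest()


def run_handshake(tamper=False):
    """Steps 1, 3 and 4 between a client and a server. With tamper=True an
    on-path attacker flips one bit of the server's key share in transit; the
    Finished check must then fail. Returns the outcome for inspection."""
    client, server = Party(), Party()
    offers = [b"TLS_AES_128_GCM_SHA256", b"TLS_CHACHA20_POLY1305_SHA256"]
    prefs = [b"TLS_CHACHA20_POLY1305_SHA256", b"TLS_AES_256_GCM_SHA384",
             b"TLS_AES_128_GCM_SHA256"]
    c_priv, c_pub = dh_keypair()
    hello = client.send(b"ClientHello:" + b",".join(offers) + b":" + c_pub.to_bytes(8, "big"))
    server.receive(hello)
    suite = negotiate(offers, prefs)
    s_priv, s_pub = dh_keypair()
    hello = server.send(b"ServerHello:" + suite + b":" + s_pub.to_bytes(8, "big"))
    if tamper:
        hello = hello[:-1] + bytes([hello[-1] ^ 1])
    client.receive(hello)
    # Step 3: each side combines its own private value with the peer's public one.
    client.derive(pow(int.from_bytes(hello[-8:], "big"), c_priv, P))
    server.derive(pow(c_pub, s_priv, P))
    # Step 4: the server checks the client's Finished and vice versa.
    verified = (hmac.compare_digest(client.finished(b"client"), server.finished(b"client"))
                and hmac.compare_digest(server.finished(b"server"), client.finished(b"server")))
    return {"suite": suite, "verified": verified,
            "client_keys": client.keys, "server_keys": server.keys}


if __name__ == "__main__":
    print("honest run verified:", run_handshake()["verified"])
    print("tampered run verified:", run_handshake(tamper=True)["verified"])
```

The tampered run fails for two independent reasons: the client derived keys from a different shared secret, and its transcript hash no longer matches the server's. Real TLS additionally has the server sign the transcript with its certificate's private key (step 2), which is what stops an attacker from simply running their own honest-looking handshake with each side.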

TLS Handshake

  • (Figure sequence: the TLS handshake drawn as twelve numbered steps, one diagram per slide; the images are not reproduced here)

Keys

  • Secret (symmetric) keys
    • Both sender and receiver use the same key
    • Used by the encryption algorithm to encrypt and by the decryption algorithm to decrypt
    • Must be kept confidential by both parties once shared; in TLS these are the per-session keys produced by the handshake
  • Public and private (asymmetric) keys
    • Public: shared with everyone
    • Private: kept confidential by its owner and never transmitted
    • Same algorithm, different keys: data encrypted with the public key can only be decrypted with the private key, and a signature made with the private key can be verified by anyone holding the public key
    • Asymmetric operations are slow, so TLS uses them only to authenticate the server and to agree on the symmetric session keys

Certificates

  • Certificate authorities (CA)
    • Trusted third parties that check an applicant controls a name and then sign a certificate for it
    • Their root certificates (public keys) are pre-installed in browsers and operating systems (the trust store)
  • A certificate is basically a signed public key: the public key plus the owner's name, validity period and issuer, with a digital signature over all of it
    • Self-signed: signed with the private key matching the public key inside it; nothing vouches for it, so browsers reject it unless a user or administrator trusts it explicitly
    • CA-signed: signed with the private key of a certificate authority; the browser checks the signature with the CA's public key from its trust store, then checks that the certificate's name matches the hostname
  • TLS and SSL use X.509 format certificates
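Certificates as signed public keys, worked through with a toy RSA as an added example that is not from the slides. The moduli are products of Mersenne primes chosen only so the example is self-contained (150-bit keys are trivially factored; real keys are 2048 bits or more), the certificate is a dict rather than an X.509 structure, there is no padding, and "Demo Root CA" and "www.example.com" are constructed names. What it does show is the mechanics: a self-signed root, a CA-signed leaf, and what a browser's check does with a self-signed, tampered or forged certificate. `keygen`, `issue`, `validate` and `demo` are this example's own names; `pow(E, -1, phi)` needs Python 3.8 or later:

```python
import hashlib
import json

E = 65537   # the usual RSA public exponent


def keygen(p, q):
    """Textbook RSA from two given primes: public (n, e) and private (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, phi)}


def canonical(tbs):
    """Deterministic encoding of the to-be-signed fields (X.509 uses DER)."""
    return json.dumps(tbs, sort_keys=True).encode()


def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data):
    return pow(digest(data, private["n"]), private["d"], private["n"])


def verify(public, data, signature):
    return pow(signature, public["e"], public["n"]) == digest(data, public["n"])


def issue(subject, subject_pub, issuer, issuer_priv):
    """A certificate: the subject's name and public key plus the issuer's name,
    signed by the issuer. With issuer == subject and the subject's own private
    key as issuer_priv, the result is self-signed."""
    tbs = {"subject": subject, "issuer": issuer, "public_key": subject_pub}
    return {"tbs": tbs, "signature": sign(issuer_priv, canonical(tbs))}


def validate(cert, expected_host, trust_store):
    """What a browser does with a leaf certificate: look the issuer up in the
    trust store, check the signature with that CA's public key, then check
    the name. (Validity dates, revocation and longer chains are left out.)"""
    issuer = trust_store.get(cert["tbs"]["issuer"])
    if issuer is None:
        return False        # unknown issuer; this also covers a self-signed leaf
    if not verify(issuer["tbs"]["public_key"], canonical(cert["tbs"]), cert["signature"]):
        return False        # signature does not cover these fields: forged or tampered
    return cert["tbs"]["subject"] == expected_host


def demo():
    """Constructed CA, server and attacker keys; returns each check's outcome."""
    ca_pub, ca_priv = keygen(2**61 - 1, 2**89 - 1)
    srv_pub, _ = keygen(2**31 - 1, 2**127 - 1)
    atk_pub, atk_priv = keygen(2**107 - 1, 2**17 - 1)
    root = issue("Demo Root CA", ca_pub, "Demo Root CA", ca_priv)      # self-signed root
    trust_store = {"Demo Root CA": root}                                # the browser's store
    good = issue("www.example.com", srv_pub, "Demo Root CA", ca_priv)  # CA-signed leaf
    # Three attacker attempts: self-sign for the victim's name; keep the CA's real
    # signature but swap in the attacker's key; claim the CA but sign with own key.
    self_signed = issue("www.example.com", atk_pub, "www.example.com", atk_priv)
    tampered = {"tbs": dict(good["tbs"], public_key=atk_pub), "signature": good["signature"]}
    forged_tbs = dict(good["tbs"], public_key=atk_pub)
    forged = {"tbs": forged_tbs, "signature": sign(atk_priv, canonical(forged_tbs))}
    return {
        "root_self_consistent": verify(ca_pub, canonical(root["tbs"]), root["signature"]),
        "good": validate(good, "www.example.com", trust_store),
        "wrong_host": validate(good, "evil.example", trust_store),
        "self_signed": validate(self_signed, "www.example.com", trust_store),
        "tampered": validate(tampered, "www.example.com", trust_store),
        "forged": validate(forged, "www.example.com", trust_store),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print("%-20s %s" % (check, outcome))
```

The root certificate verifies under its own key, which is all "self-signed" means; trusting it is a decision the browser vendor or administrator makes by placing it in the store, not something the signature proves. The `wrong_host` case is why a valid certificate for one site is useless for another: the name check is part of validation, not an afterthought.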

Wrap-Up

  • In this section, we learned about:
    • Hypertext Transfer Protocol (HTTP)
    • Secure HTTP via Transport Layer Security (TLS)
    • Encryption keys, certificates, and certificate authorities