HTTP Protocol

Abstract: In this paper a detailed study of the HTTP and HTTPS protocols is made. HTTP (Hypertext Transfer Protocol) is the main protocol of the World Wide Web. It allows communication between a variety of clients. With the help of HTTP, web servers communicate with the browsers available today, such as Google Chrome, Mozilla Firefox and Internet Explorer. HTTPS (Hypertext Transfer Protocol Secure) is used for the same purpose as HTTP but with additional features. Various features of both protocols are also discussed.

Keywords: HTTP; HTTPS

Introduction:
The HTTP protocol is used by the web browser to transmit and receive information on the internet. HTTP means Hypertext Transfer Protocol and it is used for exchanging information between the web server and the client. Tim Berners-Lee implemented the HTTP protocol in 1990-1 at CERN, the European Center for High-Energy Physics in Geneva, Switzerland. HTTP stands at the very core of the World Wide Web. This protocol is used for delivering virtually all files, such as image files, text files and video files. With the help of HTTP, web servers communicate with browsers such as Google Chrome, Mozilla Firefox and Internet Explorer. HTTPS means Hypertext Transfer Protocol Secure and it is used to establish a secure connection across the internet. Communication between the client-side browser and the web server is encrypted under SSL, using a secure certificate known as an SSL certificate.

This encryption of the information helps prevent sniffing of the information by hackers.

What is HTTP?
HTTP is an application-level protocol for collaborative, distributed, hypermedia information systems. It is the data communication protocol used to establish communication between client and server. HTTP is the main protocol used by the World Wide Web for communication. HTTP defines how messages are formatted and transmitted across the internet.

The HTTP protocol is based on the client-server model. A browser acts as the client because it is used to send requests to the server. The server then sends the response back to the client. The default port on which the server listens for requests is 80.

HTTP is a stateless request/response protocol. The main function of HTTP is to transmit resources across the internet. A resource can be a file, a CGI script, or a document written in any available language.

The formats of the request and response messages are very similar. An HTTP request has mainly three parts: a) the request line, b) the HTTP header, and c) an optional HTTP body. An example of an HTTP request line is given below:

GET /xyz1.html HTTP/1.1

This means the client is instructing the server to GET the file xyz1.html using the HTTP/1.1 protocol. The next piece of information needed by the server is the HTTP header. The HTTP header contains information about the request and about the client, such as the browser type or connection information. The final part of the HTTP request is the HTTP body, which is optional. It is used when the client wants to transfer specific data to the server [3][12]. For example, when you enter a URL in your browser, this actually sends an HTTP command to the web server directing it to fetch and transmit the requested web page.

Features of HTTP:
a) HTTP is a connectionless protocol. This means the client or browser makes an HTTP request, then disconnects from the server and waits for the response. The server, after processing the request, sends the response back to the client.
b) HTTP is a media-independent protocol, meaning that any type of data can be sent over HTTP.
c) HTTP is a stateless protocol. This means the server and client are in touch with each other only during the current request. Afterwards, both of them forget each other.

Architecture of HTTP:
The diagram below represents the basic architecture of a web application and depicts where HTTP stands. The HTTP protocol is based on a request/response model. The communication generally takes place over a TCP/IP connection on the Internet. The default port is 80, but other ports can be used. A requesting program (a client) establishes a connection with a receiving program (a server) and sends a request to the server in the form of a request method, URI, and protocol version, followed by a message containing request modifiers, client information, and possible body content. The server responds with a status line, including its protocol version and a success or error code, followed by a message containing server information, entity metainformation, and possible body content.

HTTP Requests:
A client sends an HTTP request to a server in the form of a request message with the following format:

- A Request-Line
- Zero or more header (General|Request|Entity) fields, each followed by CRLF
- An empty line (i.e., a line with nothing preceding the CRLF) indicating the end of the header fields
- Optionally a message-body

Request Line:
The Request-Line begins with a method token, followed by the Request-URI and the protocol version, and ends with CRLF. The elements are separated by space (SP) characters.

Request Header Fields:
The request-header fields allow the client to pass additional information about the request, and about the client itself, to the server. These fields act as request modifiers.

HTTP Methods:
The HTTP method indicates the operation to be performed on the resource identified by the Request-URI.

Method names are case sensitive and should be used in uppercase.
GET: This is the most common method used by HTTP. It is used to retrieve the requested information. If the requested file is an HTML file, then its content will be displayed on the browser side. If the requested file is a dynamic ASP file, then the server first processes this file, executes its commands and finally sends the output of those commands to the requesting browser.
HEAD: This method is almost the same as the GET method, but it does not return the requested data. It is used to transfer the header section, status line, server response code, etc.
POST: This method is used to send data to the server, which then acts on it.

POST methods are used when CGI or server-side scripting is involved.
PUT: The PUT method is used to request that the server store the included entity-body at the location specified by the given URL.
DELETE: The DELETE method is used to request that the server delete the file at the location specified by the given URL.
CONNECT: The CONNECT method is used by the client to establish a network connection to a web server over HTTP.
OPTIONS: The OPTIONS method is used by the client to find out the HTTP methods and other options supported by a web server.

The client can specify a URL for the OPTIONS method, or an asterisk (*) to refer to the entire server.
TRACE: The TRACE method is used to echo the contents of an HTTP request back to the requester, which can be used for debugging during development.

HTTP Responses:
After receiving and interpreting a request message, a server responds with an HTTP response message of the following format:
- A Status-Line
- Zero or more header (General|Response|Entity) fields, each followed by CRLF
- An empty line (i.e., a line with nothing preceding the CRLF) indicating the end of the header fields
- Optionally a message-body

Response Header:
The response-header fields allow the server to pass additional information about the response which cannot be placed in the Status-Line. These header fields give information about the server and about further access to the resource identified by the Request-URI.

HTTP Status Codes:
The HTTP status code is a three-digit integer code that indicates the result of the request. From the first digit of the status code we can identify the class of the response. For example, if a status code 200 is found on the client machine, it means that this status code is from the 2xx class, which indicates that the client request was successfully received, understood and accepted. The different classes of status code are listed below.

1xx (Informational):
This response indicates that the request has been received and processing is in progress.

100 Continue: The status code 100 (Continue) indicates that the initial part of the request has not yet been rejected by the server and the server will send the final response to the client after the request has been fully received.
101 Switching Protocols: The status code 101 (Switching Protocols) indicates that the client has requested that the server switch protocols and the server has accepted.

2xx (Successful):
The 2xx class of status code indicates that the action was received, understood and accepted.
200 OK: The status code 200 (OK) indicates that the action has succeeded; the payload sent in the 200 response depends on the request method.

201 Created: The status code 201 (Created) indicates that the request has been fulfilled and fully accepted, and a new resource has been created.
202 Accepted: The status code 202 (Accepted) indicates that the request has been accepted for processing on the server side, but the processing is not yet completed.
203 Non-Authoritative Information: The status code 203 (Non-Authoritative Information) indicates that the entity header information is a third-party copy or comes from a local server, not from the origin server.
204 No Content: The status code 204 (No Content) indicates that headers are given in the response, but there is no body in the response.

205 Reset Content: The status code 205 (Reset Content) indicates that the browser should reset the form used for this transaction for additional input.
206 Partial Content: The status code 206 (Partial Content) indicates that the server is returning partial data of the size requested by the client.

3xx (Redirection):
In this class, further action must be taken to complete the request.
300 Multiple Choices: The status code 300 (Multiple Choices) displays a list of links from which the client can select one and go to the expected location or destination. A maximum of five addresses can be displayed.
301 Moved Permanently: The status code 301 (Moved Permanently) indicates that the requested page has moved permanently to a new URL.

302 Found: The status code 302 (Found) indicates that the requested page has moved temporarily to a new URL.
303 See Other: The status code 303 (See Other) indicates that the requested page will be displayed under a different URL.
304 Not Modified: The status code 304 (Not Modified) indicates that the URL has not been modified since the specified date.
305 Use Proxy: The status code 305 (Use Proxy) indicates that the requested URL must be accessed through the proxy server given in the Location header.

306 Unused: This code was used in a previous version. It is no longer used but is still a reserved code.
307 Temporary Redirect: The status code 307 (Temporary Redirect) indicates that the requested page has moved temporarily to a new URL.

4xx (Client Error):
This class covers all client errors, where the client request is not appropriate or cannot be fulfilled.
400 Bad Request: The status code 400 (Bad Request) indicates that the server did not understand the requested action from the client.
401 Unauthorised: The status code 401 (Unauthorised) indicates that the requested page is credential protected and needs a username and password.
402 Payment Required: The status code 402 (Payment Required) indicates that the requested page needs payment first, and then it will be displayed.
403 Forbidden: The status code 403 (Forbidden) indicates that access to the page is forbidden.

404 Not Found: The status code 404 (Not Found) indicates that the server cannot find the requested page.
405 Method Not Allowed: The status code 405 (Method Not Allowed) indicates that the method specified in the request is not allowed.
406 Not Acceptable: The status code 406 (Not Acceptable) indicates that the server can only generate a response that is not accepted by the client.
407 Proxy Authentication Required: The status code 407 (Proxy Authentication Required) indicates that you must authenticate with a proxy server before this request can be served.
408 Request Timeout: The status code 408 (Request Timeout) indicates that the request took longer than the server was prepared to wait.
409 Conflict: The status code 409 (Conflict) indicates that the request could not be completed because of a conflict.

410 Gone: This status code indicates that the requested page is no longer available.
411 Length Required: This status code indicates that the "Content-Length" is not defined. The server will not accept the request without it.
412 Precondition Failed: This status code indicates that a precondition given in the request evaluated to false on the server.
413 Request Entity Too Large: This status code indicates that the server will not accept the request, because the request entity is too large.
414 Request-URL Too Long: This status code indicates that the server will not accept the request, because the URL is too long. This occurs when you convert a "post" request to a "get" request with long query information.
415 Unsupported Media Type: This status code indicates that the server will not accept the request, because the media type is not supported.
416 Requested Range Not Satisfiable: This status code indicates that the requested byte range is not available and is out of bounds.
417 Expectation Failed: This status code indicates that the expectation given in an Expect request-header field could not be met by this server.

5xx (Server Error):
This means the server failed to fulfil an apparently valid request.
500 Internal Server Error: This status code indicates that the request was not completed. The server met an unexpected condition.

501 Not Implemented: This status code indicates that the request was not completed. The server did not support the functionality required.
502 Bad Gateway: This status code indicates that the request was not completed. The server received an invalid response from the upstream server.

503 Service Unavailable: This status code indicates that the request was not completed. The server is temporarily overloaded or down.
504 Gateway Timeout: This status code indicates that the gateway has timed out.
505 HTTP Version Not Supported: This status code indicates that the server does not support the HTTP protocol version used in the request.
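As an added example that is not part of the paper, the Python code below parses messages in the request and response formats given in the HTTP Requests and HTTP Responses sections and looks up the status-code class described under HTTP Status Codes; the sample messages are constructed, and www.example.com is a placeholder host.

```python
# Added example, not from the paper: a small parser for the HTTP/1.1 message format
# described above (start line, header fields, empty line, optional body) and the
# status-code class lookup for responses. Sample messages are constructed, not captured.
STATUS_CLASSES = {1: "Informational", 2: "Successful", 3: "Redirection",
                  4: "Client Error", 5: "Server Error"}


def split_message(raw: bytes):
    """Split raw bytes into (start line, header dict, body) at the first empty line."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: no empty line ends the header fields")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.decode("ascii").partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header field: {line!r}")
        headers[name.strip().lower()] = value.strip()  # field names are case-insensitive
    # The body is exactly what Content-Length declares; if the two differ, sender
    # and receiver disagree about where this message ends, so reject it.
    declared = int(headers.get("content-length", "0"))
    if declared != len(body):
        raise ValueError(f"Content-Length {declared} but body has {len(body)} bytes")
    return lines[0].decode("ascii"), headers, body


def parse_request(raw: bytes) -> dict:
    """Request-Line: Method SP Request-URI SP HTTP-Version (method is case-sensitive)."""
    start, headers, body = split_message(raw)
    parts = start.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed Request-Line: {start!r}")
    return {"method": parts[0], "uri": parts[1], "version": parts[2],
            "headers": headers, "body": body}


def status_class(code: int) -> str:
    # Class is given by the first digit: 404 -> 4xx -> "Client Error".
    if not 100 <= code <= 599:
        raise ValueError(f"not a valid HTTP status code: {code}")
    return STATUS_CLASSES[code // 100]


def parse_response(raw: bytes) -> dict:
    """Status-Line: HTTP-Version SP Status-Code SP Reason-Phrase."""
    start, headers, body = split_message(raw)
    version, _, rest = start.partition(" ")
    code, _, reason = rest.partition(" ")
    if not (version.startswith("HTTP/") and len(code) == 3 and code.isdigit()):
        raise ValueError(f"malformed Status-Line: {start!r}")
    return {"version": version, "status": int(code), "class": status_class(int(code)),
            "reason": reason, "headers": headers, "body": body}


# Constructed sample messages (the request line is the one from the paper).
SAMPLE_REQUEST = b"GET /xyz1.html HTTP/1.1\r\nHost: www.example.com\r\nConnection: close\r\n\r\n"
SAMPLE_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 12\r\n\r\n<p>hello</p>"
```

A message whose Content-Length does not match its body, or that lacks the empty line ending the headers, is rejected rather than guessed at.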

HTTP Security:
Sometimes HTTP clients are insecure with their personal information such as user name, location, passwords, etc. The data that is sent across is not at all secure. This meant that the data was accessible by anyone on that network, making it useless for sending confidential information. To solve this flaw, Netscape Corporation developed HTTP Secure, which allowed authorization and secured transactions. HTTPS (Hypertext Transfer Protocol Secure) is used for achieving security of data across the internet.

It is a combination of HTTP with the SSL/TLS protocol. HTTP is not a secure protocol, so when users communicate across the network using HTTP, anyone can easily eavesdrop on the communication between the client and the web server. So if users want to transfer sensitive information across the internet, this information needs to be secured and should be accessible to authorized users only.

For these purposes HTTPS is used. HTTPS is mainly used on the following kinds of websites: shopping websites, banking websites, payment gateways, login pages, email apps, etc. Web browsers such as Internet Explorer, Firefox and Chrome also display a padlock icon in the address bar to visually indicate that an HTTPS connection is in effect.

Working of HTTPS:
The HTTPS protocol is used to provide a secure connection between client and web server. HTTPS inserts a layer of encryption/decryption between HTTP and TCP. This layer is Secure Sockets Layer (SSL) or Transport Layer Security (TLS). Both TLS and SSL use an asymmetric Public Key Infrastructure (PKI) system.

An asymmetric system uses two 'keys' to encrypt communications, a 'public' key and a 'private' key. Anything encrypted with the public key can only be decrypted by the private key, and vice versa. The 'private' key should be kept strictly protected and should only be accessible to the owner of the private key.

In the case of a website, the private key remains securely held on the web server. Conversely, the public key is intended to be distributed to anybody and everybody that needs to be able to decrypt information that was encrypted with the private key. The pictures given below show the Google and SBI websites. Both use the HTTPS protocol. An important point to note here is that in this case the URL starts with https:// and not with http://. The SSL layer serves two main purposes: i) verifying that the client browser is communicating with the authenticated server; ii) ensuring that only the server is able to read the client's data and only the client is able to read the data sent by the server.

Difference between HTTP and HTTPS:
a) HTTP uses port 80 for communication, whereas HTTPS uses port 443.
b) In the case of HTTP the URL starts with http://, whereas in the case of HTTPS the URL starts with https://.
c) HTTP is unsecured, whereas HTTPS is secured.
d) In the case of HTTP no certificates are used, but in the case of HTTPS certificates are used.
e) In the case of HTTP information is passed as plain text across the network, but in the case of HTTPS the data is encrypted.

Conclusions:
HTTP is useful when the user only intends to access information from a given website. But it is not safe for the user to transfer personal information using HTTP.

The HTTPS protocol is helpful when users want to send their personal information across the internet. HTTPS is not unbreakable, but it is still a robust way to send personal information across the internet. The key thing to remember is that although HTTPS keeps data safe on the wire to its destination, it in no way protects a user or a developer against XSS or database leaks.
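As an added example that is not part of the paper, the Python code below shows the layering described under Working of HTTPS: the same kind of GET request line used earlier is sent inside a TLS session on port 443 (the port difference noted under Difference between HTTP and HTTPS), and a client context that skips verification of the server is shown beside the hardened one that performs purpose i) above. The helper names and the host www.example.com are assumptions for illustration.

```python
# Added example, not from the paper: HTTPS is the plain HTTP message wrapped in a
# TLS session over TCP port 443. The client's TLS context decides whether the server's
# certificate is actually verified (purpose i above) before any application data is sent.
import socket
import ssl

DEFAULT_PORTS = {"http": 80, "https": 443}


def insecure_context() -> ssl.SSLContext:
    """Weak setting: traffic is encrypted, but the certificate and hostname are not
    checked, so the client cannot tell the real server from an impostor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Corrected setting: system CA store, certificate required, hostname checked,
    and legacy SSL/TLS versions refused."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def verifies_server(ctx: ssl.SSLContext) -> bool:
    """True only if the context authenticates the server (certificate and hostname)."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def https_get(host: str, path: str = "/", ctx=None) -> bytes:
    """Send an HTTP/1.1 GET inside TLS and return the raw response bytes."""
    ctx = ctx or hardened_context()
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, DEFAULT_PORTS["https"]), timeout=10) as tcp:
        # wrap_socket runs the TLS handshake; server_hostname drives SNI and the
        # hostname check. Only after it succeeds is the HTTP text encrypted and sent.
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            tls.sendall(request.encode("ascii"))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # Network call; the host is an illustrative placeholder. Prints the Status-Line.
    print(https_get("www.example.com").split(b"\r\n", 1)[0])
```

With insecure_context() the handshake still succeeds against any certificate, which is why the padlock a browser shows means verification, not merely encryption.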