| Like what you see? Get it in one document for easy printing! |
Click Here!
Use coupon code "certiguide" to save 20%!
(Expires 2004/12/31) |
|
| Test yourself better with 300 extra Security+ questions! |
| Get It Here! |
|
|
2.3.2 HTTP/S
Each page (or URL) you visit on the
web is accessed using a particular protocol which is specified prior
to the “:” in the URL. Two common protocols are HTTP and
HTTPS, with a third being S-HTTP.
HTTP
HTTP, used for URL’s
beginning with “http:”, is the HyperText Transport
Protocol used for unencrypted general communications between
web browsers and web servers. It takes care of packaging up page
requests, page contents, variables, cookies and the like, and transmitting
them between browser and server, or server and browser. HTTP communication
occurs by default over TCP port 80, so, you would need to have that
port open on your firewall in the direction of the web server (outbound
if you just want to let your users surf; inbound if you want Internet
users to surf your server).
HTTPS
HTTPS, used for URL’s
beginning with “https:” is HTTP with SSL encryption
and authentication extensions. It performs the same function as HTTP,
but does so in a more secure manner and is, thus, better suited for
transmission of data requiring confidentiality. As mentioned earlier,
it uses port 443 instead of 80.
S-HTTP
As noted above, S-HTTP is an alternative
to SSL for secure communications between a web browser and web server.
It provides similar functionality, but uses different techniques to
do so. Because of Netscape’s dominance on the Web, SSL took off
as the primary secure HTTP protocol, and URL’s referencing S-HTTP,
which starts with “shttp:” are rarely seen today.
 HTTP
HTTP is a protocol used for unencrypted communication between web browsers and web servers. It uses TCP port 80.
HTTPS is a protocol used for SSL-encrypted and authenticated communication between web browsers and web servers. It uses TCP port 443.
S-HTTP is a lesser-used protocol for encrypted communication between web browsers and web servers. It does not use SSL, and is rarely used today.
|
![[spacer]](1p.gif)  HTTP/HTTPS
HTTP and HTTPS used to be purely web browsing protocols, but a funny thing happened on the way to the future. Network administrators the world over, started blocking firewall ports used for any services they did not feel were absolutely essential in the name of security (a good practice).
Then users were sad, because peer-to-peer chat services, instant messaging, CD database lookup programs, and other fun but non-essential utilities that used ports blocked by firewalls stopped working. Then developers deployed fancy applications using technology like Microsoft’s DCOM, and found out that because of the way most network administrators had configured their firewalls, DCOM traffic didn’t get through.
But developers everywhere, who were boxed in by network administrators’ security efforts, eventually realized that almost every site allows port 80 and port 443 traffic through – and that hiding (or tunneling) their application-specific protocols inside HTTP, was a way to get them through the firewall’s port-level blocking. Much like using a VPN tunneled inside a normal TCP/IP connection hides what’s really going on in the virtual network from the tools that manage the physical network, tunneling an application inside another application protocol like HTTP hides the workings of that inner application protocol from utilities and devices which seek to observe or filter it.
And thus, began the next chapter in the saga of hackers finding a creative way to accomplish something and security folks scrambling to prevent them from doing it. Today, many firewalls feature content filtering of HTTP traffic so that certain URL’s or URL patterns can be blocked, to prevent these other applications from piggybacking into (or out of) the site via HTTP or HTTPS.
|
| If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support! |
|
|
Home -
Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.
|
