Thursday, May 28, 2009

Whats the difference between HTTP and HTTPS?

http is hyper text transfer protocol which is responsible for transmitting and receiving information across the Internet where as https is secure http, which is used exchanging confidential information with a server, which needs to be secured in order to prevent unauthorized access.

HTTP is Hyper Text Transport Protocol and is transmitted over the wire via PORT 80(TCP). You normally use HTTP when you are browsing the web, it's not secure, and so someone can eavesdrop on the conversation between your computer and the web server. HTTP can support the client asking for a particular file to be sent only if it has been updated after a certain date and time. This would be used if the client has already retrieved a copy of a file by that name from that server, but wants to check to see if it has been updated since then. The server responds either with the updated file, with a message to say the file has not been changed, or with a message that the file no longer exists.

HTTPS (Hypertext Transfer Protocol over Secure Socket Layer or HTTP over SSL) is a Web protocol developed by Netscape and built into its browser that encrypts and decrypts user page requests as well as the pages that are returned by the Web server. HTTPS is really just the use of Netscape's Secure Socket Layer (SSL) as a sub layer under its regular HTTP application layering. (HTTPS uses port 443 instead of HTTP port 80 in its interactions with the lower layer, TCP/IP.) SSL uses a 40-bit key size for the RC4 stream encryption algorithm, new-age browsers use 128-bit key size which is more secure than the former, it is considered an adequate degree of encryption for commercial exchange. HTTPS is normally used in login pages, shopping/commercial sites.

How it Work
Https is not a separate protocol, but refers to the combination of a normal HTTP interaction over an encrypted Secure Sockets Layer (SSL) or Transport Layer Security (TLS) transport mechanism. This ensures reasonable protection from eavesdroppers and (provided it is implemented properly and the top level certification authorities do their job properly) man-in-the-middle attacks.

The default TCP port of an https: URL is 443 (for unsecured HTTP, the default is 80). To prepare a web-server for accepting https connections the administrator must create a public key certificate for the web-server. These certificates can be created for Linux based servers with tools such as Open SSL's ssl or SuSE's gensslcert. This certificate must be signed by a certificate authority of one form or another, who certifies that the certificate holder is who they say they are. Web browsers are generally distributed with the signing certificates of major certificate authorities, so that they can verify certificates signed by them.

No comments:

Post a Comment