HTTP and HTTPS

Lecture Notes for CS 142
Fall 2010
John Ousterhout

  • Readings for this topic: none.

HTTP: HyperText Transfer Protocol

  • Used by browsers to communicate with Web servers.
  • Simple request-response protocol, sent using TCP/IP sockets.
  • Sample request:
    GET /index.html HTTP/1.1
    Host: www.example.com
    User-Agent: Mozilla/5.0
    Accept: text/xml,application/xml,application/xhtml+xml,text/html*/*
    Accept-Language: en-us
    Accept-Charset: ISO-8859-1,utf-8
    Connection: keep-alive
    <blank line>
    
    • First line contains method, URL, version number
      • GET method: read information from server. Should have no side effects.
      • POST method: uploads data from the browser to the server (typically form data), returns information from the server. Likely to have side effects. Data is in the body of the message, after the blank line.
      • There are several other methods defined besides these two, but we won't use them in CS142.
    • Headers: name-value pairs providing various information that may be useful to the server.
    • A request can also contain data following the headers, but the GET method doesn't have any data (POST does, though).
  • Sample response:
    HTTP/1.1 200 OK
    Date: Thu, 24 Jul 2008 17:36:27 GMT
    Server: Apache-Coyote/1.1
    Content-Type: text/html;charset=UTF-8
    Content-Length: 1846
    
    <html>
    ...
    </html>
    
    • First line contains protocol version number, numerical status code, textual explanation.
    • Headers have same general format as for requests
    • Blank line separates headers from response data.
    • Response body doesn't necessarily have to be HTML.
  • Redirection: cause browser to fetch a new URL in place of the page initially requested.
    • Set Location header to some other URL.
    • Return a status of 307.
    • Useful if information has moved, and for POST requests.

HTTPS

  • Identical to HTTP, except request and response messages are transmitted using SSL (Secure Sockets Layer) or its successor TLS (Transport Layer Security).
  • HTTPS is used automatically for any URL beginning with "https:" instead of "http:".
  • What HTTPS does for you:
    • The request and response messages are transmitted between the browser and server in encrypted form.
    • This prevents snoopers on the network from accessing private information in the messages, such as passwords or credit card numbers.
    • A certificate exchange allows the browser to identify the server it is communicating with. HTTPS doesn't help the server to identify the browser.
  • HTTPS does not guarantee that the browser and server can trust each other. You just know that no-one else is listening.
  • HTTPS requires additional server setup: must create a certificate that identifies the server to the browser.
  • In designing Web applications you must use HTTPS whenever private data is being transmitted, such as passwords or credit card numbers.