|Like this CertiGuide? Get it in PDF format!|
Use coupon code "certiguide" to save 20%!
|Also available: 300-question Security+ practice test!|
|Get It Here!|
Each page (or URL) you visit on the
web is accessed using a particular protocol which is specified prior
to the : in the URL. Two common protocols are HTTP and
HTTPS, with a third being S-HTTP.
HTTP, used for URLs
beginning with http:, is the HyperText Transport
Protocol used for unencrypted general communications between
web browsers and web servers. It takes care of packaging up page
requests, page contents, variables, cookies and the like, and transmitting
them between browser and server, or server and browser. HTTP communication
occurs by default over TCP port 80, so, you would need to have that
port open on your firewall in the direction of the web server (outbound
if you just want to let your users surf; inbound if you want Internet
users to surf your server).
HTTPS, used for URLs
beginning with https: is HTTP with SSL encryption
and authentication extensions. It performs the same function as HTTP,
but does so in a more secure manner and is, thus, better suited for
transmission of data requiring confidentiality. As mentioned earlier,
it uses port 443 instead of 80.
As noted above, S-HTTP is an alternative
to SSL for secure communications between a web browser and web server.
It provides similar functionality, but uses different techniques to
do so. Because of Netscapes dominance on the Web, SSL took off
as the primary secure HTTP protocol, and URLs referencing S-HTTP,
which starts with shttp: are rarely seen today.
HTTP is a protocol used for unencrypted communication between web browsers and web servers. It uses TCP port 80.
HTTPS is a protocol used for SSL-encrypted and authenticated communication between web browsers and web servers. It uses TCP port 443.
S-HTTP is a lesser-used protocol for encrypted communication between web browsers and web servers. It does not use SSL, and is rarely used today.
HTTP and HTTPS used to be purely web browsing protocols, but a funny thing happened on the way to the future. Network administrators the world over, started blocking firewall ports used for any services they did not feel were absolutely essential in the name of security (a good practice).
Then users were sad, because peer-to-peer chat services, instant messaging, CD database lookup programs, and other fun but non-essential utilities that used ports blocked by firewalls stopped working. Then developers deployed fancy applications using technology like Microsofts DCOM, and found out that because of the way most network administrators had configured their firewalls, DCOM traffic didnt get through.
But developers everywhere, who were boxed in by network administrators security efforts, eventually realized that almost every site allows port 80 and port 443 traffic through and that hiding (or tunneling) their application-specific protocols inside HTTP, was a way to get them through the firewalls port-level blocking. Much like using a VPN tunneled inside a normal TCP/IP connection hides whats really going on in the virtual network from the tools that manage the physical network, tunneling an application inside another application protocol like HTTP hides the workings of that inner application protocol from utilities and devices which seek to observe or filter it.
And thus, began the next chapter in the saga of hackers finding a creative way to accomplish something and security folks scrambling to prevent them from doing it. Today, many firewalls feature content filtering of HTTP traffic so that certain URLs or URL patterns can be blocked, to prevent these other applications from piggybacking into (or out of) the site via HTTP or HTTPS.
|If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!|
Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.