CertiGuide to Security+
Chapter 2: Communication Security (Domain 2.0; 20%)
2.3 The Web


2.3.2  HTTP/S

Each page (or URL) you visit on the web is accessed using a particular protocol, which is named by the scheme that precedes the ":" in the URL. Two common schemes are HTTP and HTTPS; a third, now rare, is S-HTTP.

HTTP

HTTP, used for URLs beginning with "http:", is the HyperText Transfer Protocol, used for unencrypted general communication between web browsers and web servers. It takes care of packaging up page requests, page contents, form variables, cookies and the like and transmitting them in both directions, browser to server and server to browser. Because nothing is encrypted, anyone on the path (or running a sniffer on the same network segment) can read or alter every request and response, cookies and submitted passwords included. HTTP communication occurs by default over TCP port 80, so you need that port open on your firewall in the direction of the web server: outbound if you just want to let your users surf, inbound if you want Internet users to reach your server.

HTTPS

HTTPS, used for URLs beginning with "https:", is HTTP carried inside an SSL (today, TLS) connection, which adds encryption and authentication. It performs the same function as HTTP but does so more securely and is thus better suited to data requiring confidentiality. The server proves its identity with a certificate that the browser checks against the host name in the URL; client certificates are optional and rarely used. Note what stays visible: the encrypted channel hides the URL path, headers, cookies and page contents, but not the server's address and port. As mentioned earlier, it uses TCP port 443 instead of 80.

S-HTTP

S-HTTP (Secure HTTP) is an alternative to SSL for secure communication between a web browser and web server. It provides similar functionality but uses different techniques: rather than encrypting the whole connection, it protects individual HTTP messages, with encryption and signing negotiated per message. Because of Netscape's dominance on the Web, SSL took off as the primary secure web protocol, and URLs referencing S-HTTP, which begin with "shttp:", are rarely seen today.

HTTP is a protocol used for unencrypted communication between web browsers and web servers. It uses TCP port 80.

HTTPS is a protocol used for SSL-encrypted and authenticated communication between web browsers and web servers. It uses TCP port 443.

S-HTTP is a lesser-used protocol for encrypted communication between web browsers and web servers. It does not use SSL, and is rarely used today.
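The following Python script, added here as a worked example and not part of the original CertiGuide text, turns a URL into the decisions described above: which default port to use, whether to wrap the TCP connection in TLS, and what the raw HTTP/1.1 request bytes look like. It also shows what a passive observer on the wire can read in each case and how to build a TLS context that actually verifies the server's certificate and host name. The URLs and the cookie value are constructed for illustration; fetch_status_line needs network access and is not required by the rest.

```python
import socket
import ssl
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def plan_request(url: str, cookie: str = None) -> dict:
    """Turn a URL into scheme, host, port, the TLS decision and the raw HTTP/1.1 request.
    shttp: URLs are deliberately rejected: S-HTTP negotiates message-level protection
    inside HTTP itself and is not handled by simply wrapping the socket in TLS."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported URL scheme: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    port = parts.port or DEFAULT_PORTS[scheme]
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    # The Host header carries the port only when it differs from the scheme default.
    host_header = host if port == DEFAULT_PORTS[scheme] else f"{host}:{port}"
    lines = [f"GET {target} HTTP/1.1", f"Host: {host_header}", "Connection: close"]
    if cookie:
        lines.append(f"Cookie: {cookie}")
    request = ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")
    return {"scheme": scheme, "host": host, "port": port,
            "tls": scheme == "https", "request": request}


def wire_visibility(plan: dict) -> dict:
    """What a passive observer between browser and server can read.
    TLS hides the request line, headers (cookies included) and body; the server's
    address, the port and (via the SNI extension) the host name stay visible."""
    visible = {"host": plan["host"], "port": plan["port"]}
    visible["request"] = None if plan["tls"] else plan["request"]
    return visible


def tls_context() -> ssl.SSLContext:
    # create_default_context() loads the system trust store and turns on certificate
    # and hostname verification; without both, "authenticated" in HTTPS means nothing.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def fetch_status_line(url: str, timeout: float = 5.0) -> str:
    """Open the connection the plan calls for and return the server's status line.
    Requires network access; plain TCP for http:, TLS-wrapped TCP for https:."""
    plan = plan_request(url)
    sock = socket.create_connection((plan["host"], plan["port"]), timeout=timeout)
    if plan["tls"]:
        sock = tls_context().wrap_socket(sock, server_hostname=plan["host"])
    with sock:
        sock.sendall(plan["request"])
        return sock.recv(4096).split(b"\r\n", 1)[0].decode("latin-1")


if __name__ == "__main__":
    # Constructed URLs and cookie value, used only to show the two cases side by side.
    for url in ("http://www.example.com/search?q=test", "https://www.example.com/login"):
        plan = plan_request(url, cookie="session=abc123")
        print(url, "->", "port", plan["port"], "TLS" if plan["tls"] else "plain")
        print("  observer sees:", wire_visibility(plan))
```

The point of wire_visibility is the one exam candidates most often miss: the port number alone does not protect anything, and the HTTP request, cookie and all, is readable end to end unless the https: scheme put it inside TLS.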


HTTP/HTTPS

HTTP and HTTPS used to be purely web browsing protocols, but a funny thing happened on the way to the future. Network administrators the world over started blocking firewall ports used for any services they did not feel were absolutely essential, in the name of security (a good practice).

Then users were sad, because peer-to-peer chat services, instant messaging, CD database lookup programs and other fun but non-essential utilities that used ports blocked by firewalls stopped working. Then developers deployed fancy applications using technology like Microsoft's DCOM and found out that, because of the way most network administrators had configured their firewalls, DCOM traffic didn't get through.

But developers everywhere, boxed in by network administrators' security efforts, eventually realized that almost every site allows port 80 and port 443 traffic through, and that hiding (tunneling) their application-specific protocols inside HTTP was a way to get them past the firewall's port-level blocking. Much as a VPN tunneled inside a normal TCP/IP connection hides what is really going on in the virtual network from the tools that manage the physical network, tunneling an application inside another application protocol like HTTP hides the workings of that inner protocol from utilities and devices that seek to observe or filter it. The lesson for the firewall administrator is that an open port is not the same as an approved protocol: a port-80 rule admits anything that can be made to look like HTTP, and a port-443 rule admits anything that looks like SSL.

And thus began the next chapter in the saga of hackers finding a creative way to accomplish something and security folks scrambling to prevent it. Today, many firewalls feature content filtering of HTTP traffic, so that certain URLs or URL patterns can be blocked, and some also check that what arrives on port 80 really is HTTP, to prevent other applications from piggybacking into (or out of) the site via HTTP or HTTPS. HTTPS is the harder case: because the payload is encrypted, a filter can only confirm that the traffic is SSL/TLS unless it terminates the encrypted connection itself and inspects the plaintext before re-encrypting it.
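As an added example (not code from the original page), the following Python checker applies the controls this section describes to a handful of constructed sample flows: it verifies that what arrives on port 80 is really an HTTP request and that what arrives on port 443 really begins with a TLS handshake, blocks CONNECT requests to ports other than 443, and matches request paths against a blocklist of URL patterns. The flows, host names and blocked patterns are all hypothetical, and only the first bytes the client sends are examined.

```python
import re

# Constructed sample flows (not real captures): (destination port, first bytes sent by the client).
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (80, b"GET /tunnel/session?id=42 HTTP/1.1\r\nHost: relay.example.net\r\n\r\n"),
    (80, b"\x05\x01\x00"),                                   # SOCKS5 greeting, not HTTP at all
    (80, b"CONNECT chat.example.org:5190 HTTP/1.1\r\nHost: chat.example.org:5190\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\x2c\x01\x00\x00\x28\x03\x03" + b"\x00" * 40),  # truncated TLS ClientHello
    (443, b"SSH-2.0-OpenSSH_3.9\r\n"),                       # SSH banner on the HTTPS port
]

# Hypothetical URL path patterns an administrator might block; adjust to the site.
BLOCKED_PATH_PATTERNS = [
    re.compile(r"^/tunnel/"),
    re.compile(r"^/proxy/"),
]

REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT) (\S+) HTTP/1\.[01]\r\n"
)


def parse_http_head(payload: bytes):
    """Return (method, target, headers) if payload starts with an HTTP/1.x request head, else None."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    method = m.group(1).decode("ascii")
    target = m.group(2).decode("ascii", "replace")
    head, _, _ = payload[m.end():].partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n"):
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("latin-1")
    return method, target, headers


def is_tls_client_hello(payload: bytes) -> bool:
    """TLS record type 0x16 (handshake), record version 3.x, handshake type 0x01 (ClientHello).
    An SSLv2-compatible ClientHello (first byte with the high bit set) is not recognised here
    and would be flagged; extend the check if such clients must be admitted."""
    return (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] <= 0x03 and payload[5] == 0x01)


def classify_flow(port: int, payload: bytes):
    """Return ("allow" | "block", reason) for the client's first bytes on the given port."""
    if port == 443:
        if is_tls_client_hello(payload):
            # The inner protocol is invisible here: inspecting it would require terminating
            # TLS on the proxy and re-encrypting towards the server (TLS interception).
            return ("allow", "TLS ClientHello")
        return ("block", "non-TLS payload on port 443")
    if port == 80:
        parsed = parse_http_head(payload)
        if parsed is None:
            return ("block", "non-HTTP payload on port 80")
        method, target, headers = parsed
        if method == "CONNECT":
            # CONNECT turns the proxy into a raw TCP relay; only the HTTPS port is legitimate.
            _, _, dst_port = target.rpartition(":")
            if dst_port != "443":
                return ("block", f"CONNECT to non-HTTPS port {dst_port}")
            return ("allow", "CONNECT to port 443")
        if "host" not in headers:
            return ("block", "HTTP request without Host header")
        path = target.split("?", 1)[0]
        for pat in BLOCKED_PATH_PATTERNS:
            if pat.search(path):
                return ("block", f"URL path matches blocked pattern {pat.pattern}")
        return ("allow", f"{method} {path}")
    return ("allow", "port not inspected")


def audit(flows=SAMPLE_FLOWS):
    """Run the checker over a list of (port, payload) flows; returns (port, verdict, reason) rows."""
    return [(port, *classify_flow(port, payload)) for port, payload in flows]


if __name__ == "__main__":
    for port, verdict, reason in audit():
        print(f"port {port:<4} {verdict:<5} {reason}")
```

A real inline filter would apply the same logic to the first packet of each connection and would also have to cope with HTTP pipelining, keep-alive reuse and requests split across packets; the checks above are the protocol-conformance and URL-pattern ideas in their simplest form.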








CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.