http vs https - prior blog

HTTP is an application layer protocol in the Internet Protocol Suite used to transfer application data between client and server.

It relies on a transport layer protocol, primarily TCP although it can use UDP as well, to manage host-to-host communication.

An HTTP client establishes a session with the server on a particular port, which is usually 80.

HTTP supports authentication schemes such as Basic Authentication (cleartext username / password) and Digest Access Authentication (a challenge-response mechanism), in which the server issues a challenge to identify the client before returning the requested content.

HTTP 1.1 additions:

- Keep Alive parameter so that a connection can be reused for more than one request. This leads to persistent connections and reduces latency, as the TCP 3-way handshake is not needed for each request.

- Chunked Transfer Encoding was introduced, which allows content on a persistent connection to be streamed rather than buffered.

- HTTP Pipelining: Allows the client to send multiple requests before waiting for a response, which reduces lag time.

- Byte Serving: In this case the server transmits only the portion of the resource explicitly requested by the client.

********************************************************************************

HTTPS secures an HTTP connection by signaling the browser to use an added encryption layer of SSL / TLS to protect the traffic. It uses TCP port 443 by default.

The main reasons for using HTTPS are to authenticate the visited website and to protect the privacy and integrity of the exchanged data.

Implementing HTTPS involves obtaining a certificate from a trusted certificate authority, which the browser then validates.

It comes in 2 options: simple and mutual.

Simple: Requires only server authentication.
Mutual: Requires both client and server authentication, where the client has to install a personal certificate in the browser.

*********************************************************************************

Design Considerations for using HTTPS

- Some browsers may not support SSL.
- Performance impact in case large files are downloaded, where encryption can be a burden.
- It breaks name-based virtual hosting, as only one certificate is supported per IP/port combination.
