Making HTTP Safe

14.1 Making HTTP Safe

People use web transactions for serious things. Without strong security, people wouldn't feel comfortable doing online shopping and banking. Without being able to restrict access, companies couldn't place important documents on web servers. The Web requires a secure form of HTTP.

The previous chapters talked about some lightweight ways of providing authentication (basic and digest authentication) and message integrity (digest qop="auth-int"). These schemes are good for many purposes, but they may not be strong enough for large purchases, bank transactions, or access to confidential data. For these more serious transactions, we combine HTTP with digital encryption technology.

A secure version of HTTP needs to be efficient, portable, easy to administer, and adaptable to the changing world. It also has to meet societal and governmental requirements. We need a technology for HTTP security that provides:

- Server authentication (clients know they're talking to the real server, not a phony)
- Client authentication (servers know they're talking to the real user, not a phony)
- Integrity (clients and servers are safe from their data being changed)
- Encryption (clients and servers talk privately without fear of eavesdropping)
- Efficiency (an algorithm fast enough for inexpensive clients and servers to use)
- Ubiquity (protocols are supported by virtually all clients and servers)
- Administrative scalability (instant secure communication for anyone, anywhere)
- Adaptability (supports the best known security methods of the day)
- Social viability (meets the cultural and political needs of the society)

14.1.1 HTTPS

HTTPS is the most popular secure form of HTTP. It was pioneered by Netscape Communications Corporation and is supported by all major browsers and servers.

You can tell if a web page was accessed through HTTPS instead of HTTP, because the URL will start with the scheme https:// instead of http:// (some browsers also display iconic security cues, as shown in Figure 14-1).

Figure 14-1. Browsing secure web sites


When using HTTPS, all the HTTP request and response data is encrypted before being sent across the network. HTTPS works by providing a transport-level cryptographic security layer, using either the Secure Sockets Layer (SSL) or its successor, Transport Layer Security (TLS), underneath HTTP (Figure 14-2). Because SSL and TLS are so similar, in this book we use the term "SSL" loosely to represent both SSL and TLS.

Figure 14-2. HTTPS is HTTP layered over a security layer, layered over TCP


Because most of the hard encoding and decoding work happens in the SSL libraries, web clients and servers don't need to change much of their protocol processing logic to use secure HTTP. For the most part, they simply need to replace TCP input/output calls with SSL calls and add a few other calls to configure and manage the security information.
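The following client shows that layering in practice. It is an added example written for this page, not code from the book: the same HTTP/1.1 request bytes are built for both schemes, and the only difference is whether the TCP socket is wrapped in an SSL/TLS socket before the HTTP traffic is written. It uses only the Python standard library; the hostnames in it are assumed placeholders (example.com is a reserved documentation domain). The make_client_context() function also shows the setting that turns "encrypted" into "server-authenticated": the context must require a certificate and check the hostname, otherwise the client has privacy but no assurance it reached the real server.

```python
"""HTTP vs. HTTPS with the same request bytes and a swapped transport layer.

Added example for this page (not the book's code). Standard library only.
Hostnames below are placeholders; example.com is a reserved documentation domain.
"""
import socket
import ssl
import sys
from urllib.parse import urlsplit


def parse_target(url):
    """Return (host, port, path, use_tls) for an http:// or https:// URL.

    The scheme alone decides whether the TCP stream gets wrapped in SSL/TLS;
    the HTTP message built later is identical either way.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    use_tls = parts.scheme == "https"
    port = parts.port or (443 if use_tls else 80)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return parts.hostname, port, path, use_tls


def build_request(host, path):
    """Plain HTTP/1.1 GET. HTTPS sends exactly these bytes, just encrypted."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def make_client_context():
    """Context that authenticates the server, not just encrypts the link.

    ssl.create_default_context() loads the platform trust store and enables
    both certificate verification (CERT_REQUIRED) and hostname checking.
    """
    return ssl.create_default_context()


def authenticates_server(ctx):
    """True only if ctx rejects unverifiable certificates and mismatched names.

    A context with verify_mode=CERT_NONE or check_hostname=False still
    encrypts, but a phony server could answer and the client would not know.
    """
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def open_transport(host, port, use_tls, ctx=None, timeout=10.0):
    """The one place where 'TCP calls' become 'SSL calls'."""
    raw = socket.create_connection((host, port), timeout=timeout)
    if not use_tls:
        return raw
    ctx = ctx or make_client_context()
    # server_hostname supplies SNI and is the name the certificate is checked against.
    return ctx.wrap_socket(raw, server_hostname=host)


def fetch(url, timeout=10.0):
    """Send one GET over plain TCP or TLS and return the raw response bytes."""
    host, port, path, use_tls = parse_target(url)
    conn = open_transport(host, port, use_tls, timeout=timeout)
    try:
        conn.sendall(build_request(host, path))
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
    finally:
        conn.close()
    return b"".join(chunks)


if __name__ == "__main__":
    # Placeholder target; pass a URL for a server you operate as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "https://example.com/"
    print(fetch(target)[:300].decode("ascii", "replace"))
```

Usage: run the file with an https:// URL and the response arrives through the wrapped socket; run it with an http:// URL and the identical request goes over the raw socket. The HTTP-level code in fetch() never changes, which is the point of the paragraph above: the protocol-processing logic stays the same, and only the transport calls and the context configuration differ.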

 



HTTP: The Definitive Guide
ISBN: 1565925092
Year: 2001
Pages: 294