S-HTTP
Secure Hypertext Transfer Protocol (S-HTTP) is an obsolete alternative to the HTTPS protocol for encrypting web communications carried over the Internet. It was developed by Eric Rescorla and Allan M. Schiffman at EIT in 1994 and published in 1999 as RFC 2660. Netscape's dominance of the browser market led to HTTPS becoming the de facto method for securing web communications.


Comparison to HTTP over TLS (HTTPS)

S-HTTP encrypts only the served page data and submitted data like POST fields, leaving the initiation of the protocol unchanged. Because of this, S-HTTP could be used concurrently with HTTP (unsecured) on the same port, as the unencrypted header would determine whether the rest of the transmission is encrypted. In contrast, HTTP over TLS wraps the entire communication within Transport Layer Security (TLS; formerly SSL), so the encryption starts before any protocol data is sent. This creates a name-based virtual hosting "chicken and egg" issue with determining which DNS name was intended for the request. This means that HTTPS implementations without Server Name Indication (SNI) support require a separate IP address per DNS name, and all HTTPS implementations require a separate port (usually 443 vs. HTTP's standard 80) for unambiguous use of encryption (treated in most browsers as a separate URI scheme, https://).

As documented in RFC 2817, HTTP can also be secured by implementing HTTP/1.1 Upgrade headers and upgrading to TLS. Running HTTP over TLS negotiated in this way does not have the implications of HTTPS with regards to name-based virtual hosting (no extra IP addresses, ports, or URI space). However, few implementations support this method.

In S-HTTP, the desired URL is not transmitted in the cleartext headers, but left blank; another set of headers is present inside the encrypted payload. In HTTP over TLS, all headers are inside the encrypted payload and the server application does not generally have the opportunity to gracefully recover from TLS fatal errors (including 'client certificate is untrusted' and 'client certificate is expired').
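As an added illustration (not code from the article or from either protocol's implementations), the Python sketch below models a hypothetical listener on one port that inspects the first bytes of a connection and reports what is readable without decryption: a plain HTTP request exposes method, URL and Host; an S-HTTP request is still HTTP-shaped but its cleartext request line carries `*` instead of the URL (the RFC 2660 form `Secure * Secure-HTTP/1.4`); a TLS ClientHello is not HTTP at all and exposes only the SNI hostname, if the client sends one. The ClientHello builder and all sample messages are constructed for this demonstration.

```python
import re
import struct

# RFC 2660 request line: the Request-URI is "*", the real one is encrypted.
SHTTP_LINE = re.compile(rb"^Secure \* Secure-HTTP/1\.4\r\n")
HTTP_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")

def sni_from_client_hello(rec: bytes):
    """Walk a TLS ClientHello record and return its server_name, if present."""
    if rec[:1] != b"\x16" or rec[5:6] != b"\x01":
        return None
    p = 9 + 2 + 32                                   # record+handshake hdrs, version, random
    p += 1 + rec[p]                                  # session_id
    p += 2 + struct.unpack(">H", rec[p:p + 2])[0]    # cipher_suites
    p += 1 + rec[p]                                  # compression_methods
    if p >= len(rec):                                # no extensions block at all
        return None
    end = p + 2 + struct.unpack(">H", rec[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack(">HH", rec[p:p + 4])
        p += 4
        if ext_type == 0:    # server_name: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack(">H", rec[p + 3:p + 5])[0]
            return rec[p + 5:p + 5 + name_len].decode("ascii")
        p += ext_len
    return None

def classify(initial: bytes) -> dict:
    """Protocol guess plus the URL and hostname visible without decryption."""
    if initial[:2] == b"\x16\x03":                   # TLS handshake record, not HTTP
        return {"protocol": "https", "url": None, "host": sni_from_client_hello(initial)}
    if SHTTP_LINE.match(initial):                    # HTTP-shaped, but URL is blank
        return {"protocol": "s-http", "url": None, "host": None}
    m = HTTP_LINE.match(initial)
    if m:
        host = re.search(rb"\r\nHost: ([^\r\n]+)", initial)
        return {"protocol": "http", "url": m.group(2).decode(),
                "host": host.group(1).decode() if host else None}
    return {"protocol": "unknown", "url": None, "host": None}

def make_client_hello(sni):
    """Constructed minimal TLS 1.2 ClientHello; sni=None models a pre-SNI client."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
    if sni is not None:
        name = sni.encode()
        data = struct.pack(">HBH", len(name) + 3, 0, len(name)) + name
        ext = struct.pack(">HH", 0, len(data)) + data
        body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs
```

The `make_client_hello(None)` case is the pre-SNI situation described above: the server sees an encrypted-from-the-start connection with no hostname, so it cannot pick a virtual host and needs one IP address per name.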




External links


RFC 2660 The Secure HyperText Transfer Protocol