HTTP over SSL / TLS or HTTPS
May 28, 2008 1 Comment
HTTP is an application Layer protocol from TCP/IP protocol layer’s perspective. Http is implemented on top of TCP, which means HTTP usages TCP as transport protocol. TLS/SSL is a security mechanism/protocol to secure the transport layer and basically TCP. The term “to secure” in the previous sentence does not mean that it will change the TCP protocol and make it secure instead it will add an extra layer of protocol on top TCP to provide security. Now the application protocol HTTP who were using TCP directly will use TLS APIs to call TCP API calls and make them secure from communication security perspective. The protocol stack can represented as in the figure below, which shows how the new TLS/SSL stack is introduced horizontally between the HTTP and TCP.
Now as communication security is concerned, how does HTTP achieves them is can be described with respect to the three basic goals of communication security i.e. (1) End point Authentication, (2) Confidentiality and (3) Data Integrity. TLS/SSL defines how these goals can be achieved.
Now most important and probably difficult part is the “End point Authentication”, because it deals with certificates and some very complicated concepts. In this step the client and server authenticated their identity. But most of the case, does not do a client authentication because it is not required from the application logic point of view and also makes the process more difficult.
Some nice readings on TLS/SSL and programming TLS with openSSL
- Wiki : TLS
- SSL and TLS: Designing and Building Secure Systems, this book also contains programming TLS /SSL with openSSL and TrueTLS in Java and C
- OpenSSL : The SSL/TLS library
- IBM article on OpenSSL