HTTP2 Flashcards
What is HTTPS?
HTTPS is a secure version of HTTP, inserting an additional layer between HTTP and TCP called TLS or SSL (Transport Layer Security or Secure Sockets Layer, respectively)
In what port does HTTPS work?
443
How is a connection established?
resolve IP address from host name via DNS; establish a connection with the server; send a request; wait for a response; close connection
Connection: close
tells the server to close the connection after sending the response
Server-side Connection Handling
establishing a socket to start listening on port 80 (or some other port); receiving the request and parsing the message; processing the response; setting response headers; sending the response to the client; close the connection if a Connection: close request header was found
Different ways a server can collect information for identification and authentication
Request headers: From, Referer, User-Agent; Client-IP; Fat Urls - storing state of the current user by modifying the URL and redirecting to a different URL on each click; each click essentially accumulates state; Cookies
Cookies - server side
Cookies allow the server to attach arbitrary information for outgoing responses via the Set-Cookie response header. A cookie is set with one or more name=value pairs separated by semicolon (;), as in Set-Cookie: session-id=12345ABC; username=nettuts
Cookies - browser side
Cookies are automatically sent by the browser for each request made to a server, and the browser ensures that only the domain- and path-specific cookies are sent in the request. The request header Cookie: name=value [; name2=value2] is used to send these cookies to the server.
Basic Authentication
In Basic Authentication, the server initially denies the client’s request with a WWW-Authenticate response header and a 401 Unauthorized status code. On seeing this header, the browser displays a login dialog, prompting for a username and password.
Proxy Authentication
Instead of a web server, the authetication challenge is requested by an intermediate proxy. The proxy sends a Proxy-Authenticate header with a 407 Unauthorized status code. In return, the client is supposed to send the credentials via the Proxy-Authorization request header.
Digest Authentication
similar to Basic but uses a more secure hashing function to encrypt the username and password
how to make the web application work over HTTPS?
you need to have a working digital certificate deployed on the server. Once the certificate is verified, the SSL handshake is complete and secure transmission is in effect.
Certificates information
the certificate issuer
the algorithm used for the certificate
the subject name or organization for whom this cert is created
the public key information for the subject
the Certification Authority Signature, using the specified signing algorithm
Private cache
within a browser, caches usernames, passwords, URLs, browsing history and web content. They are generally small and specific to a user
Public cache
deployed as caching proxies between the server and client. These are much larger because they serve multiple users. A common practice is to keep multiple caching proxies between the client and the origin-server. This helps to serve frequently accessed content, while still allowing a trip to the server for infrequently needed content.