The TCP/IP Guide  9  TCP/IP Application Layer Protocols, Services and Applications (OSI Layers 5, 6 and 7)       9  TCP/IP Key Applications and Application Protocols            9  TCP/IP File and Message Transfer Applications and Protocols (FTP, TFTP, Electronic Mail, USENET, HTTP/WWW, Gopher)                 9  TCP/IP World Wide Web (WWW, "The Web") and the Hypertext Transfer Protocol (HTTP)                      9  TCP/IP Hypertext Transfer Protocol (HTTP)                           9  HTTP Features, Capabilities and Issues

HTTP Proxy Servers and Proxying 1 2 HTTP State Management Using "Cookies"

There are a number of different protocols in this Guide where I address security considerations. Usually, I start out by saying something to the effect that the protocol doesn’t include much in the way of security, because when it was first developed, the Internet was small and used by a tight-knit group, so security wasn’t a big concern. Today, the Internet is globe-spanning and used by millions of strangers, making security a big deal indeed, blah blah blah. J

Well, in the case of the World Wide Web this is true, but the issue is even more important due to the significance of the changes in the content of what HTTP messages carry. HTTP has become the vehicle for transporting any and every kind of information, including a large amount of personal data. HTTP was initially designed to carry academic documents such as memos about research projects, but today is more likely to carry someone’s mortgage application, credit card details or medical details. Thus, not only does HTTP have the usual security issues such as preventing unauthorized access, it needs to deal with privacy concerns as well.

The main HTTP/1.1 standard, RFC 2616, also does not deal extensively with security matters. These are addressed in detail instead in the companion document, RFC 2617, which explains the two methods of HTTP authentication. Highly summarized, they are:

• Basic Authentication: This is a conventional user/password type of authentication. When a client sends a request to a server that requires authentication to access a resource, the server sends a response to the client’s initial request that contains a WWW-Authenticate header. The client then sends a new request containing the Authorization header, which carries a base64-encoded username and password combination.
  
  
• Digest Authentication: Basic authentication is not considered strong security because it sends credentials “in the clear”, which means that they can be intercepted. Digest authentication uses the same headers as basic authentication, but employs more sophisticated techniques, including encryption, that protect against a malicious person “snooping” credentials information. Digest authentication is not considered as strong as public key encryption, but is a lot better than basic authentication. It’s also a darn sight more complicated. The full details of how it works are in RFC 2617.

HTTP Proxy Servers and Proxying 1 2 HTTP State Management Using "Cookies"