Sumeet Prajapati

Posted on May 19

HTTP / HTTPS Communication Protocol

#webdev #security #computerscience #web

What is HTTP?

HTTP (HyperText Transfer Protocol), is an application layer protocol used for transmitting hypertext over the Internet.

It is the foundation of data communication for the WWW (World Wide Web), facilitating the exchange of information such as HTML documents, images, videos, and other multimedia between web servers and clients (typically web browsers).

In simple terms, HTTP is like a postman of the internet. It helps to deliver letters (which are like the websites or pictures you see) from the internet to your phone and computer.

What is HTTPS?

HTTPS stands for HyperText Transfer Protocol Secure. It is an extension of HTTP (HyperText Transfer Protocol) that adds a layer of security to the communication between a user's web browser and the web server.

This security is achieved through encryption, ensuring that data transferred over the internet is protected from interception and tampering.

In simple terms, HTTPS is like a postman who puts your letter in a special locked box so only the person you're sending it to can read it, and he makes sure the letter goes to the right person.

Origin and History

In the early 1990s, Tim Berners-Lee and his team at CERN developed HTTP as part of the project that also introduced the world's first web browser, World Wide Web, and web server. This protocol made it easy for researchers to share documents across various systems.

Why was HTTP created? and what problems does it solve?

HTTP was developed to resolve several significant issues in early computer networking and hypertext systems:

Interoperability: Various systems (hardware, operating systems, and applications) required a standardised method for communication over the Internet. HTTP offers a universal language for these interactions.
Resource Access: Before HTTP, accessing diverse types of resources over a network was complicated and inconsistent. HTTP standardises the request and delivery of resources, simplifying the development and usage of web services.
User-Friendly Navigation: The creation of the World Wide Web needed a protocol that could support hypertext links, allowing users to navigate smoothly between web pages.

Where is it used today?

HTTP is integral to modern web browsing and web development. Here's how it's used today:

Web Browser

Users interact with HTTP primarily through web browsers. When you enter a URL in the browser's address bar, the browser sends an HTTP request to the server hosting the website. The server responds with the requested web page, which the browser renders.

Example: Accessing a website

URL: https://www.google.com
Browser sends a GET request: GET / HTTP/1.1 Host: www.google.com
Google’s server responds with the HTML content of the homepage.

Web Development

In web development, HTTP methods are used to perform various operations. For example:

GET: Retrieve data from the server.
POST: Submit data to the server.
PUT: Update existing data on the server.
DELETE: Delete data from the server.

Example: Sending a POST request to a server using html <form>:

<form action="/submit-data" method="POST">
  <input type="text" name="name" />
  <button type="submit">Submit</button>
</form>

APIs

Developers use HTTP to interact with web services through APIs. APIs allow different software systems to communicate with each other using HTTP requests and responses.

Example: Making an API request using curl:

curl -X GET "https://www.example.com/data" -H "Authorization: Bearer token"

Example: Using javascript’s fetch api:

fetch('https://api.example.com/data', {
  headers: { 'Authorization': 'Bearer token' }
})
  .then(response => response.json())
  .then(data => console.log(data))
  .catch(error => console.error('Error:', error));

How HTTP works? A high level overview

HTTP functions as a request-response protocol within the client-server model:

Client Request: A client, often a web browser, sends an HTTP request to a server. This request includes:
- Method: Indicates the desired action (such as GET, POST, PUT, DELETE, etc.). Lead more about HTTP methods here.
- URL: The resource's address.
- Headers: Additional information about the request (like content type, user agent).
- Body: Optional data included with the request (mainly for POST and PUT methods).
Server Processing: The server processes the received request by:
- Analysing the request.
- Retrieving or processing the requested resource.
- Conducting any needed backend operations.
Server Response: The server replies with an HTTP response, which contains:
- Status Line: The HTTP version, status code (like 200 OK, 404 Not Found, etc.), and reason phrase. Lead more about HTTP status here.
- Headers: Additional information about the response (like content type, content length).
- Body: The requested resource or data.

HTTP vs HTTPS some key differences

Security:

HTTP: Data is transmitted in plain text and can be intercepted and read by anyone.
HTTPS: Data is encrypted using TLS/SSL, which protects it from interception and tampering.

Authentication:

HTTP: It doesn't provide any mechanism to verify the server's identity.
HTTPS: It uses digital certificates to confirm the server’s identity, assuring users they are connecting to the correct website.

Performance:

HTTP: It's generally faster because it has fewer overheads as no encryption/decryption processes are involved.
HTTPS: It's slightly slower due to the encryption/decryption overhead, but the performance impact is typically minimal with modern hardware and optimisations.

Trust Indicators:

HTTP: Browsers often show a warning for sites not using HTTPS, particularly if the site manages sensitive information.
HTTPS: Browsers show a padlock icon in the address bar to indicate a secure connection. Some sites might also use Extended Validation (EV) certificates, which display the organisation’s name in the address bar for added trust.
HTTP: Data is sent in plain text and can be intercepted and read by anyone.
HTTPS: Data is encrypted using TLS/SSL, protecting it from interception and tampering.

Evolution of HTTP over the years

HTTP has significantly evolved to enhance performance, security, and capabilities:

HTTP/0.9 (1991): This first version was simple, supporting only the GET method and serving raw HTML without headers or status codes.
HTTP/1.0 (1996): Introduced in RFC 1945, this version added HTTP headers, status codes, and support for various content types, greatly expanding functionality.
HTTP/1.1 (1997): Defined in RFC 2068 and later updated in RFC 2616, it brought several key improvements:
- Persistent Connections: Connections can be reused for multiple requests/responses, reducing latency.
- Chunked Transfer Encoding: Data can be sent in chunks, useful for streaming vast amounts of data.
- Additional Methods: It added more HTTP methods (e.g., OPTIONS, PUT, DELETE).
- Caching Mechanisms: It improved cache control to decrease redundant data transfers.
HTTP/2 (2015): Published as RFC 7540, it aimed to improve performance and efficiency:
- Binary Protocol: It switched from text-based to binary framing for quicker parsing and reduced latency.
- Multiplexing: It allows for multiple requests/responses to be sent simultaneously over a single connection.
- Header Compression: It uses HPACK to reduce overhead.
- Server Push: It enables servers to preemptively send resources to clients.
HTTP/3 (Ongoing): Currently in development and early deployment RFC 9114, based on QUIC (a transport layer protocol over UDP):
- Reduced Latency: It provides faster connection establishment and reduced latency by eliminating TCP's handshake overhead.
- Improved Security: It has integrated encryption from the start, enhancing security.

Visit this link to get a better understanding of individual features added with each version.

Who Makes the HTTP Work?

The Internet Engineering Task Force (IETF) and the World Wide Web Consortium (W3C) primarily handle the creation, development, and maintenance of HTTP and its versions.

Internet Engineering Task Force (IETF)

The IETF is an open standards organisation that develops and promotes voluntary Internet standards, mostly in relation to the TCP/IP protocol suite. Here's how the IETF interacts with HTTP:

Certain working groups within the IETF concentrate on different aspects of web protocols. The HTTP Working Group (HTTP WG) is in charge of creating and maintaining the standards for HTTP.

The IETF releases specifications through Request for Comments (RFCs). These documents undergo extensive peer review and refinement before they are finalised. Each major version of HTTP is described in an RFC:

HTTP/0.9: W3C 1991
HTTP/1.0: RFC 1945
HTTP/1.1: RFC 2068, later updated to RFC 2616
HTTP/2: RFC 7540
HTTP/3: RFC 9114

The IETF functions based on a consensus approach. Proposed modifications and new features are debated and reviewed by the working group members and the wider IETF community, including implementers, researchers, and other stakeholders.

World Wide Web Consortium (W3C)

The W3C is an international community that develops open standards to promote the long-term growth of the Web. While the IETF is responsible for the core HTTP protocol, the W3C plays a significant role in related web standards, such as HTML, CSS, and various web APIs. Collaboration between the IETF and W3C ensures seamless integration of web technologies.

The W3C and IETF work together to ensure that developments in HTTP align with broader web standards. This coordination helps ensure new HTTP features support the requirements of modern web applications.

The W3C establishes standards for technologies that utilise HTTP, promoting interoperability and consistency across different web browsers and platforms.

The Process of Developing HTTP Standards

The process often begins with individuals or organisations proposing new features or updates to the HTTP protocol. These proposals are usually documented in Internet-Drafts, which are preliminary versions of Request for Comments (RFCs).
The HTTP WG (Working Group) discusses these proposals. Discussions may occur via mailing lists, working group meetings, and conferences.
Multiple stakeholders frequently implement and test proposed changes to assess their effectiveness and interoperability. This implementation feedback fuels further refinements.
Once the working group reaches a consensus, the proposal is submitted for approval. It undergoes a comprehensive review process to ensure it meets the required standards for security, performance, and compatibility.
Once approved, the final document is published as an RFC, serving as the official specification for the protocol or feature.
The protocol undergoes continuous review and updates as needed. Issues, bugs, and new requirements are addressed through updates to existing RFCs or the creation of new ones.

Key Organisations and Figures

Tim Berners-Lee: Often recognised as the inventor of the World Wide Web, Berners-Lee developed the initial version of HTTP in 1989 while employed at CERN.

HTTP Working Group (HTTP WG): This team within the IETF presently oversees the continual development and upkeep of the HTTP protocol. Composed of engineers, researchers, and professionals from diverse organisations, the group collaborates to enhance and advance HTTP.

Chairs and Editors: Each working group includes chairs and editors who guide discussions and oversee the documentation process. These individuals play pivotal roles in steering the evolution of HTTP standards.

Conclusion

HTTP is a foundational protocol that powers the World Wide Web. It has transformed significantly since its inception, adjusting to technological advancements and the growing needs of internet users.

Today, HTTP is vital for web browsing, API interactions, and web development, offering a sturdy framework for data exchange over the Internet. A deep understanding of HTTP's history, operations, and current applications is pivotal for anyone engaged in web technologies.

Visit the below links to learn more about HTTP / HTTPS and web standards in general.

IETF - https://www.ietf.org/

W3C - https://www.w3.org/

CERN - https://home.cern/

MDN - https://developer.mozilla.org/en-US/docs/Web/HTTP