HTTP Security and Privacy
(Page 1 of 2)

There are a number of different protocols in this Guide where I address security considerations. Usually, I start out by saying something to the effect that the protocol doesn’t include much in the way of security, because when it was first developed, the Internet was small and used by a tight-knit group, so security wasn’t a big concern. Today, the Internet is globe-spanning and used by millions of strangers, making security a big deal indeed, blah blah blah. :)

Well, in the case of the World Wide Web this is true, but the issue is even more important due to the significance of the changes in the content of what HTTP messages carry. HTTP has become the vehicle for transporting any and every kind of information, including a large amount of personal data. HTTP was initially designed to carry academic documents such as memos about research projects, but today is more likely to carry someone’s mortgage application, credit card details or medical details. Thus, not only does HTTP have the usual security issues such as preventing unauthorized access, it needs to deal with privacy concerns as well.

HTTP Authentication Methods

The main HTTP/1.1 standard, RFC 2616, also does not deal extensively with security matters. These are addressed in detail instead in the companion document, RFC 2617, which explains the two methods of HTTP authentication. Highly summarized, they are:

  • Basic Authentication: This is a conventional user/password type of authentication. When a client sends a request to a server that requires authentication to access a resource, the server sends a response to the client’s initial request that contains a WWW-Authenticate header. The client then sends a new request containing the Authorization header, which carries a base64-encoded username and password combination.

  • Digest Authentication: Basic authentication is not considered strong security because it sends credentials “in the clear”, which means that they can be intercepted. Digest authentication uses the same headers as basic authentication, but employs more sophisticated techniques, including encryption, that protect against a malicious person “snooping” credentials information. Digest authentication is not considered as strong as public key encryption, but is a lot better than basic authentication. It’s also a darn sight more complicated. The full details of how it works are in RFC 2617.
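The two exchanges described above, worked through in code. This is an added example and not part of The TCP/IP Guide; the function names are my own, and the sample credentials, nonces and expected values are the ones given as examples in RFC 2617 itself (sections 2 and 3.5), so the output can be checked against the standard. The server-side Digest check is written the way a defender would want it: it rejects a nonce the server never issued and compares the response in constant time.

```python
import base64
import hashlib
import hmac
import re

# ---------------- Basic authentication (RFC 2617 section 2) ----------------

def basic_challenge(realm):
    """Server side: WWW-Authenticate header value sent with a 401 response."""
    return f'Basic realm="{realm}"'

def basic_authorization(username, password):
    """Client side: Authorization header value. base64 is an encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def basic_decode(header_value):
    """Recover the credentials from a Basic header. Anyone who can observe the
    request on the wire can do exactly this, which is why Basic needs TLS."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, pw = base64.b64decode(token).decode("utf-8").partition(":")
    return user, pw

# ---------------- Digest authentication (RFC 2617 section 3, qop=auth) ----------------

def _h(s):
    # RFC 2617 uses MD5 for H(); it is a hash, not an encryption step.
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """The 'response' field: H(H(A1):nonce:nc:cnonce:qop:H(A2)).
    The password itself never crosses the wire, only this digest does."""
    ha1 = _h(f"{username}:{realm}:{password}")      # A1 = user:realm:password
    ha2 = _h(f"{method}:{uri}")                      # A2 = method:uri
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def digest_challenge(realm, nonce):
    """Server side: WWW-Authenticate header value with a server-chosen nonce."""
    return f'Digest realm="{realm}", qop="auth", nonce="{nonce}"'

def digest_authorization(username, realm, password, method, uri, nonce, cnonce, nc="00000001"):
    """Client side: Authorization header value answering the challenge."""
    resp = digest_response(username, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')  # key="quoted" or key=token

def parse_digest(header_value):
    """Parse the key=value list of a Digest header into a dict."""
    scheme, _, params = header_value.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest credential")
    return {k: q or u for k, q, u in _PARAM.findall(params)}

def server_verify_digest(header_value, method, uri, realm, password_for, issued_nonces):
    """Server side check of a client's Digest credential.
    password_for(username) returns the stored secret or None (RFC 2617 also
    permits storing H(A1) instead of the password); issued_nonces is the set of
    nonces this server actually handed out, so a response built on a nonce we
    never issued is refused outright."""
    p = parse_digest(header_value)
    required = ("username", "realm", "nonce", "uri", "nc", "cnonce", "response")
    if any(k not in p for k in required) or p.get("qop", "auth") != "auth":
        return False
    if p["realm"] != realm or p["uri"] != uri or p["nonce"] not in issued_nonces:
        return False
    password = password_for(p["username"])
    if password is None:
        return False
    expected = digest_response(p["username"], realm, password, method, uri,
                               p["nonce"], p["nc"], p["cnonce"])
    # Constant-time comparison so the check does not leak how many hex digits matched.
    return hmac.compare_digest(expected, p["response"])

if __name__ == "__main__":
    # Basic: the RFC 2617 section 2 example credentials.
    hdr = basic_authorization("Aladdin", "open sesame")
    print(hdr, "->", basic_decode(hdr))
    # Digest: the RFC 2617 section 3.5 example exchange.
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    print(digest_challenge("testrealm@host.com", nonce))
    auth = digest_authorization("Mufasa", "testrealm@host.com", "Circle Of Life",
                                "GET", "/dir/index.html", nonce, "0a4f113b")
    print(auth)
    ok = server_verify_digest(auth, "GET", "/dir/index.html", "testrealm@host.com",
                              lambda u: "Circle Of Life" if u == "Mufasa" else None, {nonce})
    print("server accepts:", ok)
```

Running it shows the two differences the text is getting at: `basic_decode` turns the Basic header straight back into `Aladdin` / `open sesame`, whereas the Digest header carries only a hash that changes with every server nonce, so a captured credential cannot simply be read off (though it can still be guessed offline, which is why the text ranks Digest below public-key methods). On the server, `digest_response` is recomputed from the stored secret and compared with `hmac.compare_digest`; a real deployment would also track the `nc` counter per nonce to catch replays, which this example leaves out.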

The TCP/IP Guide (http://www.TCPIPGuide.com)
Version 3.0 - Version Date: September 20, 2005

© Copyright 2001-2005 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.