httpd-users mailing list archives

From geb...@ameritech.net
Subject Re: [users@httpd] How does HTTPS work?
Date Tue, 01 Apr 2003 02:42:46 GMT

I think you're mixing up http(s) headers and packet headers.  The latter 
are visible to the proxy server but not the former.

ken

At 10:16 (UTC-0800) on Mon, 31 Mar 2003 Rufoo said:

= What misled me is that I forgot that HTTPS
= communication takes over a totally different port -
= 443 and not 80, that is both http and https cannot go
= over the same wire. 
= 
= Now, how do proxies work for https? proxies rely on
= the http(s) headers, which are now not available.
= Also, what is the semantics for page caching? 
= 
= Thanks
= rf
= 
= 
= --- Jurgen <apache@squarehosting.com> wrote:
= > Well rf,
= > 
= > there are no headers to see because all of it is
= > encrypted. You will not be able to read anything at
= > all.
= > Imagine the web server sets a cookie as a session
= > id for a login into sensitive data. The browser
= > would submit the cookie in the http headers and
= > anyone listening could simply join the session and
= > act as the actual owner of the account with the
= > sensitive data.
= > The connection established between the client and
= > server is an encrypted connection where absolutely
= > everything is encrypted through a secure socket.
= > That's why it is called secure socket layer (SSL)
= > and not secure http layer, which could be the name
= > of what you seem to think.
= > The secure socket layer is simply a layer between
= > tcp and http. Somehow embedded in the secure socket
= > layer is a regular http connection.
= > 
= > You also seem to have a wrong perception of headers.
= > A http connection is not really something
= > sophisticated from the transmission point of view.
= > The client simply transmits a chunk of text and the
= > server answers with another junk. That's it. Not
= > even the headers are transmitted in a separate way.
= > They are simply the start of this junk of text
= > separated by 2 line breaks. In https when these
= > headers are transmitted they are just a part of the
= > encrypted chunk of text and therefore you can't read
= > them.
= > 
= > If there is anything you don't understand now let us
= > know.
= > 
= > Jurgen
= > 
= > 
= > On Mon, 31 Mar 2003 03:04:05 -0800 (PST)
= > Rufoo <rufoo2001@yahoo.com> wrote:
= > 
= > > 
= > > --- Boyle Owen <Owen.Boyle@swx.com> wrote:
= > > > >-----Original Message-----
= > > > >From: Rufoo [mailto:rufoo2001@yahoo.com]
= > > > >
= > > > >For a https:// url, after the browser and server
= > > > >negotiate on the certificates and the session key, the
= > > > >browser encrypts all the communication with this key.
= > > > >I want to see a 'sample HTTPS session', with the
= > > > >browser doing the above and then sending the GET/POST
= > > > >request with the encrypted content. Are any additional
= > > > >headers sent in the case of HTTPS?
= > > > 
= > > > How can you see the session if it's all encrypted
= > > > :-)
= > > > 
= > > 
= > > 
= > > I do not want to *understand* or *interpret* the data,
= > > I just want to see the HTTP Headers (which I don't
= > > think are encrypted) followed by the MIME part of the
= > > encrypted data (Yeah this is another question - is the
= > > encrypted data sent as HTTP body or as a MIME part?).
= > > 
= > > 
= > > > The HTTPS protocol is quite different from HTTP - it starts off with
= > > > client_hello and server_hello and so on. Once the session is
= > > > established, it is plain HTTP but all requests and responses are
= > > > encrypted. Check out the mod_ssl docs for an overview
= > > > (http://www.modssl.org/docs/2.8/ssl_intro.html) and the refs therein
= > > > (esp. http://wp.netscape.com/eng/ssl3/draft302.txt)
= > > > 
= > > 
= > > This doc says the SSL layer sits in between TCP and
= > > HTTP. So I am interested in what SSL writes over TCP.
= > > I do not want it all, just a simple example as
= > > ordinary HTTP is explained in
= > > http://www.jmarshall.com/easy/http/
= > > 
= > > 
= > > > >
= > > > >Looking at the RAW HTTP data, can one identify if it's
= > > > >a http session or https session?
= > > > 
= > > > If you can read it, it's not HTTPS...
= > > > 
= > > 
= > > Now that I have explained what I am really looking
= > > for, I ask this again: When the SSL layer writes to
= > > the TCP layer, does it put any additional headers that
= > > identify that this URL has an 'https'. Do not say
= > > that if you cannot read the body content it is https -
= > > I might be sending the same over plain http too. I
= > > hope you get it.
= > > 
= > > Thanks again, and if this is not related to this
= > > mailing list, please let me know who can help me.
= > > -rf


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
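
Added example (not part of the original thread, and not mod_ssl or httpd code): the one thing the SSL/TLS layer leaves readable on the wire is its own 5-byte record header (content type, version, length), which is how an observer can tell an SSL stream from plain HTTP without seeing any HTTP header. The sample byte strings are constructed and the function names are this example's own.

```python
import struct

# Record-layer content types from the SSL 3.0 / TLS specifications.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ")

def classify_stream(data: bytes) -> str:
    """Guess from the first bytes whether a TCP stream is HTTP or SSL/TLS."""
    if data.startswith(HTTP_METHODS):
        return "http"
    if len(data) >= 5:
        ctype, major, _minor, length = struct.unpack("!BBBH", data[:5])
        # A fresh connection starts with a handshake record, major version 3.
        if ctype == 22 and major == 3 and 0 < length <= 2**14 + 2048:
            return "tls"
    return "unknown"

def walk_records(data: bytes):
    """Yield (type_name, version, payload_length) for each complete record."""
    offset = 0
    while offset + 5 <= len(data):
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, offset)
        if ctype not in CONTENT_TYPES or offset + 5 + length > len(data):
            break  # not a record, or a truncated capture
        yield CONTENT_TYPES[ctype], (major, minor), length
        offset += 5 + length

# Constructed sample streams (not captured traffic).
PLAIN_HTTP = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
# A handshake record holding only a 4-byte handshake header for client_hello
# (type 1), then an application_data record whose 16 payload bytes stand in
# for ciphertext; the request line and HTTP headers would be inside it.
TLS_STREAM = (b"\x16\x03\x00\x00\x04" + b"\x01\x00\x00\x00"
              + b"\x17\x03\x00\x00\x10" + bytes(range(16)))

if __name__ == "__main__":
    for name, stream in (("plain", PLAIN_HTTP), ("tls", TLS_STREAM)):
        print(name, classify_stream(stream), list(walk_records(stream)))
```

The record header says nothing about the URL, the method or the HTTP headers; only the record type, protocol version and payload length are exposed.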

