Illustrated HTTP (IV)
Response header fields
Accept-Ranges
Used to tell the client whether the server can handle range requests, which ask for a specified section of a resource on the server side.
Age
Tells the client how long ago the origin server created the response.
ETag
Tells the client the entity tag that identifies the resource.
Location
Directs the recipient of the response to a resource URI different from the one requested.
Entity header fields
Allow
Notifies the client of all HTTP methods the server supports for the resource specified by the Request-URI.
Content-Encoding
Tells the client which content encoding the server selected for the entity body.
Content-Language
Tells the client the natural language used in the entity body.
Content-Length
Indicates the size of the entity body.
Content-Location
Gives the URI corresponding to the entity body of the message.
Content-MD5
Used to check whether the message body arrived intact, without alteration during transmission.
Content-Type
Describes the media type of the object in the entity body.
Expires
Tells the client the date after which the resource is no longer valid.
Last-Modified
Indicates the time the resource was last modified.
Header fields for the cookie service
The cookie mechanism serves user identification and state management. To manage user state, a Web site temporarily writes some data to the user's computer through the Web browser. When the user visits the Web site again, the cookie issued earlier is sent along with the communication, and the site can retrieve it.
Set-Cookie
Response header field carrying the cookie information the server issues to the client in order to begin state management.
Cookie
Request header field that tells the server the client wants HTTP state management support; the client includes the cookies it previously received from that server in the request.
Ensuring Web security with HTTPS
Shortcomings of HTTP
Communication in plain text can be eavesdropped on
Because of the working mechanism of the TCP/IP protocol suite, the content of communication on any communication line may be spied on. Even if the communication has been encrypted, its content can still be observed in transit; encryption only keeps the meaning hidden.
Among the countermeasures against eavesdropping in use today, the most widespread is encryption.
One approach is to encrypt the communication. HTTP itself has no encryption mechanism, but by combining it with SSL (Secure Sockets Layer) or TLS (Transport Layer Security), the content of HTTP communication can be encrypted. HTTP used in combination with SSL is called HTTPS (HTTP Secure).
The other approach is to encrypt the content being communicated itself, that is, to encrypt the content carried inside the HTTP message.
Without verifying the identity of the communicating party, one may encounter impersonation
In HTTP communication there is no step for confirming the identity of the communicating party, so anyone can initiate a request. The following risks exist:
- It cannot be determined whether the Web server the request is sent to is the server that returns responses as genuinely intended. It may be an impersonating Web server.
- It cannot be determined whether the client the response is returned to is the client genuinely intended to receive it. It may be an impersonating client.
- It cannot be determined whether the party being communicated with has access permission. Some Web servers hold important information and want to grant communication permission only to specific users.
- It cannot be determined where a request came from or who issued it.
- Even meaningless requests are accepted as they come. A DoS attack (Denial of Service) made up of massive numbers of requests cannot be prevented.
Although HTTP cannot determine the communicating party, SSL can. SSL provides not only encryption but also a mechanism called certificates, which can be used to identify the communicating party.
Message integrity cannot be proven; messages may have been tampered with
There is no way to confirm that the request/response sent and the request/response received are identical.
HTTP + encryption + authentication + integrity protection = HTTPS
HTTP with encryption, authentication and integrity protection added is HTTPS.
HTTPS is HTTP wrapped in an SSL shell
Public-key encryption for exchanging keys between the parties
SSL uses public-key encryption as its encryption method.
In modern encryption algorithms the algorithm is public and only the key is kept secret.
Public-key encryption solves the difficulty of shared-key encryption (distributing the shared key safely). Public-key encryption uses a pair of asymmetric keys: one is called the private key, the other the public key.
HTTPS uses a hybrid encryption mechanism that combines shared-key encryption and public-key encryption: public-key encryption is used to exchange the shared key, and the shared key then encrypts the communication content.
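As an added example that is not part of the book or these notes, the following Python models the hybrid mechanism just described: textbook RSA with tiny constructed primes (P, Q and E are assumed toy values) transports a shared key, and a SHA-256 keystream stands in for the shared-key cipher. It is a teaching model of the structure only, not real TLS.

```python
# Toy model of the HTTPS hybrid scheme: public-key encryption transports a
# shared key, the shared key encrypts the message body. Constructed example,
# not real TLS; the RSA primes are far too small to be secure.
import hashlib
import os

P, Q, E = 61, 53, 17              # assumed toy values: n = 3233, phi = 3120


def rsa_keypair(p=P, q=Q, e=E):
    """Server key pair: returns ((e, n), (d, n)); d is the private exponent."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)           # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def rsa_encrypt_key(shared_key, public_key):
    """Client side: encrypt each byte of the shared key with the public key."""
    e, n = public_key
    return [pow(b, e, n) for b in shared_key]


def rsa_decrypt_key(blocks, private_key):
    """Server side: recover the shared key with the private key."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in blocks)


def stream_xor(key, data):
    """Shared-key part: XOR with a SHA-256 keystream; symmetric, so the
    same function both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def https_like_exchange(body):
    """Run the whole hybrid exchange; returns the body as the server reads it."""
    public_key, private_key = rsa_keypair()           # server publishes public_key
    shared_key = os.urandom(16)                       # client picks a session key
    wrapped = rsa_encrypt_key(shared_key, public_key)  # only the server can unwrap
    ciphertext = stream_xor(shared_key, body)         # body under the shared key
    server_key = rsa_decrypt_key(wrapped, private_key)
    return stream_xor(server_key, ciphertext)
```

An eavesdropper on the line sees `wrapped` and `ciphertext` but, lacking the private key, learns neither the shared key nor the body.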
HTTPS secure communication mechanism
Original: Large column (大专栏), Illustrated HTTP study notes (IV)