Making HTTP Safe

People use web transactions for serious things. Without strong security, people wouldn’t feel comfortable doing online shopping and banking. Without being able to restrict access, companies couldn’t place important documents on web servers. The Web requires a secure form of HTTP.

The previous chapters talked about some lightweight ways of providing authentication (basic and digest authentication) and message integrity (digest qop="auth-int"). These schemes are good for many purposes, but they may not be strong enough for large purchases, bank transactions, or access to confidential data: they rely on MD5, they cover only parts of the message, and they do nothing to hide its contents. For these more serious transactions, we combine HTTP with digital encryption technology.
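To make the "lightweight" integrity protection concrete before moving on, here is the digest qop="auth-int" computation worked end to end, as an added example (this is not code from the book). Usernames, realm, password, nonce, client nonce, URI and request bodies are constructed values for this illustration. The client builds an Authorization header over the request body; the server recomputes the response from its stored password and rejects a request whose body was altered in transit. The same check with qop="auth" shows why the body must be included: a plain auth digest accepts the tampered body.

```python
"""Digest access authentication with qop="auth-int" (RFC 2617), client and server side.

Added example, not code from HTTP: The Definitive Guide. All credentials, nonces
and request bodies below are constructed test data.
"""
import hashlib
import hmac
import re


def md5hex(data) -> str:
    """Lowercase-hex MD5 of a str or bytes (RFC 2617's default algorithm)."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    return hashlib.md5(data).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop, body=b""):
    """The 'response' value of a Digest Authorization header (RFC 2617 section 3.2.2)."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    if qop == "auth-int":
        ha2 = md5hex(f"{method}:{uri}:{md5hex(body)}")   # entity body is covered
    elif qop == "auth":
        ha2 = md5hex(f"{method}:{uri}")                  # entity body is NOT covered
    else:
        raise ValueError(f"unsupported qop: {qop!r}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(creds, method, uri, nonce, nc, cnonce, qop, body):
    """Client side: produce the Authorization header line for one request."""
    resp = digest_response(creds["username"], creds["realm"], creds["password"],
                           method, uri, nonce, nc, cnonce, qop, body)
    return (f'Digest username="{creds["username"]}", realm="{creds["realm"]}", '
            f'nonce="{nonce}", uri="{uri}", qop={qop}, nc={nc}, '
            f'cnonce="{cnonce}", response="{resp}"')


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_authorization(header):
    """Server side: split 'Digest k=v, k="v", ...' into a dict of fields."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    fields = {}
    for m in _PARAM.finditer(rest):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def server_verify(header, method, body, password_db):
    """Server side: recompute the response from the stored password and compare.

    A real server also checks that the nonce was issued by it, is still fresh,
    and that the nc counter has not been seen before (replay protection).
    """
    p = parse_authorization(header)
    password = password_db.get(p["username"])
    if password is None:
        return False
    expected = digest_response(p["username"], p["realm"], password, method, p["uri"],
                               p["nonce"], p["nc"], p["cnonce"], p["qop"], body)
    # Constant-time comparison so a wrong response leaks nothing via timing.
    return hmac.compare_digest(expected, p["response"])


# Constructed test data for this example: not real credentials or a real nonce.
PASSWORD_DB = {"bob": "correct horse"}
CREDS = {"username": "bob", "realm": "shop.example.com", "password": "correct horse"}
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
ORIGINAL_BODY = b"item=42&qty=1&ship_to=home"
TAMPERED_BODY = b"item=42&qty=1&ship_to=elsewhere"


def tamper_detected(qop):
    """Sign ORIGINAL_BODY with the given qop, then verify both bodies server-side.

    Returns (original_accepted, tampered_accepted).
    """
    header = build_authorization(CREDS, "POST", "/cart/checkout", NONCE,
                                 "00000001", "0a4f113b", qop, ORIGINAL_BODY)
    return (server_verify(header, "POST", ORIGINAL_BODY, PASSWORD_DB),
            server_verify(header, "POST", TAMPERED_BODY, PASSWORD_DB))


if __name__ == "__main__":
    print("auth-int:", tamper_detected("auth-int"))   # (True, False)
    print("auth:    ", tamper_detected("auth"))       # (True, True)
```

Even with auth-int, only the entity body and a few header fields (method, URI) are bound to the password; the other headers, the response from the server, and the confidentiality of everything on the wire are left to whatever sits underneath HTTP, which is exactly the gap the rest of this chapter fills.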

A secure version of HTTP needs to be efficient, portable, easy to administer, and adaptable to the changing world. It also has to meet societal and governmental requirements. We need a technology for HTTP security that provides:

  • Server authentication (clients know they’re talking to the real server, not a phony)

  • Client authentication (servers know they’re talking to the real user, not a phony)

  • Integrity (clients and servers are safe from their data being changed)

  • Encryption (clients and servers talk privately without fear of eavesdropping)

  • Efficiency (an algorithm fast enough for inexpensive clients and servers to use)

  • Ubiquity (protocols are supported by virtually all clients and servers)

  • Administrative scalability (instant secure communication for anyone, anywhere)

  • Adaptability (supports the ...
