Secure hypertext transfer protocol
Secure Hypertext Transfer Protocol (S-HTTP) is a little-used alternative to the HTTPS URI scheme for encrypting web communications carried over HTTP. S-HTTP is defined in RFC 2660. It was developed by Eric Rescorla and Allan M. Schiffman.

Web browsers typically use HTTP to communicate with web servers, sending and receiving information without encrypting it. For sensitive transactions, such as Internet e-commerce or online access to financial accounts, the browser and server must encrypt this information.

HTTPS and S-HTTP were both defined in the mid-1990s to address this need. Netscape and Microsoft supported HTTPS rather than S-HTTP, leading to HTTPS becoming the de facto standard mechanism for securing web communications.

Differences with HTTPS

S-HTTP encrypts only the served page data and submitted data such as POST fields, leaving the initiation of the protocol unchanged. Because of this, S-HTTP could be used concurrently with unsecured HTTP on the same port, as the unencrypted header determines whether the rest of the transmission is encrypted.

In contrast, HTTPS wraps the entire communication within SSL, so the encryption starts before any protocol data is sent. This also means that it requires a separate port (usually 443, versus HTTP's standard 80) and unambiguous usage (most browsers treat it as a separate URI scheme, https://).

In S-HTTP, the desired URL is not transmitted in the cleartext headers, but left blank; another set of headers is present inside the encrypted payload. In HTTPS, all headers are inside the encrypted payload.
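The differences above can be seen from the first bytes a client sends. The following is an added example, not part of the original article: it classifies a connection prelude as plain HTTP, S-HTTP or SSL/TLS and reports which request details are visible in cleartext. It assumes the `Secure * Secure-HTTP/1.4` request line form from RFC 2660; the function name and all sample bytes are constructed for illustration.

```python
# Added example: what a listener or passive monitor can read at connection start.
TLS_HANDSHAKE = 0x16  # SSL 3.0 / TLS record type "handshake"

def classify_prelude(data: bytes) -> dict:
    """Classify a client's first bytes and list what is visible in cleartext."""
    # HTTPS: a handshake record precedes any HTTP data, so nothing is readable.
    if len(data) >= 3 and data[0] == TLS_HANDSHAKE and data[1] == 0x03:
        return {"kind": "tls", "url": None, "headers": {}}
    head, _, _body = data.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return {"kind": "unknown", "url": None, "headers": {}}
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if method == "Secure" and version.startswith("Secure-HTTP/"):
        # The outer Request-URI is only the placeholder "*"; the real request
        # line and headers travel inside the encrypted body.
        return {"kind": "s-http", "url": None, "headers": headers}
    if version.startswith("HTTP/"):
        # Plain HTTP: URL, headers and body are all readable on the wire.
        return {"kind": "http", "url": target, "headers": headers}
    return {"kind": "unknown", "url": None, "headers": {}}

# Constructed samples (not captured traffic).
PLAIN = b"POST /account/login HTTP/1.1\r\nHost: shop.example\r\n\r\nuser=alice"
SHTTP = (b"Secure * Secure-HTTP/1.4\r\n"
         b"Content-Type: message/http\r\n"
         b"Content-Privacy-Domain: CMS\r\n\r\n"
         b"\x30\x82\x01\x0a")  # stand-in for the encrypted payload
TLS = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01])  # start of a ClientHello record

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN), ("s-http", SHTTP), ("tls", TLS)):
        print(label, classify_prelude(sample))
```

A server sharing one port between HTTP and S-HTTP can dispatch on the cleartext request line alone, which is why S-HTTP needed no separate port, while the outer S-HTTP headers remain visible to any observer.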

The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.
 