11. HTTPS
Although it is powerful and flexible, the HTTP protocol is not suitable for use in a wide range of applications because it can be so easily monitored and replayed. For example, someone using a network monitor can easily capture passwords used to access a banking web site or replay requests that trigger financial transactions.
The Secure Sockets Layer (SSL) was designed to encrypt any TCP/IP-based network traffic and provide the following capabilities:
- Prevents eavesdropping
- Prevents tampering or replaying of messages
- Uses certificates to authenticate servers and optionally clients
The HTTPS protocol is the same text-based protocol as HTTP but is run over an encrypted SSL session. There is some additional overhead in setting up an HTTPS session, as the client and server need to create a shared secret key by using a public/private key handshake. But once the connection is set up it works exactly like HTTP and has the same capabilities, e.g. headers, cookies, caching, authentication, redirection, etc.
For more information on HTTPS and the underlying Secure Sockets Layer see RFC 2818.
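The following added example (not part of the original gallery page) sends byte-for-byte the same HTTP request over a plain TCP socket and over an encrypted session, with the server certificate checked during the handshake. It uses Python's standard `ssl` module, which negotiates TLS, the successor to SSL; the function names and the `example.com` host are assumptions made for the illustration.

```python
import socket
import ssl


def build_request(host: str, path: str = "/") -> bytes:
    """The HTTP/1.1 request text; identical for HTTP and HTTPS."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def client_context() -> ssl.SSLContext:
    """Client settings that authenticate the server by its certificate."""
    ctx = ssl.create_default_context()            # trusts the system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 / TLS 1.0 / 1.1
    # create_default_context() already enables both checks below; they are
    # spelled out because disabling either one removes server authentication.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fetch_status_line(host: str, path: str = "/", use_tls: bool = True) -> str:
    """Send the same request over plain TCP (port 80) or TLS (port 443)."""
    raw = socket.create_connection((host, 443 if use_tls else 80), timeout=10)
    # wrap_socket() performs the handshake: certificate check plus key
    # agreement. It raises ssl.SSLCertVerificationError when the certificate
    # is untrusted or does not match the requested host name.
    conn = client_context().wrap_socket(raw, server_hostname=host) if use_tls else raw
    with conn:
        conn.sendall(build_request(host, path))
        with conn.makefile("rb") as reader:
            return reader.readline().decode("iso-8859-1").strip()


if __name__ == "__main__":
    # example.com is a placeholder host (assumption); needs network access.
    for tls in (False, True):
        print("HTTPS" if tls else "HTTP ", fetch_status_line("example.com", use_tls=tls))
```

Only the transport differs between the two calls: the request bytes written to the socket are the same, which is why headers, cookies, caching and redirection behave identically once the handshake completes.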
Example 11
The button below allows you to switch between HTTP and HTTPS. You may want to switch to HTTPS and try the examples in the previous sections of the HTTP gallery again.
Current Protocol: HTTPS (encrypted)
Using HttpWatch with Example 11
HttpWatch shows the same level of detail regardless of which protocol you are using.
- Open HttpWatch by right-clicking on the web page and selecting HttpWatch from the context menu
- Click on Record to start logging requests in HttpWatch
- Click on the Switch button above to change between HTTP and HTTPS