World Library  
Flag as Inappropriate
Email this Article

Secure Hypertext Transfer Protocol

Article Id: WHEBN0003418152
Reproduction Date:

Title: Secure Hypertext Transfer Protocol  
Author: World Heritage Encyclopedia
Language: English
Subject: Hypertext Transfer Protocol, HTTPS, Distributed Social Networking Protocol, File URI scheme, Content reference identifier
Collection: Cryptographic Protocols, Hypertext Transfer Protocol
Publisher: World Heritage Encyclopedia

Secure Hypertext Transfer Protocol

Secure Hypertext Transfer Protocol (S-HTTP) is a little-used alternative to the HTTPS protocol for encrypting web communications carried over HTTP. It was developed by Eric Rescorla and Allan M. Schiffman, and published in 1999 as RFC 2660.

Web browsers typically use HTTP to communicate with web servers, sending and receiving information without encrypting it. For sensitive transactions, such as Internet e-commerce or online access to financial accounts, the browser and server must encrypt this information. HTTPS and S-HTTP were both defined in the mid-1990s to address this need. S-HTTP was used by Spyglass's web server,[1] while Netscape and Microsoft supported HTTPS rather than S-HTTP, leading to HTTPS becoming the de facto standard mechanism for securing web communications.

Differences from HTTPS

S-HTTP encrypts only the served page data and submitted data like POST fields, leaving the initiation of the protocol unchanged. Because of this, S-HTTP could be used concurrently with HTTP (unsecured) on the same port, as the unencrypted header would determine whether the rest of the transmission is encrypted.

In contrast, HTTPS wraps the entire communication within SSL, so the encryption starts before any protocol data is sent. This creates a "chicken and egg" issue with determining which DNS name was intended for the request, which means that implementations without Server Name Indication support require a separate IP per DNS name, and all implementations require a separate port (usually 443 vs. HTTP's standard 80)[2] for unambiguous use of encryption (treated in most browsers as a separate URI protocol, https://'').

In S-HTTP, the desired URL isn't transmitted in the cleartext headers, but left blank; another set of headers is present inside the encrypted payload. In HTTPS, all headers are inside the encrypted payload, and the HTTPS server application does not generally have the opportunity to gracefully recover from TLS fatal errors (including 'client certificate is untrusted' and 'client certificate is expired').


  1. ^ Booker, Ellis (27 March 1995). "Web servers move in different directions". Computerworld. 
  2. ^ Overview of S-HTTP
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.

Copyright © World Library Foundation. All rights reserved. eBooks from Project Gutenberg are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.