HTTP Communication Process

The figure below shows the HTTP-based information exchange process in a client-server model. The process consists of four steps: establishing a connection, sending a request, sending a response, and closing the connection.

[Figure: HTTP communication process]

  1. An HTTP client initiates a connection request to an HTTP server.
  2. After the connection is established, the HTTP client sends a request message to the HTTP server.
  3. After receiving the request message, the HTTP server sends a response message to the HTTP client.
  4. After receiving the response message, the HTTP client sends a request for closing the connection.
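The four steps above, carried out on a real socket. This is an added example, not part of the original article or of any vendor's code: it starts a throwaway HTTP server on a loopback port, then has a client perform the connect / request / response / close sequence by hand and keeps the raw response bytes so the reader can see that everything crosses the wire as readable text. The `/hello` path and the `hello <path>` handler body are constructed for the demonstration.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"net"
	"net/http"
)

// exchange records one HTTP/1.1 round trip as seen by the client.
type exchange struct {
	Status  int
	Body    string
	RawResp string // the response bytes exactly as they crossed the socket
}

// startServer runs a minimal HTTP server on a random loopback port and returns its
// address plus a function that shuts it down. The handler body is constructed for
// this example.
func startServer() (addr string, stop func(), err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", nil, err
	}
	srv := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s", r.URL.Path)
	})}
	go srv.Serve(ln)
	return ln.Addr().String(), func() { srv.Close() }, nil
}

// plainExchange performs the four steps from the text against addr:
//  1. connect, 2. send the request message, 3. read the response message,
//  4. close the connection (Connection: close tells the server to close its end too).
func plainExchange(addr, path string) (*exchange, error) {
	conn, err := net.Dial("tcp", addr) // step 1: connection request to the server
	if err != nil {
		return nil, err
	}
	defer conn.Close() // step 4: the client releases the connection when done

	// step 2: a hand-written request line and headers, terminated by an empty line
	req := "GET " + path + " HTTP/1.1\r\nHost: " + addr + "\r\nConnection: close\r\n\r\n"
	if _, err := io.WriteString(conn, req); err != nil {
		return nil, err
	}

	// step 3: read until the server closes; everything arrives as clear text
	raw, err := io.ReadAll(conn)
	if err != nil {
		return nil, err
	}
	resp, err := http.ReadResponse(bufio.NewReader(bytes.NewReader(raw)), nil)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	return &exchange{Status: resp.StatusCode, Body: string(body), RawResp: string(raw)}, nil
}

func main() {
	addr, stop, err := startServer()
	if err != nil {
		panic(err)
	}
	defer stop()
	ex, err := plainExchange(addr, "/hello")
	if err != nil {
		panic(err)
	}
	fmt.Printf("status %d, body %q\n--- on the wire ---\n%s", ex.Status, ex.Body, ex.RawResp)
}
```

The `RawResp` field is the point of the exercise: anything on the network path between client and server sees the same bytes the client parses, which is the exposure the next section addresses with SSL.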

HTTP Using SSL

HTTP has no security mechanism of its own: it transmits data in clear text and authenticates neither communication party, so data sent over it can be read and tampered with in transit. The SSL protocol provides data encryption, identity authentication, and message integrity checks to secure TCP-based application layer protocols. HTTPS uses SSL to secure HTTP and can be understood simply as HTTP plus SSL. The URL of a secure connection starts with https:// instead of http://.

When SSL is used for data transmission, the HTTP client connects to the appropriate port of the HTTP server and sends a ClientHello message to start the SSL handshake. After the SSL handshake completes, the HTTP client sends its first HTTP request. All HTTP data must be sent as SSL application data.
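The same sequence with the handshake in front of it, as an added example (not code from the original article). `tls.Dial` sends the ClientHello and returns only once the handshake has finished, so the HTTP request that follows is carried as TLS application data. The server is Go's `httptest.NewTLSServer`, whose built-in certificate is issued for `example.com` and the loopback addresses; the `/data` path and `secret-payload` response body are constructed. The `trustServer` flag shows the check that makes HTTPS more than encryption: with an empty trusted-CA pool the handshake is refused rather than completed against an unauthenticated peer.

```go
package main

import (
	"bufio"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// tlsResult captures what the client learned from the handshake and the HTTP exchange.
type tlsResult struct {
	HandshakeDone bool
	TLSVersion    uint16 // e.g. tls.VersionTLS13
	PeerSubject   string // subject of the certificate the server presented
	Status        int
	Body          string
}

// httpsExchange connects to a local HTTPS test server. trustServer controls whether the
// server's certificate is placed in the client's trusted-CA pool; without it the
// handshake must fail instead of silently talking to an unauthenticated peer.
func httpsExchange(trustServer bool) (*tlsResult, error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "secret-payload") // constructed response body
	}))
	defer srv.Close()

	roots := x509.NewCertPool() // empty pool: trust nothing unless the server cert is added
	if trustServer {
		roots.AddCert(srv.Certificate())
	}
	// The ClientHello goes out here; Dial returns after the handshake completed or failed.
	// ServerName is the identity the presented certificate is checked against.
	conn, err := tls.Dial("tcp", srv.Listener.Addr().String(), &tls.Config{
		RootCAs:    roots,
		ServerName: "example.com", // httptest's built-in certificate carries this name
	})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	st := conn.ConnectionState()

	// Only now does HTTP start; the request travels as TLS application data.
	req, err := http.NewRequest("GET", "https://example.com/data", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Connection", "close")
	if err := req.Write(conn); err != nil {
		return nil, err
	}
	resp, err := http.ReadResponse(bufio.NewReader(conn), req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	return &tlsResult{
		HandshakeDone: st.HandshakeComplete,
		TLSVersion:    st.Version,
		PeerSubject:   st.PeerCertificates[0].Subject.String(),
		Status:        resp.StatusCode,
		Body:          string(body),
	}, nil
}

func main() {
	for _, trust := range []bool{true, false} {
		res, err := httpsExchange(trust)
		fmt.Printf("trust=%v result=%+v err=%v\n", trust, res, err)
	}
}
```

Run it and the second iteration fails at `tls.Dial` with an unknown-authority error: no HTTP request is ever sent. That is the behaviour to preserve in real clients; disabling verification to "make it work" hands the connection to whoever answers on that port.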

Certificates are required for HTTPS connections. Before applying for a certificate, you need to understand the following concepts:

Digital certificate

A digital certificate is issued by a certificate authority (CA) to certify the ownership of a public key by the named subject of the certificate. (A certificate applicant becomes the certificate subject after obtaining the certificate.) A digital certificate includes the subject name, public key, digital signature of the CA, and the certificate's validity period; it authenticates both communication parties for more reliable communication.

The device supports certificates in PEM, ASN1, and PFX formats. Certificates have the same content regardless of format.

  • The PEM (.pem) digital certificate is common. It is used for text transmission between systems.
  • The ASN1 (.der) format is a universal digital certificate format. It is the default format for most browsers.
  • The PFX (.pfx) format is a universal digital certificate format. It is a binary format that can be converted into PEM or ASN1 format.

CA

A CA is an entity that issues, manages, and revokes digital certificates. It validates the identities of certificate holders, issues digital certificates (that is, signs them so that they cannot be forged or tampered with undetected), and manages certificates and cryptographic keys. A globally trusted CA is called a root CA; it can authorize other CAs as subordinate CAs. The CA's identity is described in a trusted CA file.

For example, CA1 functions as the root CA and issues a certificate for CA2. CA2 then issues a certificate for CA3 and so on, until CAn issues the final server certificate.

If CA3 issues the server certificate, then authentication on the client starts from server certificate authentication. The CA3 certificate is used to authenticate the server certificate. If authentication succeeds, the CA2 certificate is used to authenticate the CA3 certificate. Finally, the CA1 certificate is used to authenticate the CA2 certificate. Server certificate authentication succeeds only when the CA2 certificate has been authenticated by the CA1 certificate.

Certificate revocation list (CRL)

A CRL is a list of digital certificates that have been revoked by the issuing CA before their scheduled expiration date and should no longer be trusted.

When a CA revokes a digital certificate, its attestation of the subject's key pair is withdrawn before the certificate's expiration date. Once a certificate listed in a CRL has expired, its entry is removed to keep the CRL short.
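The chain walk from the CA section (CA1 issues CA2, CA2 issues CA3, CA3 issues the server certificate) and the CRL check from this section, built end to end with Go's standard `crypto/x509`. This is an added example and not the article's or any device vendor's code; the CA names follow the text, while the key type (ECDSA P-256), serial numbers, validity periods and the host name `www.example.test` are constructed. The trusted pool stands in for the trusted CA file: verification succeeds only when the walk ends at CA1, and removing CA2 from what the server presents breaks it. The CRL is signed by CA3 and its signature is checked before any serial number is believed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issued pairs a certificate with the private key behind its public key.
type issued struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// mustIssue creates a certificate for subject, signed by parent (self-signed when parent
// is nil). Subject names and serial numbers are constructed for this example.
func mustIssue(subject string, serial int64, isCA bool, parent *issued) *issued {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // validity period
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign // CAs sign certs and CRLs
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{subject} // the host name a client will check against
	}
	parentCert, signer := tmpl, key // a root CA signs its own certificate
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &issued{cert, key}
}

// buildChain mirrors the text: CA1 (root) issues CA2, CA2 issues CA3, CA3 issues the server cert.
func buildChain() (ca1, ca2, ca3, server *issued) {
	ca1 = mustIssue("CA1", 1, true, nil)
	ca2 = mustIssue("CA2", 2, true, ca1)
	ca3 = mustIssue("CA3", 3, true, ca2)
	return ca1, ca2, ca3, mustIssue("www.example.test", 4, false, ca3)
}

// pool collects certificates into a trust pool. An empty pool trusts nothing, whereas a
// nil Roots would silently fall back to the operating system's trust store.
func pool(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// verifyServer is the client-side walk: server cert against CA3, CA3 against CA2, CA2 against
// CA1. trusted plays the trusted-CA file; intermediates are the CA certificates the server
// presents with its own. A missing or wrongly signed link anywhere fails the whole walk.
func verifyServer(server *x509.Certificate, trusted, intermediates *x509.CertPool) error {
	_, err := server.Verify(x509.VerifyOptions{
		DNSName:       "www.example.test", // the name the client intended to reach
		Roots:         trusted,
		Intermediates: intermediates,
	})
	return err
}

// issueCRL has ca publish a signed CRL listing the serial numbers it has revoked.
func issueCRL(ca *issued, revoked ...*x509.Certificate) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Minute),
		NextUpdate: time.Now().Add(24 * time.Hour),
	}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca.cert, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// isRevoked first checks the CRL signature against the CA that issued the certificate (an
// unsigned or forged CRL must not be believed), then looks the serial number up in it.
func isRevoked(crl *x509.RevocationList, issuer, cert *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	ca1, ca2, ca3, server := buildChain()
	fmt.Println("full chain:", verifyServer(server.cert, pool(ca1.cert), pool(ca2.cert, ca3.cert)))
	fmt.Println("CA2 missing:", verifyServer(server.cert, pool(ca1.cert), pool(ca3.cert)))
	crl, err := issueCRL(ca3, server.cert)
	if err != nil {
		panic(err)
	}
	fmt.Println(isRevoked(crl, ca3.cert, server.cert))
}
```

Two design points worth noting. `verifyServer` checks the host name as well as the signatures, because a chain that ends at a trusted root still proves nothing unless the leaf is for the host the client meant to reach. And `isRevoked` verifies the CRL against the issuing CA before consulting it; a CRL whose signature does not check out is treated as an error, not as "nothing revoked".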

More articles by Shyam yadav