This is the first in a series of posts about HTTP/S that will appear on this blog over the next few days. I will explain technical aspects of these protocols: how they work and how to test and validate connections, sites and certificates. I will also write about the encryption algorithms and more.
HTTP Connection
First of all, let’s analyze what a browser needs to do to display the website/application that we request.
Imagine you want to open the website http://www.google.com and you type the address in the address bar.
The browser first needs to connect to the server that hosts the site, but for that to happen it needs to know the server's IP address. It sends a query to the DNS server asking for the IP address or addresses.
In plain text it would be something like this:
    # nslookup google.com
    Server:     172.20.25.24
    Address:    172.20.25.24#53

    Non-authoritative answer:
    Name:       google.com
    Addresses:  2607:f8b0:4000:803::1005
                173.194.46.9
                173.194.46.7
                173.194.46.3
                173.194.46.14
                173.194.46.2
                173.194.46.8
                173.194.46.6
                173.194.46.4
                173.194.46.1
                173.194.46.0
                173.194.46.5
After making this query the browser selects one of the addresses and establishes a TCP connection to port 80 of the server at that IP address. I will make this connection with ncat to simulate the process:

    # ncat 173.194.46.9 80
If the TCP connection opened by the browser succeeds, the browser then asks for the application under the domain you specified in the address bar. Expressed in the HTTP protocol:

    # ncat 173.194.46.9 80
    GET / HTTP/1.1
    Host: www.google.com
The server sends its response using the HTTP protocol, as HTTP headers followed by a body. Finally, the browser extracts all this information and passes it to the rendering engine to be displayed on the screen.
    HTTP/1.1 302 Found
    Location: http://www.google.com.mx/
    Cache-Control: private
    Content-Type: text/html; charset=UTF-8
    Set-Cookie: PREF=ID=2b72ebdb0be8ed0d:FF=0:TM=1356032320:LM=1356032320:S=l-CTizrywMG3GXXR; expires=Sat, 20-Dec-2014 19:38:40 GMT; path=/; domain=.google.com
    Set-Cookie: NID=67=dqEUHeOSZsR3K6hgUCDM-VxVJaxODX-GNvyJfXJsdjSj1L2ze_47R02CVZw2cAl_kciC6unhtm8ZIzCJc48D1_iiljffmRDu3OMJ7IDV5s4z2Abp0_toCtmu1G4zBa4l; expires=Fri, 21-Jun-2013 19:38:40 GMT; path=/; domain=.google.com; HttpOnly
    P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
    Date: Thu, 20 Dec 2012 19:38:40 GMT
    Server: gws
    Content-Length: 222
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN
Because the protocol is HTTP, the contents of the requests and responses are in plain text. Once the connection between the server and the client (browser) is established, all the communication flows in the same way.
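Since everything in the response above is readable on the wire, it is worth seeing what a parser (or anyone on the network path) gets out of it. The following is an added example, not code from the original post: it splits a raw response into status line and headers and reports which cookies lack the Secure or HttpOnly attributes. The names parse_response and audit_cookies are hypothetical, and RAW is constructed for the example with placeholder cookie values.

```python
# RAW is constructed sample input modelled on the 302 response shown above;
# the cookie values are placeholders, not the values from the capture.
RAW = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://www.google.com.mx/\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Set-Cookie: PREF=ID=placeholder1; expires=Sat, 20-Dec-2014 19:38:40 GMT; "
    b"path=/; domain=.google.com\r\n"
    b"Set-Cookie: NID=67=placeholder2; expires=Fri, 21-Jun-2013 19:38:40 GMT; "
    b"path=/; domain=.google.com; HttpOnly\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_response(raw):
    """Return (status_code, reason, headers); headers is a list of (name, value)."""
    head, _, _body = raw.partition(b"\r\n\r\n")      # headers end at the blank line
    lines = head.decode("iso-8859-1").split("\r\n")
    version, code, reason = lines[0].split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        # Header names are case-insensitive; a list keeps repeated Set-Cookie lines.
        headers.append((name.strip().lower(), value.strip()))
    return int(code), reason, headers


def audit_cookies(headers):
    """Map each cookie name to the attributes it lacks among HttpOnly and Secure."""
    findings = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        pair, *attrs = [part.strip() for part in value.split(";")]
        flags = {attr.split("=", 1)[0].lower() for attr in attrs}
        missing = [flag for flag in ("httponly", "secure") if flag not in flags]
        findings[pair.split("=", 1)[0]] = missing
    return findings
```

A cookie without Secure is also sent by the browser over plain HTTP connections, so its value travels in the same readable form as the headers above.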
HTTPS Connection
With HTTPS, things are a little different. After the TCP connection and before the HTTP request there is also a negotiation between client and server, carried out with the SSL/TLS protocol. This protocol is responsible for securing the connection and the data.
Web browsers have an engine for Public Key Infrastructure, also known as PKI, which handles HTTPS connections among other encrypted connections.
We can observe the SSL negotiation with openssl and its s_client command.
Before analyzing the next URL (https://www.google.com) I will explain a few things.
When the browser detects “https” in the address bar it connects by TCP to port 443 instead of port 80 as with “http”.
The reason is that port 80 expects an HTTP request method as the first command it receives, a command such as GET / POST / TRACE / OPTIONS / HEAD / CONNECT / PUT / DELETE. By protocol, HTTPS does not send the HTTP method immediately after the TCP connection; instead it starts a handshake, called the TLS handshake, to encrypt all the data that will be sent and received over that port.
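The difference described above is visible in the very first bytes a server receives. This added example (not part of the original post) classifies those bytes as either an HTTP request line or a TLS handshake record carrying a ClientHello. The function name classify_first_bytes is hypothetical, and TLS_SAMPLE is a constructed record whose header fields are consistent but whose body is zero-filled.

```python
import struct

# Methods listed in the paragraph above.
HTTP_METHODS = (b"GET", b"POST", b"TRACE", b"OPTIONS", b"HEAD", b"CONNECT", b"PUT", b"DELETE")
TLS_HANDSHAKE = 0x16   # TLS record content type 22 (handshake)
CLIENT_HELLO = 0x01    # handshake message type 1

# Constructed samples: what a client sends first on port 80 and on port 443.
HTTP_SAMPLE = b"GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n"
TLS_SAMPLE = (
    bytes.fromhex("160301002f")     # record header: handshake, version 3.1, 47 bytes
    + bytes.fromhex("0100002b")     # handshake header: ClientHello, 43-byte body
    + bytes.fromhex("0301")         # client_version 3.1 (TLS 1.0)
    + bytes(41)                     # rest of the body, zero-filled for the example
)


def classify_first_bytes(data):
    """Return (kind, detail) for the first bytes received on a new TCP connection."""
    word = data.split(b" ", 1)[0]
    if word in HTTP_METHODS:
        request_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return "http", request_line
    if len(data) >= 11:
        ctype, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", data[:5])
        hs_type = data[5]                          # first byte of the handshake message
        hello_major, hello_minor = data[9], data[10]
        if (ctype == TLS_HANDSHAKE and rec_major == 3
                and hs_type == CLIENT_HELLO and hello_major == 3):
            detail = "record 3.%d, hello 3.%d, %d bytes" % (rec_minor, hello_minor, rec_len)
            return "tls-client-hello", detail
    return "unknown", data[:8].hex()
```

The same check is useful in monitoring: plain HTTP arriving on port 443, or a ClientHello arriving on port 80, shows up as a mismatch between the port and the first bytes.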
Let’s see what this handshake looks like:
    # openssl s_client -state -connect www.google.com:443
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2/v3 write client hello A
    SSL_connect:SSLv3 read server hello A
    depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    SSL_connect:SSLv3 read server certificate A
    SSL_connect:SSLv3 read server done A
    SSL_connect:SSLv3 write client key exchange A
    SSL_connect:SSLv3 write change cipher spec A
    SSL_connect:SSLv3 write finished A
    SSL_connect:SSLv3 flush data
    SSL_connect:SSLv3 read finished A
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
       i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
     1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
       i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIDITCCAoqgAwIBAgIQT52W2WawmStUwpV8tBV9TTANBgkqhkiG9w0BAQUFADBM
    MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg
    THRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0xMTEwMjYwMDAwMDBaFw0x
    MzA5MzAyMzU5NTlaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
    MRYwFAYDVQQHFA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKFApHb29nbGUgSW5jMRcw
    FQYDVQQDFA53d3cuZ29vZ2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
    gYEA3rcmQ6aZhc04pxUJuc8PycNVjIjujI0oJyRLKl6g2Bb6YRhLz21ggNM1QDJy
    wI8S2OVOj7my9tkVXlqGMaO6hqpryNlxjMzNJxMenUJdOPanrO/6YvMYgdQkRn8B
    d3zGKokUmbuYOR2oGfs5AER9G5RqeC1prcB6LPrQ2iASmNMCAwEAAaOB5zCB5DAM
    BgNVHRMBAf8EAjAAMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwudGhhd3Rl
    LmNvbS9UaGF3dGVTR0NDQS5jcmwwKAYDVR0lBCEwHwYIKwYBBQUHAwEGCCsGAQUF
    BwMCBglghkgBhvhCBAEwcgYIKwYBBQUHAQEEZjBkMCIGCCsGAQUFBzABhhZodHRw
    Oi8vb2NzcC50aGF3dGUuY29tMD4GCCsGAQUFBzAChjJodHRwOi8vd3d3LnRoYXd0
    ZS5jb20vcmVwb3NpdG9yeS9UaGF3dGVfU0dDX0NBLmNydDANBgkqhkiG9w0BAQUF
    AAOBgQAhrNWuyjSJWsKrUtKyNGadeqvu5nzVfsJcKLt0AMkQH0IT/GmKHiSgAgDp
    ulvKGQSy068Bsn5fFNum21K5mvMSf3yinDtvmX3qUA12IxL/92ZzKbeVCq3Yi7Le
    IOkKcGQRCMha8X2e7GmlpdWC1ycenlbN0nbVeSv3JUMcafC4+Q==
    -----END CERTIFICATE-----
    subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
    issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1772 bytes and written 307 bytes
    ---
    New, TLSv1/SSLv3, Cipher is RC4-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : RC4-SHA
        Session-ID: FF198D617DDDB8CBDB6766C191D5EE1882761F34C4F4C9C5DC9077AC2D0229D1
        Session-ID-ctx:
        Master-Key: 02AA3B39DCAB1DAAF57AC9E5C70DA305C45C20CC2615250AB9C9C8D6E02BA80E670B43247AE27F6A0E7A61F84C8ABDEF
        Key-Arg   : None
        Start Time: 1356062682
        Timeout   : 300 (sec)
        Verify return code: 20 (unable to get local issuer certificate)
    ---
After a successful handshake the port is ready for receiving HTTP commands.
    # openssl s_client -state -connect google.com:443
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2/v3 write client hello A
    SSL_connect:SSLv3 read server hello A
    depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    SSL_connect:SSLv3 read server certificate A
    SSL_connect:SSLv3 read server done A
    SSL_connect:SSLv3 write client key exchange A
    SSL_connect:SSLv3 write change cipher spec A
    SSL_connect:SSLv3 write finished A
    SSL_connect:SSLv3 flush data
    SSL_connect:SSLv3 read finished A
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
       i:/C=US/O=Google Inc/CN=Google Internet Authority
     1 s:/C=US/O=Google Inc/CN=Google Internet Authority
       i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIF/DCCBWWgAwIBAgIKUCYyawAAAAB1rzANBgkqhkiG9w0BAQUFADBGMQswCQYD
    VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu
    dGVybmV0IEF1dGhvcml0eTAeFw0xMjEyMDYwODU1MTVaFw0xMzA2MDcxOTQzMjda
    MGYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
    b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRUwEwYDVQQDFAwqLmdv
    b2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANVbVfzED5wsJwvB
    MthJd0La0SgmKm0arWCccSo/xqrBRkaFln+fU6J+exYCJSAxI/7z1bvEEqUhfhL5
    YfTleYcz1YkOPKl8G+sfmoD+gtRJEX8i7+864E2PMhMhelat+49QOgt4XpGzwFyJ
    SgMacD8/jlsIz+JR/BrE9ozTsc/tAgMBAAGjggPPMIIDyzAdBgNVHSUEFjAUBggr
    BgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFJar3XGZYEBWccT9IgbO7f1KyBPA
    MB8GA1UdIwQYMBaAFL/AMOv1QxE+Z7qekfv8atrjaxIkMFsGA1UdHwRUMFIwUKBO
    oEyGSmh0dHA6Ly93d3cuZ3N0YXRpYy5jb20vR29vZ2xlSW50ZXJuZXRBdXRob3Jp
    dHkvR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkuY3JsMGYGCCsGAQUFBwEBBFowWDBW
    BggrBgEFBQcwAoZKaHR0cDovL3d3dy5nc3RhdGljLmNvbS9Hb29nbGVJbnRlcm5l
    dEF1dGhvcml0eS9Hb29nbGVJbnRlcm5ldEF1dGhvcml0eS5jcnQwDAYDVR0TAQH/
    BAIwADCCApUGA1UdEQSCAowwggKIggwqLmdvb2dsZS5jb22CDSouYW5kcm9pZC5j
    b22CFiouYXBwZW5naW5lLmdvb2dsZS5jb22CEiouY2xvdWQuZ29vZ2xlLmNvbYIW
    Ki5nb29nbGUtYW5hbHl0aWNzLmNvbYILKi5nb29nbGUuY2GCCyouZ29vZ2xlLmNs
    gg4qLmdvb2dsZS5jby5pboIOKi5nb29nbGUuY28uanCCDiouZ29vZ2xlLmNvLnVr
    gg8qLmdvb2dsZS5jb20uYXKCDyouZ29vZ2xlLmNvbS5hdYIPKi5nb29nbGUuY29t
    LmJygg8qLmdvb2dsZS5jb20uY2+CDyouZ29vZ2xlLmNvbS5teIIPKi5nb29nbGUu
    Y29tLnRygg8qLmdvb2dsZS5jb20udm6CCyouZ29vZ2xlLmRlggsqLmdvb2dsZS5l
    c4ILKi5nb29nbGUuZnKCCyouZ29vZ2xlLmh1ggsqLmdvb2dsZS5pdIILKi5nb29n
    bGUubmyCCyouZ29vZ2xlLnBsggsqLmdvb2dsZS5wdIIPKi5nb29nbGVhcGlzLmNu
    ghQqLmdvb2dsZWNvbW1lcmNlLmNvbYINKi5nc3RhdGljLmNvbYIMKi51cmNoaW4u
    Y29tghAqLnVybC5nb29nbGUuY29tghYqLnlvdXR1YmUtbm9jb29raWUuY29tgg0q
    LnlvdXR1YmUuY29tggsqLnl0aW1nLmNvbYILYW5kcm9pZC5jb22CBGcuY2+CBmdv
    by5nbIIUZ29vZ2xlLWFuYWx5dGljcy5jb22CCmdvb2dsZS5jb22CEmdvb2dsZWNv
    bW1lcmNlLmNvbYIKdXJjaGluLmNvbYIIeW91dHUuYmWCC3lvdXR1YmUuY29tMA0G
    CSqGSIb3DQEBBQUAA4GBALzbzbHGJ/Hh2TgY+u4QEPStP8wto66SN5moJCEAvcni
    4crVEwayKhp6JprUTsiC8D3r4NPj+avoZ9UXN1axgctcuJxMWt0UcnrH71J0hWNM
    v6UdT7iXlxVh2oslpIksSw2bf0H7PUQQjFCMLVbiEMAQbXal4+SsyYB+GsPVvlR+
    -----END CERTIFICATE-----
    subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
    issuer=/C=US/O=Google Inc/CN=Google Internet Authority
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 2388 bytes and written 307 bytes
    ---
    New, TLSv1/SSLv3, Cipher is RC4-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : RC4-SHA
        Session-ID: 5D3E200EA3FEC49C57B8C00BFA2318872530483E7A024E8AB2BFFD2BF490C52A
        Session-ID-ctx:
        Master-Key: AF8100DAA07B166028F95957F4C588D2F7919CD6FC0816B28DB758C199C43CB3A1ECC91C1B54DD20EA63657EA6CC229E
        Key-Arg   : None
        Start Time: 1356134095
        Timeout   : 300 (sec)
        Verify return code: 20 (unable to get local issuer certificate)
    ---
    GET / HTTP/1.1
    Host: www.google.com

    HTTP/1.1 302 Found
    Location: https://www.google.com.mx/
    Cache-Control: private
    Content-Type: text/html; charset=UTF-8
    Set-Cookie: PREF=ID=6ca905cfb23de7b7:FF=0:TM=1356134107:LM=1356134107:S=6Bd4iW4iJ4mHJMgq; expires=Sun, 21-Dec-2014 23:55:07 GMT; path=/; domain=.google.com
    Set-Cookie: NID=67=ddmjOi-luVmCq2P-yLxz26qU0zNg81B76DoZqL2vTzdHiIvDiHs7JrsBeUszlEhji_nbLANurOajxjUgd1RgFTEjM4aRU0F5P1dapCzRwzFqL3qGnNbjq0FmEuR9tQXW; expires=Sat, 22-Jun-2013 23:55:07 GMT; path=/; domain=.google.com; HttpOnly
    P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
    Date: Fri, 21 Dec 2012 23:55:07 GMT
    Server: gws
    Content-Length: 223
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN
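Both sessions above completed the handshake and carried an HTTP request even though s_client reported verify code 20, so the summary block is worth checking rather than skimming. The following added example (not from the original post) extracts the negotiated parameters from that summary and lists what a reviewer would flag today; parse_summary and findings are hypothetical names, and SAMPLE copies the relevant summary lines from the output above.

```python
import re

# Summary lines copied from the s_client output shown above.
SAMPLE = """\
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Verify return code: 20 (unable to get local issuer certificate)
"""

PATTERNS = {
    "protocol": r"^[ \t]*Protocol[ \t]*:[ \t]*(\S+)",
    "cipher": r"^[ \t]*Cipher[ \t]*:[ \t]*(\S+)",
    "key_bits": r"^Server public key is (\d+) bit",
    "verify_code": r"^[ \t]*Verify return code:[ \t]*(\d+)",
}


def parse_summary(text):
    """Extract protocol, cipher, key size and verify code; missing fields are None."""
    out = {}
    for key, pattern in PATTERNS.items():
        match = re.search(pattern, text, re.MULTILINE)
        out[key] = match.group(1) if match else None
    for key in ("key_bits", "verify_code"):
        if out[key] is not None:
            out[key] = int(out[key])
    return out


def findings(summary):
    """Return the list of issues for one parsed summary (a missing field fails closed)."""
    issues = []
    if summary["verify_code"] != 0:
        # s_client keeps going after a verify error; code 20 means no trusted issuer was found locally.
        issues.append("certificate chain not verified (code %s)" % summary["verify_code"])
    if summary["cipher"] is None or "RC4" in summary["cipher"]:
        issues.append("RC4 cipher suite (prohibited in TLS by RFC 7465)")
    if summary["key_bits"] is None or summary["key_bits"] < 2048:
        issues.append("server public key under 2048 bits")
    if summary["protocol"] not in ("TLSv1.2", "TLSv1.3"):
        issues.append("protocol older than TLS 1.2 (deprecated by RFC 8996)")
    return issues
```

The capture dates from 2012, when these parameters were common; the same check run against a current server should return an empty list.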
In the next post I will explain technical details about the TLS handshake and how the validation of the certificates works.