On the Internet billions of electrons pass along thousands of miles of cable every day to and from destinations around the world and beyond.
These electrons carry written messages, visual images, and sound between millions of computers connected to the World Wide Web.
Many of the transmissions contain vital and confidential information that can be used for mischief and fraud by hackers if they gain access to
them—and many do. How can they still get in, with so much technological progress in firewalls and intrusion detection software?
The answer is two numbers: TCP ports 80 and 443, which carry HyperText Transfer Protocol (HTTP) and HTTP over SSL (HTTPS), respectively.
Protocols of the Web
The World Wide Web is an array of protocols that act like traffic cops for the Internet. Packets can be thought of as cars, trucks, and buses on
the information superhighway with protocols being stop signs, traffic lights, and drawbridges. So, by their very definition,
protocols play a crucial role in managing the day-to-day activities on the Internet.
As a result, they are especially important to hackers who want to take advantage of their flaws (and sometimes their features).
In this chapter we discuss the major protocols of e-commerce and how hackers attempt to alter them for their own gain.
We also describe a number of free tools that take advantage of these protocols, automating much of the heavy lifting.
HTTP
Without a doubt, HTTP is the most ubiquitous protocol in use on the Internet.
Every Web browser and server must communicate over this protocol in order to exchange information.
There have been three major versions of the protocol, all of which maintained the same fundamental structure.
HTTP is a request/response stateless protocol that allows computers to talk to each other rather efficiently and carry on conversations
lasting hours, days, and weeks at a time.
Although the HTTP/1.0 specification currently in use is a far cry from the original specification proposed by Tim Berners-Lee in March 1990,
the fundamental features of HTTP haven't changed all that much.
HTTP Request
http://host [ ":" port ] [ absolute_path ]
Here host is the hostname being contacted, port is an optional port number, and absolute_path is the path of the resource being requested.
HTTP Response
An HTTP request from a client is handled by the server and responded to accordingly. To respond, the server sends back a series of message
components that can be categorized as follows:
· Response code—a numeric code that corresponds to an associated response.
· Header fields—additional information about the response.
· Data—the content or body of the response.
With these three components, the client browser understands the server's response and interacts with the server.
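To make the two pieces of structure above concrete, here is a small parser, added as an example (not code from the original text), that splits a URL according to the host/port/absolute_path grammar and splits a raw HTTP/1.0 response into its response code, header fields and body. The sample response and all names are constructed for the example; it also rejects the two malformed cases a defender most often meets, an unterminated header block and a body shorter than its Content-Length.

```python
import re

# Grammar given in the text: http://host [":" port] [absolute_path]
URL_RE = re.compile(r"^http://(?P<host>[^/:]+)(?::(?P<port>\d+))?(?P<path>/.*)?$")

def parse_http_url(url):
    """Return (host, port, absolute_path); port defaults to 80 and path to "/"."""
    m = URL_RE.match(url)
    if not m:
        raise ValueError(f"not an http:// URL: {url!r}")
    port = int(m.group("port") or 80)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return m.group("host"), port, m.group("path") or "/"

def parse_http_response(raw):
    """Split a raw response into its three parts: response code (with version and
    reason phrase), header fields (names lower-cased) and body data.
    Rejects an unterminated header block or a body shorter than Content-Length."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: header block not terminated")
    status_line, *header_lines = head.split(b"\r\n")
    parts = status_line.decode("ascii").split(" ", 2)
    if len(parts) < 2 or not re.fullmatch(r"\d{3}", parts[1]):
        raise ValueError(f"malformed status line: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        key = name.strip().lower()
        # a repeated header name is merged into one comma-separated value
        headers[key] = f"{headers[key]}, {value.strip()}" if key in headers else value.strip()
    if "content-length" in headers:
        length = int(headers["content-length"])
        if len(body) < length:
            raise ValueError(f"truncated body: got {len(body)} of {length} bytes")
        body = body[:length]
    return {"version": parts[0], "status": int(parts[1]),
            "reason": parts[2] if len(parts) == 3 else "",
            "headers": headers, "body": body}

# Constructed sample response used for a quick self-check; not captured from a real server.
SAMPLE_RESPONSE = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n"
                   b"Content-Length: 28\r\n\r\n<html><body>hi</body></html>")
```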
HTTPS (Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a Web protocol developed by Netscape and built into its browser that encrypts and decrypts user page requests as well as the pages that are returned by the Web server. HTTPS is really just the use of Netscape's Secure Socket Layer (SSL) as a sublayer under its regular HTTP application layering. (HTTPS uses port 443 instead of HTTP port 80 in its interactions with the lower layer, TCP/IP.) SSL uses a 40-bit key size for the RC4 stream encryption algorithm, which is considered an adequate degree of encryption for commercial exchange.
Although the traffic may be encrypted, that does not mean it is safe; there are tools that can decrypt information sent over the wire, although doing so is more difficult.