HTTPS and SHTTP

kpra

Hi,

The Comptia Security+ talks about SHTTP and HTTPS.
In which one is for communication encryption and the other for data encryption.

Then why use HTTPS?rather can use SHTTP for data encryption?

What is the clear difference between these two??

Can anyone explain this?

Thanks.

paul78

HTTPS encrypts the communications layer. Think of it as HTTP running over SSL. SSL is a communications encrytion protocol. Because SSL encrypts communications you can use other application protocols with it such as ftp or smtp. SHTTP which isnt really used anymore encrypts only the data in the HTTPmessage. So with SHTTP, you will see the HTTP transactions unencrypted. Hope that makes sense.

quinnyfly

SHTTP (Secure Hypertext Transfer Protocol) - Application layer encryption protocol
SSL (Secure Sockets layer) - Session layer encryption protocol

HTTP is an application layer protocol and primarily uses port 80, SSL is a session layer protocol and uses port 443.

SHTTP uses symmetric key encryption and only encrypts the message, it is inferior to HTTPS or SSL over HTTP.

I am pretty sure that was about all I needed to know for many of my exams about HTTPS and SSL with regard to their differences.

Darril

Something else to consider related to Security+ is that SHTTP is not in the objectives for the current exam. In the previous version (SY0-201) you needed to understand HTTP vs HTTPS vs SHTTP. However, for the SY0-301 exam, SHTTP is not listed except as an acronym but HTTPS is listed in a few places.

paul78

quinnyfly wrote: »

SHTTP uses symmetric key encryption and only encrypts the message, it is inferior to HTTPS or SSL over HTTP.

I am pretty sure that was about all I needed to know for many of my exams about HTTPS and SSL with regard to their differences.

I can't comment on what is on the exam since I am not familiar with it. But glad to hear that they don't ask about SHTTP which is not used anymore

One clarification. SSL uses symmetric keys as well. The protocol uses an asymmetric encryption algorithm like RSA to first encrypt a random symmetric key to exchange. Then the symmetric key is what's used to encrypt the data using a symmetric algorithm like AES. The reason is that symmetric algorithms are much faster for procssing larger amounts of data.

quinnyfly

paul78 wrote: »

I can't comment on what is on the exam since I am not familiar with it. But glad to hear that they don't ask about SHTTP which is not used anymore

One clarification. SSL uses symmetric keys as well. The protocol uses an asymmetric encryption algorithm like RSA to first encrypt a random symmetric key to exchange. Then the symmetric key is what's used to encrypt the data using a symmetric algorithm like AES. The reason is that symmetric algorithms are much faster for procssing larger amounts of data.

Very good explaination of key exchange with SSL.

kpra

Thanks all for the replies.

joebanny

Here is my take on this in a layman's language: HTTPS (which is SSL over HTTP) secures the entire communicatin channel between 2 communicating systems while S-HTTP attempts to provide security by securing individual transactions between 2 systems but not the entire channel. So HTTPS provides better security. I hope it is layman enough!