HTTP and Security

Rescorla and Schiffman (1994) provide the rationale for security products related to the World Wide Web:

The ease of use of the Web has prompted widespread interest in its employment as a client/server architecture for many applications. Many such applications require the client and server to be able to authenticate each other and exchange sensitive information confidentially. Current HTTP implementations have only modest support for the cryptographic mechanisms appropriate for such transactions.

There are at least two competing security schemes for the World Wide Web (Wilder 1995):

Secure HTTP
Secure HTTP is used by Spry, Spyglass, Open Market, and CommerceNet. It provides encryption/decryption and user authentication. Secure HTTP operates at the application layer and thus provides security for World Wide Web services only. The advantage of Secure HTTP is that it is compatible with several different browsers. A draft description of Secure HTTP is available (Rescorla and Schiffman 1994), as well as a demonstration (EIT 1995).
Secure Sockets Layer (SSL)
Secure Sockets Layer (SSL) is Netscape's security protocol. It provides encryption/decryption services at the socket level and is thus usable for all Internet services. However, as of March 1995 only the Netscape Navigator was actually using SSL to provide security.

Secure HTTP, provided by EIT, has a particularly rich set of security measures (Rescorla and Schiffman 1994):

Secure HTTP (S-HTTP) provides secure communication mechanisms between an HTTP client-server pair in order to enable spontaneous commercial transactions for a wide range of applications. Our design intent is to provide a flexible protocol that supports multiple orthogonal operation modes, key management mechanisms, trust models, cryptographic algorithms and encapsulation formats through option negotiation between parties for each transaction. ...
Secure HTTP supports a variety of security mechanisms to HTTP clients and servers, providing the security service options appropriate to the wide range of potential end uses possible for the World-Wide Web. The protocol provides symmetric capabilities to both client and server (in that equal treatment is given to both requests and replies, as well as for the preferences of both parties) while preserving the transaction model and implementation characteristics of the current HTTP.

Netscape has made SSL freely available and is encouraging its implementation in other products. According to Netscape (Netscape 1995):

The Netscape Navigator supports a new URL access method, "https", for connecting to HTTP servers using SSL. SSL is designed to layer beneath application protocols such as HTTP, SMTP, Telnet, FTP, Gopher, and NNTP. SSL is layered above the connection protocol TCP/IP.
"https" is a unique protocol that is simply SSL underneath HTTP. You need to use "https://" for HTTP URLs with SSL, whereas you continue to use "http://" for HTTP URLs without SSL. The default "https" port number is 443, as assigned by the Internet Assigned Numbers Authority.
More information about SSL is available from Netscape (Netscape 1995).

As with all things related to the World Wide Web, security is in a state of flux. What actually emerges as the de jure standard may be either or neither of these, or some combination of their features, such as encryption/decryption at the socket level and user authentication at the application level.

A brief discussion of security concerns related to HTTP may be found in (CERN 1995).