12

I want to communicate from an embedded device that only has SSL for encryption with an intranet-server that can receive HTTPS.

Will SSL encrypted HTTP string be interpreted as HTTPS? or is there more to HTTPS than just sending a HTTP string over SSL?

Rafael Emshoff
  • 313
  • 2
  • 10
  • 2
    You can't just "encrypt" a string using SSL and pass it to any webserver's SSL port at-is. SSL is a protocol that involves active handshaking between the sender and receiver, so you have to use an SSL client to talk to an SSL server. – Johnny Jul 31 '15 at 01:49

2 Answers2

24

HTTPS is HTTP over SSL. SSL first connects to the host, so the host name and port number are transferred as clear text. When the host responds and the challenge succeeds, your client will encrypt the HTTP request. This is said, and by putting in mind how the communication between layers in the OSI model occurs:

enter image description here

As SSL acts in the Session layer (5) and HTTP on the Application layer (7), SSL encrypts HTTP request (including the HTTP headers themselves), and since the HTTP request format (simplified) looks like follows:

enter image description here

You can conclude that you are referring to the same notion expressed differently.

Community
  • 1
  • 5
    I really wanted to upvote you - except for the OSI model part. SSL is definitely NOT on OSI layer 5, since SSL has nothing to do with the OSI model, it lives in TCP/IP. OSI model is irrelevant ;-) – AviD Jul 30 '15 at 11:44
  • 1
    @AviD it acts on the fifth layer of the OSI model like TLS too :) –  Jul 30 '15 at 11:46
  • 1
    `In the Internet Protocol Suite, TLS and SSL encrypt the data of network connections in the application layer. In OSI model equivalences, TLS/SSL is initialized at layer 5 (session layer) and works at layer 6 (the presentation layer).` https://en.wikipedia.org/wiki/Transport_Layer_Security – Scott Jul 30 '15 at 12:56
  • 1
    @begueradj That's a great picture of OSI. Can you site where it came from, or the article associated with it? I'm interested in reading the article if there is one. – dylan7 Jul 30 '15 at 19:17
  • begueradj, SSL doesn't act on ANY layer of the OSI model, and neither does TLS - **because they do not use the OSI model**. Despite the misleading comment from Wikipedia that @Scott posted. – AviD Jul 31 '15 at 09:45
  • http://security.stackexchange.com/questions/19681/where-does-ssl-encryption-take-place @AviD –  Jul 31 '15 at 09:51
  • `It has been pointed out (see comments) that the OSI model is an over-generalisation and does not fit very well here. This is true. However, the use of this model is to demonstrate that SSL sits "somewhere" in between TCP and HTTP. It is not strictly accurate, and is a vague abstraction of reality.` – AviD Jul 31 '15 at 09:52
  • @AviD yes on that you are right. And OSI layers are just a theoretical description to help understanding how Internet *works* as you know. –  Jul 31 '15 at 09:55
  • 2
    @begueradj I absolutely agree with you on that, except that usually it doesn't *help* but hinders. That's why I said your first 3 sentences are great, the rest is misleading and confusing (besides being technically wrong...) – AviD Jul 31 '15 at 09:57
  • @AviD I will be honored if you correct anything that could be vague or misleading. Kind regards –  Jul 31 '15 at 10:01
  • Why do you have a `Date:` and a `From:` header in a http request? – Hagen von Eitzen Jul 31 '15 at 12:34
10

HTTPS is just HTTP going over SSL - the HTTPS just signifies to the browser (or other network stack) that the HTTP protocol needs to be tunneled over an SSL channel. There is nothing else "special" about HTTPS...

Well, except the CONNECT method.
To be specific, the CONNECT method is not anything special in HTTPS, it is part of the HTTP spec. This method supports tunneling an SSL channel through an HTTP proxy. Without it, there would be no way to initiate a secure channel between the browser and the webserver, without the proxy being able to view and tamper with the connection. CONNECT enables the SSL handshake via the proxy.

But, if you are not using a proxy between your device and the server, then there should be no practical difference.

AviD
  • 72,708
  • 22
  • 137
  • 218
  • Maybe add that HTTPS usually runs on port 443? – inf Jul 30 '15 at 12:50
  • The CONNECT method isn't even part of HTTPS, it's part of HTTP proxying. – user253751 Jul 31 '15 at 06:25
  • @immibis yes, that is what I meant when I said "the CONNECT method is not anything special in HTTPS, it is part of the HTTP spec." Did I miss anything there? – AviD Jul 31 '15 at 09:32