http & smtp

Upload: ayman-farhat

Post on 10-Apr-2018

  • 8/8/2019 HTTP & SMTP

    1/23

    HTTP & SMTP

    HTTP: HYPERTEXT TRANSFER PROTOCOL

    Is an Application Layer protocol for distributed, collaborative, and hypermedia information systems.

    Follows the request-response model typical of client-server computing.

    The web browser (e.g. IE, FF) acts as the client, while an application running on the host computer acts as the server (e.g. IIS and Apache).

    The client (user agent) submits HTTP requests. The responding server (origin server) responds to the requests accordingly.

    Between the User Agent and Origin Server we have many intermediaries such as proxies, gateways, and tunnels.

    ILLUSTRATION

    DEPENDENCY, CONSTRAINTS, IMPLEMENTATION

    HTTP is not constrained in principle to be built on top of TCP/IP.

    HTTP can be built on top of any protocol on the Internet or other networks.

    HTTP presumes a reliable transport; any protocol that provides such guarantees can be used.

    Resources to be accessed are identified by URIs and URLs using a certain URI scheme, e.g. HTTP or HTTPS.

    HISTORY & SITUATION

    Its use for retrieving inter-linked resources, called hypertext documents (HTML Web Pages), led to the establishment of the World Wide Web in 1990.

    The original version, designated HTTP/1.0, was revised in HTTP/1.1.

    HTTP/1.0: Separate connection to the same server for every document.

    HTTP/1.1: Can reuse the same connection to download more than one file or resource for the page just served, making it much more efficient and faster.

    Standards development of HTTP has been coordinated by the World Wide Web Consortium and the Internet Engineering Task Force (IETF).

    HTTP/1.1 has been the standard since June 1999 and remains so today.

    THE HTTP SESSION

    Sequence of Network Response Transactions.

    The HTTP client establishes a TCP connection to a port on the host (e.g. port 80). The HTTP server, working on a certain port, waits for a request. Upon receiving a request, the server sends back to the client:

    1. Status Line, e.g. HTTP/1.1 200 OK

    2. Message of its own.

    3. Body of requested resource.

    4. Error message and some other information.

    THE REQUEST MESSAGE

    Consists of the following:

    Request Line, e.g. GET /images/logo.png HTTP/1.1

    Headers, e.g. Accept-Language: en

    An Empty Line

    Optional Message Body

    Note: Request Line and Headers must each end with CRLF (carriage return, line feed); an empty line contains CRLF only.
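
    Added example, not part of the original slides: a strict parser for the request message layout above that rejects bare CR or LF line endings, folded header lines and repeated Host or Content-Length headers instead of repairing them, because parsers that disagree about where a line ends see different requests. The function and class names are this example's own; the Host value is a constructed placeholder.

```python
import re

TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # RFC 7230 "token" characters
SINGLETONS = {"host", "content-length"}  # repeating these makes routing or framing ambiguous

class BadRequest(ValueError):
    """The request head breaks the framing rules: reject it, do not repair it."""

def parse_request(raw: bytes):
    """Return (method, target, version, headers, body) or raise BadRequest."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("headers are not terminated by an empty CRLF line")
    lines = head.split(b"\r\n")
    # After splitting on CRLF, any CR or LF left over is a bare line ending.
    if any(b"\r" in line or b"\n" in line for line in lines):
        raise BadRequest("bare CR or LF in request head")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise BadRequest("request line must be METHOD SP target SP version")
    method, target, version = parts
    if not TOKEN.fullmatch(method) or not target:
        raise BadRequest("malformed method or empty target")
    if version not in (b"HTTP/1.0", b"HTTP/1.1"):
        raise BadRequest("unsupported version")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # Also rejects "Name : value" and folded continuation lines,
        # because space and tab are not token characters.
        if not colon or not TOKEN.fullmatch(name):
            raise BadRequest("malformed header line")
        key = name.decode("ascii").lower()
        text = value.strip(b" \t").decode("latin-1")
        if key in headers:
            if key in SINGLETONS:
                raise BadRequest("repeated " + key)
            text = headers[key] + ", " + text
        headers[key] = text
    return (method.decode("ascii"), target.decode("latin-1"),
            version.decode("ascii"), headers, body)

# Constructed sample built from the request line and header shown on the slide.
SAMPLE = (b"GET /images/logo.png HTTP/1.1\r\n"
          b"Host: www.example.com\r\n"
          b"Accept-Language: en\r\n\r\n")

if __name__ == "__main__":
    print(parse_request(SAMPLE))
```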

    THE REQUEST METHODS

    HTTP defines 8 methods (verbs) indicating the desired action to be performed on the identified resource. The resource can correspond to a file or an executable on the server.

    HEAD: Asks for a response, but without the response body. This is useful for retrieving meta-information written in response headers, without having to transport the entire content.

    GET: Requests a representation of the specified resource.

    POST: Submits data to be processed (e.g., from an HTML form) to the identified resource. Data is included in the body of the request. Results in the creation of a new resource or an update of existing resources or both.

    THE REQUEST METHODS (CONTINUED)

    PUT: Uploads a representation of the specified resource.

    DELETE: Deletes the specified resource.

    TRACE: Echoes back the received request, so that a client can see what intermediate servers are adding or changing in the request.

    OPTIONS: Returns the HTTP methods that the server supports for the specified URL (used to check the functionality of the web server).

    CONNECT: Converts the request connection to a transparent TCP/IP tunnel (to facilitate SSL-encrypted communication (HTTPS) through an unencrypted HTTP proxy).

    PATCH: Is used to apply partial modifications to a resource.

    Remark: HTTP servers are required to implement at least the GET and HEAD methods.

    SAFE VS. UNSAFE METHODS

    Safe Methods: They are intended only for information retrieval and should not change the state of the server, i.e. they should not have side effects on the server beyond logging, caching and incrementing web counters. Examples: HEAD, GET, OPTIONS and TRACE.

    Unsafe Methods: Are intended for actions which may cause side effects (non-trivial changes on the server) either on the server, or external side effects such as financial transactions or transmission of email. Such methods are therefore not usually used by web robots, which tend to make requests without regard to context or consequences. Examples: POST, PUT and DELETE.

    HTTP STATUS CODES

    The first line of the HTTP response is called the status line and includes a numeric status code (such as "404") and a textual reason phrase (such as "Not Found").

    The way the user agent handles the response depends primarily on the code and secondarily on the response headers.

    If the user agent encounters a code it does not recognize, it can use the first digit of the code to determine the general class of the response, as each response code belongs to a class.

    HTTP STATUS CODES (CONTINUED)

    HTTP SESSION STATE

    HTTP is a stateless protocol.

    An advantage is that hosts do not need to retain information about users between requests.

    For example, when a host needs to customize the content of a website for a user, the web application must be written to track the user's progress from page to page. A common method for solving this problem involves sending and receiving cookies.

    Other methods include server-side sessions, hidden variables and URL-encoded parameters (such as /index.php?session_id=some_unique_session_code).
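
    Added example, not part of the original slides: a session identifier carried in the URL, as in the last method above, ends up in every access log that records the request. The sketch below masks such identifiers before a log line is stored and reports any identifier presented by more than one client address. The log layout, the parameter-name list and the sample lines are assumptions constructed for this example.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SESSION_PARAMS = {"session_id", "sid", "phpsessid", "jsessionid"}  # assumed names
LOG_RE = re.compile(r'^(\S+) "(\S+) (\S+) (HTTP/[\d.]+)" (\d{3})$')  # assumed layout

def fingerprint(session_id):
    """Short hash so a report can name a session without repeating its secret."""
    return hashlib.sha256(session_id.encode()).hexdigest()[:12]

def redact(url):
    """Return (url with session ids masked, list of the session ids found)."""
    parts = urlsplit(url)
    found, query = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAMS:
            found.append(value)
            value = "REDACTED"
        query.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(query))), found

def audit(lines):
    """Return (log lines safe to store, {fingerprint: client addresses}) for
    session ids that were presented by more than one client address."""
    clients, safe = defaultdict(set), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsed lines are withheld rather than stored raw
        ip, method, url, version, status = m.groups()
        clean, found = redact(url)
        for sid in found:
            clients[fingerprint(sid)].add(ip)
        safe.append(f'{ip} "{method} {clean} {version}" {status}')
    shared = {fp: sorted(ips) for fp, ips in clients.items() if len(ips) > 1}
    return safe, shared

# Constructed access-log lines (documentation addresses), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 "GET /index.php?session_id=some_unique_session_code HTTP/1.1" 200',
    '198.51.100.7 "GET /index.php?page=2&session_id=some_unique_session_code HTTP/1.1" 200',
    '203.0.113.9 "GET /index.php?session_id=some_unique_session_code HTTP/1.1" 200',
    '203.0.113.9 "GET /index.php?session_id=another_code HTTP/1.1" 200',
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

    A session id seen from two addresses is a signal to review, not proof of hijacking: clients behind changing NAT addresses produce the same pattern.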

    REQUEST & RESPONSE EXAMPLE

    LIVE HTTP REQUEST/RESPONSE TEST

    http://www.rexswain.com/httpview.html

    http://web-sniffer.net/

    SMTP: SIMPLE MAIL TRANSFER PROTOCOL

    Contents:

    Introduction

    SMTP operation

    Problems with SMTP

    Security considerations in SMTP

    INTRODUCTION

    Simple Mail Transfer Protocol is the standard e-mail protocol on the Internet and part of the TCP/IP protocol suite.

    An SMTP server receives your e-mails and sends them on to their destinations.

    SMTP was originally designed for only plain text (ASCII text), but Multipurpose Internet Mail Extensions (MIME) and other encoding methods enable executable programs and multimedia files to be attached to and transported with the e-mail message.

    SMTP is a relatively simple, text-based protocol, where one or more recipients of a message are specified and then the message text is transferred. SMTP uses TCP port 25.

    OPERATION

    When an SMTP client has a message to transmit, it establishes a two-way transmission channel to an SMTP server. The responsibility of an SMTP client is to transfer mail messages to one or more SMTP servers.

    Once the transmission channel is established and initial handshaking completed, the SMTP client normally initiates a mail transaction.

    Such a transaction consists of a series of commands to specify the originator and destination of the mail and transmission of the message content (including any headers or other structure) itself.

    OPERATION (CONTINUED)

    The server responds to each command with a reply; replies may indicate that the command was accepted, that additional commands are expected, or that a temporary or permanent error condition exists.

    Once a given mail message has been transmitted, the client may either request that the connection be shut down or may initiate other mail transactions.

    BASIC COMMANDS

    SMTP defines a small required command set, with several optional commands included for convenience. The minimal set required for an SMTP sending client is:

    HELO - Initial State Identification

    MAIL - Mail Sender Reverse Path

    RCPT - One Recipient's Forward Path

    DATA - Mail Message Text State

    RSET - Abort Transaction and Reset all buffers

    NOOP - No Operation

    QUIT - Commit Message and Close Channel

    PROBLEMS WITH SIMPLE SMTP

    The first one relates to message length. Some older implementations couldn't handle messages exceeding 64KB.

    Another problem relates to timeouts. If the client and server have different timeouts, one of them may give up while the other is still busy, unexpectedly terminating the connection.

    Infinite mail storms can be triggered. For example, if host 1 holds mailing list A and host 2 holds mailing list B and each list contains an entry for the other one, then a message sent to either list could generate a never-ending amount of email traffic unless somebody checks for it.

    EXTENSIONS

    The following are extensions to the SMTP protocol (RFC 821):-

    RFC 2920:-

    SMTP extension to improve SMTP performance by bundling multiple commands within a TCP send operation.

    RFC 3030:-

    This provides two extensions to the SMTP protocol for the transfer of large and binary MIME messages.

    RFC 2487:-

    SMTP extension for transport-layer security during sessions. This adds some security to email while in transit.

    SECURITY AND SPAMMING

    One of the limitations of the original SMTP is that it has no facility for authentication of senders. Therefore the SMTP-AUTH extension was defined. In spite of this, e-mail spamming is still a major problem. Modifying SMTP extensively, or replacing it completely, is not believed to be practical, due to the network effects of the huge installed base of SMTP. Internet Mail 2000 is one such proposal for replacement.

    SMTP mail is inherently insecure in that it is feasible for even fairly casual users to negotiate directly with receiving and relaying SMTP servers and create messages that will trick a naive recipient into believing that they came from somewhere else.
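
    Added example, not part of the original slides: a receiving-side check for the weakness described above. It reads the client's command lines from an SMTP transaction (the MAIL, RCPT, DATA and RSET commands listed under BASIC COMMANDS), then compares the envelope sender given in MAIL with the From: header the recipient is shown. The function names and the transcript are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ANGLE = re.compile(r"<([^>]*)>")  # reverse-path / forward-path in angle brackets

def parse_transcript(lines):
    """Return (envelope sender, recipients, message text) from client-side lines."""
    sender, rcpts, data, in_data = None, [], [], False
    for line in lines:
        if in_data:
            if line == ".":  # a lone dot ends the DATA section
                in_data = False
            else:  # undo dot-stuffing of content lines that begin with "."
                data.append(line[1:] if line.startswith(".") else line)
            continue
        verb, _, arg = line.partition(" ")
        verb, path = verb.upper(), ANGLE.search(arg)
        if verb == "MAIL" and path:  # a new transaction starts with clean buffers
            sender, rcpts, data = path.group(1), [], []
        elif verb == "RCPT" and path:
            rcpts.append(path.group(1))
        elif verb == "DATA":
            in_data = True
        elif verb == "RSET":  # abort the transaction and reset all buffers
            sender, rcpts, data = None, [], []
    return sender, rcpts, "\n".join(data)

def domain(address):
    return address.rpartition("@")[2].lower()

def sender_findings(lines):
    """Compare the sender SMTP carried (MAIL) with the one the reader sees (From:)."""
    sender, _, text = parse_transcript(lines)
    envelope = domain(sender or "")
    shown = message_from_string(text).get_all("From", [])
    findings = [] if len(shown) == 1 else [f"{len(shown)} From headers"]
    for raw in shown:
        header = domain(parseaddr(raw)[1])
        if header != envelope:
            findings.append(f"From domain {header} differs from envelope domain {envelope}")
    return findings

# Constructed client-side transcript (reserved .example domains), not captured mail.
SAMPLE = ["HELO client.sender.example", "MAIL FROM:<bulk@sender.example>",
          "RCPT TO:<bob@recipient.example>", "DATA",
          "From: Accounts <accounts@bank.example>", "Subject: constructed sample",
          "", "Body text.", ".", "QUIT"]
```

    A mismatch is a signal for review rather than a verdict, since mailing lists and bulk senders legitimately use an envelope sender that differs from the From: header.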