Web Applications - your transport awaits

So how does the majority of your electronic commounication get moved across the internet? Well the vast majority uses something called HTTP which you have almost certainly heard of.

HTTP is the transport used by your web requests and is actually an extremely simple protocol used to deliver HTML pages. Unfortunately it's not exactly what you could call secure but is primarily designed for lightness and speed - you can read about it in more depth in the RFC Here.

One of the main problems inn trying too keep our data and identity secure using HTTP is the simple problem that it is primarily an ASCII based protocol which operates in clear text.

It is almost brilliantly simple and fast and only operates at a very basic level of request and respond. HTTP is a mechanism, a way to request a resource from a web server (GET request) and a response will be delivered and the resource if possible.

Here's an example of such a request

GET /index.htm HTTP/1.0

Not exactly difficult stuff and the worrying fact is there's no cryptic language to understand and no need to decipher any of the data that passes to and from your web browser and the web server.

One of the most revealing things you can do to illustrate how insecure the HTTP protocol is for delivering and receiving data is to connect up to a wireless cafe, hotel access point and then fire up a free sniffer program like wireshark (although I still use ethereal!) and look at the data that is flying about in the clear.

Same goes for wireless connections - I still can't quite look at one of my neigbours in the same way when I saw some of the web sites he visits flying passed my sniffer ;)

There are loads of reasons why HTTP is such an insecure protocol such as it operating over the same well known TCP ports but we should also remember how staggeringly efficient and effective it is as a delivery mechanism. It certainly done a damn fine job sharing data over the internet but perhaps in some cases a little too good !