S-HTTP (Secure Hypertext Transfer Protocol) for security enhancement
The native protocol that World Wide Web clients and servers use to communicate is HTTP (Hypertext Transfer Protocol). HTTP is ideal for open communications, but it does not provide authentication and encryption features. S-HTTP was developed to work in conjunction with HTTP to enable clients and servers to engage in private and secure transactions. S-HTTP is especially useful for encrypting forms-based information as it passes between clients and servers.
However, S-HTTP was never fully accepted by Web browser vendors such as Microsoft and Netscape. Instead, a similar protocol called SSL (Secure Sockets Layer) became more popular. SSL provides the same authentication and encryption functionality, but SSL has the added feature of being able to encrypt all data being passed between client and server, including data at the IP level. S-HTTP only encrypts HTTP-level messages.
Still, S-HTTP is supported by a number of products. It supports a variety of cryptographic algorithms and modes of operation. Messages may be protected by using digital signatures, authentication, and encryption. Upon first contact, the sender and receiver establish preferences for encrypting and handling secure messages.
A number of encryption algorithms and security techniques can be used, including DES and RC2 encryption, or RSA public-key signing. In addition, users can choose to use a particular type of certificate, or no certificate at all. In cases in which public-key certificates are not available, it is possible for a sender and receiver to use a session key that they have exchanged in advance. A challenge/response mechanism is also available.
The IETF (Internet Engineering Task Force) Web Transaction Security (wts) Working Group is in charge of developing S-HTTP. The Web site is listed on the related entries page. Relevant RFCs are listed here:
RFC 2084 (Consideration for Web Transaction Security, January 1997)
RFC 2616 (HyperText Transfer Protocol-HTTP/1.1, June 1999)
RFC 2659 (Security Extensions For HTML, August 1999)
RFC 2660 (The Secure HyperText Transfer Protocol, August 1999)
RFC 2617 (HTTP Authentication: Basic and Digest Access Authentication, June 1999)