
S-HTTP (Secure Hypertext Transfer Protocol)


Note: Many topics at this site are reduced versions of the text in "The Encyclopedia of Networking and Telecommunications." Search results will not be as extensive as a search of the book's CD-ROM.

The native protocol that World Wide Web clients and servers use to communicate is HTTP (Hypertext Transfer Protocol). HTTP is ideal for open communications, but it does not provide authentication and encryption features. S-HTTP was developed to work in conjunction with HTTP to enable clients and servers to engage in private and secure transactions. S-HTTP is especially useful for encrypting forms-based information as it passes between clients and servers.

However, S-HTTP was never fully accepted by Web browser vendors such as Microsoft and Netscape. Instead, a similar protocol called SSL (Secure Sockets Layer) became more popular. SSL provides the same authentication and encryption functionality, but SSL has the added feature of being able to encrypt all data being passed between client and server, including data at the IP level. S-HTTP only encrypts HTTP-level messages.

Still, S-HTTP is supported by a number of products. It supports a variety of cryptographic algorithms and modes of operation. Messages may be protected by using digital signatures, authentication, and encryption. Upon first contact, the sender and receiver establish preferences for encrypting and handling secure messages.

A number of encryption algorithms and security techniques can be used, including DES and RC2 encryption, or RSA public-key signing. In addition, users can choose to use a particular type of certificate, or no certificate at all. In cases in which public-key certificates are not available, it is possible for a sender and receiver to use a session key that they have exchanged in advance. A challenge/response mechanism is also available (see "CHAP (Challenge Handshake Authentication Protocol)").
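The preference exchange described above can be sketched in code. This is an added example, not part of the original entry or of any S-HTTP product: it assumes the `mode-action=value` negotiation header form from RFC 2660, and the sample header lines and the helper names `parse_negotiation` and `choose` are constructed for illustration.

```python
# Added example, not from the original entry. Header syntax follows the
# "Field: mode-action=value,...;..." form of RFC 2660; sample values are constructed.
ACTIONS = ("optional", "required", "refused")

def parse_negotiation(lines):
    """Parse negotiation header lines into {field: {(mode, action): [values]}}."""
    prefs = {}
    for line in lines:
        field, _, body = line.partition(":")
        if not field.strip() or not body.strip():
            raise ValueError(f"malformed negotiation header: {line!r}")
        entry = prefs.setdefault(field.strip().lower(), {})
        for key_val in body.split(";"):
            key, sep, values = key_val.strip().partition("=")
            mode, _, action = key.partition("-")
            if not sep or mode not in ("orig", "recv") or action not in ACTIONS:
                raise ValueError(f"bad preference {key_val!r} in {line!r}")
            entry.setdefault((mode, action), []).extend(
                v.strip() for v in values.split(",") if v.strip())
    return prefs

def choose(originator, receiver, field):
    """Return the first value the originator will generate that the receiver will process."""
    o = originator.get(field.lower(), {})
    r = receiver.get(field.lower(), {})
    offered = o.get(("orig", "required"), []) + o.get(("orig", "optional"), [])
    refused = set(r.get(("recv", "refused"), [])) | set(o.get(("orig", "refused"), []))
    # A recv-required list is binding; otherwise fall back to recv-optional.
    allowed = r.get(("recv", "required"), []) or r.get(("recv", "optional"), [])
    for alg in offered:
        if alg not in refused and (not allowed or alg in allowed):
            return alg
    # No overlap: the caller should refuse to send rather than drop the protection.
    return None

# Constructed preferences for a client (originator) and a server (receiver).
CLIENT = [
    "SHTTP-Symmetric-Content-Algorithms: orig-optional=RC2-CBC,DES-CBC",
    "SHTTP-Signature-Algorithms: orig-required=RSA",
]
SERVER = [
    "SHTTP-Symmetric-Content-Algorithms: recv-optional=DES-CBC;recv-refused=RC2-CBC",
    "SHTTP-Signature-Algorithms: recv-required=RSA",
]

if __name__ == "__main__":
    c, s = parse_negotiation(CLIENT), parse_negotiation(SERVER)
    for f in ("SHTTP-Symmetric-Content-Algorithms", "SHTTP-Signature-Algorithms"):
        print(f, "->", choose(c, s, f))
```

Treating an empty overlap as a hard failure keeps a mismatch in preferences from turning into an unprotected HTTP message.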

The IETF (Internet Engineering Task Force) Web Transaction Security (wts) Working Group is in charge of developing S-HTTP. The Web site is listed on the related entries page. Relevant RFCs are listed here:

  • RFC 2084 (Considerations for Web Transaction Security, January 1997)

  • RFC 2616 (HyperText Transfer Protocol-HTTP/1.1, June 1999)

  • RFC 2659 (Security Extensions For HTML, August 1999)

  • RFC 2660 (The Secure HyperText Transfer Protocol, August 1999)

  • RFC 2617 (HTTP Authentication: Basic and Digest Access Authentication, June 1999)

Copyright (c) 2001 Tom Sheldon and Big Sur Multimedia.
All rights reserved under Pan American and International copyright conventions.