Establishing TLS over an existing HTTP connection
E835150
Establishing TLS over an existing HTTP connection is a technique that upgrades a plain HTTP session to a secure, encrypted TLS channel without creating a new TCP connection.
Statements (48)
| Predicate | Object |
|---|---|
| instanceOf | network protocol technique; security protocol upgrade mechanism |
| affectedBy | HTTP intermediaries and proxies; load balancers; middleboxes that inspect HTTP |
| avoids | creating new TCP connection |
| canBeUsedFor | incremental security deployment; tunneling secure traffic through intermediaries; upgrading legacy HTTP services |
| canImprove | latency for protocol negotiation; performance by avoiding extra TCP handshake |
| canUseMechanism | HTTP Upgrade: TLS/1.0 header; HTTP Upgrade: TLS/1.2 header; HTTP Upgrade: h2c to h2 over TLS |
| contrastsWith | starting TLS at the beginning of TCP connection; using separate port for HTTPS |
| hasChallenge | compatibility with existing proxies; limited support in common HTTP clients; limited support in common HTTP servers |
| hasGoal | provide authentication; provide confidentiality; provide integrity; upgrade plain HTTP to encrypted channel |
| hasProperty | in-band negotiation; no change of client IP or port; no change of server IP or port; session continuity at application level |
| hasSecurityConsideration | downgrade attack risk if negotiation is not authenticated; need to validate TLS certificates after upgrade; plaintext data sent before upgrade remains unprotected |
| isConceptuallySimilarTo | STARTTLS in IMAP; STARTTLS in POP3; STARTTLS in SMTP |
| isPartOf | secure web communication techniques |
| mayBeSpecifiedIn | experimental or proprietary HTTP extensions |
| mayRequire | HTTP 101 Switching Protocols response; HTTP 200 response before TLS negotiation in some designs |
| operatesOnLayer | application layer |
| relatedTo | HTTP CONNECT method; HTTP Upgrade header; HTTP/2 prior knowledge upgrade; STARTTLS; WebSocket protocol upgrade |
| requires | client support; server support |
| reuses | existing TCP connection |
| usesProtocol | Hypertext Transfer Protocol; Transport Layer Security |
Referenced by (1)