HTTP and HTTPS Overview

icon_info.gif

If you specify HTTP for a Site created using the "strict security settings" option, EFT Server prompts you to disable these insecure protocols, or continue with reason.

HTTP

HTTP is the communication protocol for establishing a connection with a Web server and transmitting HTML pages to the client browser or any other files required by an HTTP client application.  

HTTP is often referred to as a "stateless" protocol. The connection is maintained between client and server only for the immediate request, after which the connection is subsequently closed. Each time you need something from EFT Server, your client (browser) makes a connection, gets that file, and then the connection is closed. Since you do not connect and stay connected, the browser remembers your username and password for you, so it can send the authentication hash along with every new connection request.

For example, when you type http://www.globalscape.com/eft/whatsnew.aspx in your browser's address bar and press ENTER, your browser uses HTTP as specified in the URL to send a command to EFT Server running at the host name www.globalscape.com with the HTTP command "GET /eft/whatsnew.aspx HTTP/1.1," and EFT Server replies with that file (the HTML that makes up the page). In that page, there are references to a number of files (e.g., images, CSS documents, flash files), and your browser makes a separate connection to get each one of those resources.

How does HTTP support in EFT Server differ from a typical Web Server?

EFT Server is primarily a file transfer server, not a Web server. This means it is not meant to "serve up" Web pages such as a typical Web server does for connecting HTTP clients (such as your Web browser). However, there are provisions for transferring files in the HTTP protocol, which is a convenience when a connecting partner, customer, or employee does not have an FTP client installed, but does have an HTTP client or access to a Web page with HTTP PUT capabilities (usually an ActiveX control or Java applet).

When EFT Server is configured to allow HTTP file transfers, any HTTP client will be able to PUT (upload) or GET (download) files to EFT Server, provided the client supports both of these HTTP commands. Most Web browsers only support the GET command or, if they support the PUT command, they provide no interface for browsing to the user's local file system to select and upload (PUT) files onto EFT Server. A few dedicated clients (such as CuteFTP Professional) and various thin clients (based on ActiveX controls or Java applets) support both PUT and GET capabilities, allowing these clients to transfer files to EFT Server in both directions.

For details of WebDAV and EFT Server, refer to Using WebDAV with EFT Server.

HTTP Limitations in EFT Server
HTTPS

HTTPS is the protocol for accessing a secure Web server when authentication and encrypted communication is possible. Using HTTPS in the URL instead of HTTP directs the message to a secure port number rather than the default Web port number of 80. The default TCP/IP port of HTTPS is 443. The session is then managed by a security protocol. HTTPS encrypts the session data using the SSL (Secure Socket Layer) protocol ensuring reasonable protection from eavesdroppers and man-in-the-middle attacks.

Secure Socket Layer (SSL) is a protocol for encrypting and decrypting data across a secure connection from a client to a server with SSL capabilities. EFT Server is responsible for sending the client a certificate and a public key for encryption. If the client trusts EFT Server's certificate, an SSL connection can be established. All data passing from one side to the other will be encrypted. Only the client and EFT Server will be able to decrypt the data. The SSL protocol is the same protocol used in FTPS.

The following elements work together to establish a secure HTTPS connection:

Client: The client must have SSL capabilities.

Certificate: Certificates are digital identification documents that allow both servers and clients to authenticate each other. A certificate file has a .crt extension. Server certificates contain information about your company and the organization that issued the certificate (such as Verisign or Thawte) while client certificates contain information about the user and the organization that signed the certificate. You can choose to either trust or distrust a certificate. In some cases, the client's certificate must be signed by EFT Server's certificate to establish an SSL connection.

Session Key: The client and EFT Server use the session key to encrypt data. It is created by the client via EFT Server’s public key.

Public Key: The client encrypts a session key with EFT Server’s public key. It does not exist as a file, but is produced when a certificate and private key are created.

Private Key: EFT Server's private key decrypts the client's session. The private key has a .key extension and is part of the public-private key pair.

Certificate Signing Request: A Certificate Signing Request (CSR) is a PKCS10 request, which is an unsigned copy of your certificate. A certificate signing request is generated each time a certificate is created. A certificate signing request has a .csr extension. This file is used when you need to have your certificate signed. Once the Certificate Signing Request file is signed, a new certificate is made and can be used to replace the unsigned certificate.

icon_info.gif

In Web pages that use HTTPS, the URL begins with https rather than http. HTTP clients should connect using standard requests (i.e., https://domain_name). You can configure EFT Server to provide connecting clients with a certificate, and can require that the client provide a certificate upon connection (to validate the client's identity further).