HTTP and HTTPS Overview

If you specify HTTP for a Site created using the "strict security settings" option, EFT prompts you to disable insecure protocols, or continue with reason.

HTTP

HTTP is the communication protocol for establishing a connection with a Web server and transmitting HTML pages to the client browser or any other files required by an HTTP client application.  

HTTP is often referred to as a "stateless" protocol. The connection is maintained between client and server only for the immediate request, after which the connection is subsequently closed. Each time you need something from EFT, your client (browser) makes a connection, gets that file, and then the connection is closed. Since you do not connect and stay connected, the browser remembers your username and password for you, so it can send the authentication hash along with every new connection request.

For example, when you type http://www.globalscape.com/admin/whatsnew.aspx in your browser's address bar and press ENTER, your browser uses HTTP as specified in the URL to send a command to EFT running at the host name www.globalscape.com with the HTTP command "GET /admin/whatsnew.aspx HTTP/1.1," and EFT replies with that file (the HTML that makes up the page). In that page, there are references to a number of files (for example, images, CSS documents, flash files), and your browser makes a separate connection to get each one of those resources.

How does HTTP support in EFT differ from a typical Web Server?

EFT is primarily a file transfer server, not a Web server. This means it is not meant to "serve up" Web pages such as a typical Web server does for connecting HTTP clients (such as your Web browser). However, there are provisions for transferring files in the HTTP protocol, which is a convenience when a connecting partner, customer, or employee does not have an FTP client installed, but does have an HTTP client or access to a Web page with HTTP PUT capabilities (usually an ActiveX control or Java applet).

When EFT is configured to allow HTTP file transfers, any HTTP client will be able to PUT (upload) or GET (download) files to EFT, provided the client supports both of these HTTP commands. Most Web browsers only support the GET command or, if they support the PUT command, they provide no interface for browsing to the user's local file system to select and upload (PUT) files onto EFT. A few dedicated clients (such as CuteFTP) and various thin clients (based on ActiveX controls or Java applets) support both PUT and GET capabilities, allowing these clients to transfer files to EFT in both directions.

For details of WebDAV and EFT, refer to Using WebDAV with EFT.

HTTP Limitations in EFT

  • EFT allows you to customize messages sent by EFT upon connection, login, maximum connections reached, and disconnect (for FTP sessions). Due to the nature of the HTTP protocol, custom login messages are not displayed for connecting HTTP clients.

  • Another limitation of HTTP is that after a connection is established, the browser sees EFT's root folder instead of the user's home holder. A workaround is to setup a distinct Site for HTTP sessions.

  • Microsoft Internet Explorer browsers that have installed MS04-004 Cumulative Security Update for Internet Explorer (832894), no longer support URLs that contain username info, even though they are properly formed URLs. This problem is unique to Internet Explorer, and does not affect the other major browsers. For more information, refer to http://www.microsoft.com/technet/security/Bulletin/MS04-004.asp.

  • If you create an Event Rule that sends a notification email for each successful login Event, an email is sent every time a user connected through HTTP changes directories. This is a result of HTTP being a stateless protocol and can result in a large volume of notification emails even when performing typical directory browsing.

HTTPS

HTTPS is the protocol for accessing a secure Web server when authentication and encrypted communication is possible. Using HTTPS in the URL instead of HTTP directs the message to a secure port number rather than the default Web port number of 80. The default TCP/IP port of HTTPS is 443. The session is then managed by a security protocol. HTTPS encrypts the session data using the SSL (Secure Socket Layer) protocol ensuring reasonable protection from eavesdroppers and man-in-the-middle attacks.

Secure Socket Layer (SSL) is a protocol for encrypting and decrypting data across a secure connection from a client to a server with SSL capabilities. EFT is responsible for sending the client a certificate and a public key for encryption. If the client trusts EFT's certificate, an SSL connection can be established. All data passing from one side to the other will be encrypted. Only the client and EFT will be able to decrypt the data. The SSL protocol is the same protocol used in FTPS.

The following elements work together to establish a secure HTTPS connection:

  • Client: The client must have SSL capabilities.

  • Certificate: Certificates are digital identification documents that allow both servers and clients to authenticate each other. A certificate file has a .crt extension. Server certificates contain information about your company and the organization that issued the certificate (such as Verisign or Thawte) while client certificates contain information about the user and the organization that signed the certificate. You can choose to either trust or distrust a certificate. In some cases, the client's certificate must be signed by EFT's certificate to establish an SSL connection.

  • Session Key: The client and EFT use the session key to encrypt data. It is created by the client via EFT’s public key.

  • Public Key: The client encrypts a session key with EFT’s public key. It does not exist as a file, but is produced when a certificate and private key are created.

  • Private Key: EFT's private key decrypts the client's session. The private key has a .key extension and is part of the public-private key pair.

  • Certificate Signing Request: A Certificate Signing Request (CSR) is a PKCS10 request, which is an unsigned copy of your certificate. A certificate signing request is generated each time a certificate is created. A certificate signing request has a .csr extension. This file is used when you need to have your certificate signed. Once the Certificate Signing Request file is signed, a new certificate is made and can be used to replace the unsigned certificate.

In Web pages that use HTTPS, the URL begins with https rather than http. HTTP clients should connect using standard requests (that is, https://domain_name). You can configure EFT to provide connecting clients with a certificate, and can require that the client provide a certificate upon connection (to validate the client's identity further).