cmsc 426 final lecture 7


22 Terms

1

What does HTTP stand for and what is its purpose?

Hypertext Transfer Protocol

It is an application-layer protocol used for transmitting HTML documents and other web resources.

2

How does HTTP follow the client-server model?

The client (usually a browser) always initiates the connection to request data from the server.

3

What are the main steps in an HTTP connection?

  1. Establish TCP connection

  2. Client sends HTTP request

  3. Server sends HTTP response

  4. TCP connection is closed or reused.

4

What is a user-agent in HTTP?

Any tool that sends HTTP requests on behalf of the client, e.g., browsers, web crawlers, debug tools.

5

What are the responsibilities of a browser as a user-agent?

  • Send HTTP requests

  • Parse HTML

  • Display CSS, images, and videos

  • Run scripts and dynamic content.

6

What is an HTTP server?

A server that serves HTML documents or other resources requested by a client. HTTP servers are stateless and do not retain information between requests.

7

Name common HTTP headers and their purpose.

  • Host: Domain name of the server

  • User-Agent: Browser and OS version

  • Accept-Language: Client language preference

  • Content-Type: MIME type of the document

  • Content-Length: Size of data

  • Set-Cookie: Sends cookies to browser.

8

What are the main HTTP methods and their uses?

  • GET: Retrieve data from server (parameters in URL)

  • POST: Send data to server (e.g., form submissions).

9

What is a cookie in HTTP?

Small data pieces stored by browsers to maintain stateful information such as login status or shopping cart contents.

10

What does SSL/TLS provide?

Secure communications over a network (used in HTTPS, email, VoIP).

11

What is the difference between SSL and TLS?

  • SSL 2.0 (1995) deprecated in 2011

  • SSL 3.0 (1996) deprecated in 2015

  • TLS is the successor; current version is TLS 1.3 (2018, RFC 8446).

12

What happens in the Client Hello step of TLS 1.3?

  • Client proposes connection

  • Sends supported cipher suites

  • Includes 32-byte Client Random value

  • Sends key share info for key exchange.

13

What is a cipher suite in TLS?

A set of cryptographic algorithms including key exchange, encryption, digital signatures, and hashing.

14

What is the purpose of the Client Key Share?

It allows the server to immediately proceed with key generation, saving a round-trip communication.

15

Describe the Server Hello step of TLS 1.3.

  • Server selects cipher suite

  • Generates Server Random value

  • Generates symmetric Master Secret

  • Sends digital certificate (X.509) and signed handshake info

  • All encrypted with symmetric key.

16

What does the client do after receiving Server Hello?

  • Generates same symmetric Master Secret

  • Decrypts Server Hello contents

  • Verifies server’s digital signature

  • Sends a “Finished” message.

17

What is OpenSSL?

Most common implementation of SSL/TLS; also includes other cryptographic tools. Used to generate X.509 certificates.

18

Which OpenSSL versions were affected by Heartbleed?

Versions 1.0.1 – 1.0.1f.

19

When was Heartbleed added and disclosed?

Added in 2012, disclosed in 2014 (CVE-2014-0160).

20

What was the vulnerability in Heartbleed?

OpenSSL failed to verify if the payload size matched the actual data size, allowing attackers to read up to 64 KB of random memory (potentially sensitive data).

21

What is the purpose of the Heartbeat extension?

Keeps TLS sessions alive without data transfer; checks if the server is online.

22

Why was Heartbleed so dangerous?

  • Easy to exploit

  • Leaves no logs/evidence

  • Could leak SSL private keys, credentials, and session cookies

  • Allowed repeated exploitation.