The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web.
The standards development of HTTP has been coordinated by the Internet Engineering Task Force (IETF) and the World Wide Web Consortium (W3C), culminating in the publication of a series of Requests for Comments (RFCs), most notably RFC 2616 (June 1999), which defines HTTP/1.1, the version of HTTP in common use when this text was written. (RFC 2616 was later obsoleted by RFC 7230 to RFC 7235 in 2014, and those in turn by RFC 9110 to RFC 9112 in 2022.)
HTTP functions as a request-response protocol in the client-server computing model.
In HTTP, a web browser, for example, acts as a client, while an application running on a computer hosting a web site functions as a server. The client submits an HTTP request message to the server. The server, which stores content or provides resources such as HTML files, or performs other functions on behalf of the client, returns a response message to the client.
A response contains completion status information about the request and may contain any content requested by the client in its message body.
A client is often referred to as a user agent (UA). A web browser or a web crawler (spider, used by search providers) are examples of common types of clients or user agents.
The HTTP protocol is designed to permit intermediate network elements to improve or enable communications between clients and servers. High-traffic websites often benefit from web cache servers that deliver content on behalf of the original, so-called origin server to improve response time.
HTTP proxy servers at network boundaries facilitate communication when clients without a globally routable address are located in private networks, by relaying the requests and responses between clients and servers.
HTTP is an Application Layer protocol designed within the framework of the Internet Protocol Suite. The protocol definitions presume a reliable Transport Layer protocol for host-to-host data transfer. The Transmission Control Protocol (TCP) is the dominant protocol in use for this purpose.
However, HTTP has found application even over unreliable transports such as the User Datagram Protocol (UDP), for example in the Simple Service Discovery Protocol (SSDP).
HTTP resources are identified and located on the network by Uniform Resource Identifiers (URIs), or, more specifically, Uniform Resource Locators (URLs), using the http or https URI schemes.
URIs and the Hypertext Markup Language (HTML) form a system of inter-linked resources, called hypertext documents, on the Internet, which led to the establishment of the World Wide Web in 1990 by English physicist Tim Berners-Lee.
The original version of HTTP (HTTP/1.0) was revised in HTTP/1.1. HTTP/1.0 uses a separate connection to the same server for every request-response transaction, while HTTP/1.1 can reuse a connection multiple times, to download, for instance, the images for a page that has just been delivered.
Hence HTTP/1.1 communications experience less latency, as the establishment of a TCP connection presents considerable overhead.
The term hypertext was coined by Ted Nelson, who in turn was inspired by Vannevar Bush's microfilm-based "memex".
Tim Berners-Lee first proposed the "WorldWideWeb" project, now known as the World Wide Web. Berners-Lee and his team are credited with inventing the original HTTP protocol along with HTML and the associated technology for a web server and a text-based web browser.
The first version of the protocol had only one method, namely GET, which would request a page from a server. The response from the server was always an HTML page.
The first documented version of HTTP was HTTP V0.9 (1991).
Dave Raggett led the HTTP Working Group (HTTP WG) in 1995 and wanted to expand the protocol with extended operations, extended negotiation, richer meta-information and a tie-in with a security protocol, and to make it more efficient by adding methods and header fields. RFC 1945 officially introduced and recognized HTTP/1.0 in 1996.
The HTTP WG planned to publish new standards in December 1995, and support for pre-standard HTTP/1.1, based on the then-developing RFC 2068, was rapidly adopted by the major browser developers in early 1996. By March 1996, pre-standard HTTP/1.1 was supported in Arena, Netscape 2.0, Netscape Navigator Gold 2.01, Mosaic 2.7, Lynx 2.5, and Internet Explorer 3.0.
End user adoption of the new browsers was rapid. In March 1996, one web hosting company reported that over 40% of browsers in use on the Internet were HTTP/1.1 compliant. That same web hosting company reported that by June 1996, 65% of all browsers accessing their servers were HTTP/1.1 compliant.
The HTTP/1.1 standard as defined in RFC 2068 was officially released in January 1997. Improvements and updates to the HTTP/1.1 standard were released under RFC 2616 in June 1999.
An HTTP session is a sequence of network request-response transactions.
An HTTP client initiates a request. It establishes a Transmission Control Protocol (TCP) connection to a particular port on a host (typically port 80; see List of TCP and UDP port numbers). An HTTP server listening on that port waits for a client's request message.
Upon receiving the request, the server sends back a status line, such as "HTTP/1.1 200 OK", and a message of its own, the body of which is perhaps the requested resource, an error message, or some other information.
The request message consists of the following:
- Request line, such as GET /images/logo.png HTTP/1.1, which requests a resource called /images/logo.png from the server
- Headers, such as Accept-Language: en
- An empty line
- An optional message body
The request line and headers must all end with <CR><LF> (that is, a carriage return followed by a line feed). The empty line must consist of only <CR><LF> and no other whitespace. In the HTTP/1.1 protocol, all headers except Host are optional.
A request line that omits the version field (for example GET /index.html) is accepted by servers to maintain compatibility with HTTP clients that predate the HTTP/1.0 specification in RFC 1945.
HTTP defines nine methods (sometimes referred to as "verbs") indicating the desired action to be performed on the identified resource.
What this resource represents, whether pre-existing data or data that is generated dynamically, depends on the implementation of the server. Often, the resource corresponds to a file or the output of an executable residing on the server.
- HEAD: Asks for a response identical to the one that would correspond to a GET request, but without the response body. This is useful for retrieving meta-information written in response headers without having to transport the entire content.
- GET: Requests a representation of the specified resource. Requests using GET (and a few other HTTP methods) "SHOULD NOT have the significance of taking an action other than retrieval". The W3C has published guidance principles on this distinction, saying, "Web application design should be informed by the above principles, but also by the relevant limitations." See safe methods below.
- POST: Submits data to be processed (e.g., from an HTML form) to the identified resource. The data is included in the body of the request. This may result in the creation of a new resource, the update of existing resources, or both.
- PUT: Uploads a representation of the specified resource.
- DELETE: Deletes the specified resource.
- TRACE: Echoes back the received request, so that a client can see what (if any) changes or additions have been made by intermediate servers.
- OPTIONS: Returns the HTTP methods that the server supports for the specified URL. This can be used to check the functionality of a web server by requesting '*' instead of a specific resource.
- CONNECT: Converts the request connection to a transparent TCP/IP tunnel, usually to facilitate TLS-encrypted communication (HTTPS) through an unencrypted HTTP proxy.
- PATCH: Applies partial modifications to a resource.
HTTP servers are required to implement at least the GET and HEAD methods and, whenever possible, also the OPTIONS method.
Some methods (for example, HEAD, GET, OPTIONS and TRACE) are defined as safe, which means they are intended only for information retrieval and should not change the state of the server.
In other words, they should not have side effects beyond relatively harmless ones such as logging, caching, the serving of banner advertisements or incrementing a web counter. Making arbitrary GET requests without regard to the context of the application's state should therefore be considered safe.
By contrast, methods such as POST, PUT and DELETE are intended for actions that may cause side effects either on the server, or external side effects such as financial transactions or transmission of email. Such methods are therefore not usually used by conforming web robots or web crawlers, which tend to make requests without regard to context or consequences.
Despite the prescribed safety of GET requests, in practice their handling by the server is not technically limited in any way. Therefore, careless or deliberate programming can cause non-trivial changes on the server. This is discouraged, because it can cause problems for web caching, search engines and other automated agents, which can then make unintended changes on the server.
Furthermore, methods such as TRACE, TRACK and DEBUG are considered potentially 'unsafe' by some security professionals, because they can be used by attackers to gather information or bypass security controls during attacks. Security software tools such as Tenable Nessus and Microsoft URLScan report on the presence of these methods as security issues.
Idempotent methods and web applications
Methods PUT and DELETE are defined to be idempotent, meaning that multiple identical requests should have the same effect as a single request. Methods GET, HEAD, OPTIONS and TRACE, being prescribed as safe, should also be idempotent, as HTTP is a stateless protocol.
In contrast, the POST method is not necessarily idempotent, and therefore sending an identical POST request multiple times may further affect state or cause further side effects (such as financial transactions).
In some cases this may be desirable, but in other cases it may be accidental, such as when a user does not realize that their action will result in sending another request, or did not receive adequate feedback that their first request was successful.
While web browsers may show alert dialog boxes to warn users in some cases where reloading a page would re-submit a POST request, it is generally up to the web application to handle cases where a POST request should not be submitted more than once.
Note that whether a method is idempotent is not enforced by the protocol or web server. It is perfectly possible to write a web application in which (for example) a database insert or other non-idempotent action is triggered by a GET or other request. Ignoring this recommendation, however, may result in undesirable consequences if a user agent assumes that repeating the same request is safe when it isn't.
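As an added example (not code from the original page, and not part of any server described here), the following Python dispatcher shows what it takes for an application to honour these rules itself, since the protocol does not: handlers that mutate state are never reachable through a safe method, PUT is written as an absolute update so that repeating it is harmless, and POST replays are absorbed with an Idempotency-Key request header. The bank, its routes and the Idempotency-Key header are assumptions of the example.

```python
# Added example (not code from the original page): a minimal dispatcher that
# enforces the method semantics described above. Safe methods are never
# allowed to reach a handler that mutates state, PUT is an absolute update and
# so idempotent by construction, and POST is made replay-tolerant with an
# Idempotency-Key request header. The bank, its routes and that header are
# assumptions of this example, not part of HTTP itself.
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


class Bank:
    """Constructed application state plus the handlers that act on it."""

    def __init__(self):
        self.balances = {"alice": 100, "bob": 0}
        self.replay_cache = {}   # Idempotency-Key -> (status, body) of the first run
        # (method, first path segment) -> (handler name, mutates server state?)
        self.routes = {
            ("GET", "/balance"): ("get_balance", False),
            ("PUT", "/balance"): ("set_balance", True),
            ("POST", "/transfer"): ("transfer", True),
        }

    def get_balance(self, req):
        return 200, {"balance": self.balances[req.path.rsplit("/", 1)[1]]}

    def set_balance(self, req):
        # Absolute value: repeating it leaves the same state, so PUT is idempotent.
        self.balances[req.path.rsplit("/", 1)[1]] = req.body["balance"]
        return 200, {"balances": dict(self.balances)}

    def transfer(self, req):
        # Relative change: repeating it moves money twice, so POST is not idempotent.
        src, dst, amount = req.body["from"], req.body["to"], req.body["amount"]
        if self.balances[src] < amount:
            return 409, {"error": "insufficient funds"}
        self.balances[src] -= amount
        self.balances[dst] += amount
        return 201, {"balances": dict(self.balances)}

    def dispatch(self, req):
        prefix = "/" + req.path.split("/")[1]
        route = self.routes.get((req.method, prefix))
        if route is None:
            return 405, {"error": "method not allowed"}
        name, mutates = route
        # A crawler or prefetcher may issue safe methods blindly, so refuse to
        # run a mutating handler under one even if the route table binds it.
        if mutates and req.method in SAFE_METHODS:
            return 405, {"error": "safe method bound to a mutating handler"}
        if req.method != "POST":
            return getattr(self, name)(req)
        key = req.headers.get("Idempotency-Key")
        if key is None:
            return 400, {"error": "Idempotency-Key header required"}
        if key not in self.replay_cache:      # first submission: run it once
            self.replay_cache[key] = getattr(self, name)(req)
        return self.replay_cache[key]        # duplicate: replay, do not re-run
```

Replaying the same POST with the same key returns the stored 201 without moving money again, while a second transfer with a fresh key does move it. Binding the transfer handler to GET is refused before the handler runs, which is exactly the protection a crawler's blind GET needs.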
In HTTP/1.0 and since, the first line of the HTTP response is called the status line and includes a numeric status code (such as "404") and a textual reason phrase (such as "Not Found"). The way the user agent handles the response primarily depends on the code and secondarily on the response headers.
Custom status codes can be used, since if the user agent encounters a code it does not recognize, it can use the first digit of the code to determine the general class of the response.
Also, the standard reason phrases are only recommendations and can be replaced with "local equivalents" at the web developer's discretion.
If the status code indicates a problem, the user agent might display the reason phrase to the user to provide further information about the nature of the problem. The standard also allows the user agent to attempt to interpret the reason phrase, though this might be unwise since the standard explicitly specifies that status codes are machine-readable and reason phrases are human-readable.
In HTTP/0.9 and 1.0, the connection is closed after a single request/response pair. In HTTP/1.1 a keep-alive mechanism was introduced, where a connection could be reused for more than one request.
Such persistent connections reduce request latency perceptibly, because the client does not need to re-negotiate the TCP connection after the first request has been sent.
Version 1.1 of the protocol made bandwidth optimization improvements to HTTP/1.0.
For example, HTTP/1.1 introduced chunked transfer encoding to allow content on persistent connections to be streamed rather than buffered. HTTP pipelining further reduces lag time, allowing clients to send multiple requests before the response to the first one has been received.
Another improvement to the protocol was byte serving, which is when a server transmits just the portion of a
HTTP session state
HTTP is a stateless protocol. A stateless protocol does not require the server to retain information or status about each user for the duration of multiple requests.
For example, when a web server is required to customize the content of a web page for a user, the web application may have to track the user's progress from page to page. A common solution is the use of HTTP cookies. Other methods include server-side sessions, hidden variables (when the current page is a form), and URL rewriting using URI-encoded parameters.
There are currently two methods of establishing a secure HTTP connection: the https URI scheme and the HTTP 1.1 Upgrade header, introduced by RFC 2817. Browser support for the Upgrade header is, however, nearly non-existent, so HTTPS is still the dominant method of establishing a secure HTTP connection.
Secure HTTP is notated by the prefix https:// instead of http:// on web URIs.
https URI scheme
https is a URI scheme that is, aside from the scheme token, syntactically identical to the http scheme used for normal HTTP connections, but which signals the browser to use an added encryption layer of SSL/TLS to protect the traffic.
TLS is especially suited for HTTP since it can provide some protection even if only one side of the communication is authenticated. This is the case with HTTP transactions over the Internet, where typically only the server is authenticated (by the client examining the server's certificate).
HTTP 1.1 Upgrade header field
HTTP 1.1 introduced support for the Upgrade header field. In the exchange, the client begins by making a clear-text request, which is later upgraded to Transport Layer Security (TLS). Either the client or the server may request that the connection be upgraded. The most common usage is a clear-text request by the client followed by a server demand to upgrade the connection:
GET /encrypted-area HTTP/1.1
Host: www.example.com

HTTP/1.1 426 Upgrade Required
Upgrade: TLS/1.0, HTTP/1.1
Connection: Upgrade
The server returns a 426 status-code to alert legacy clients that the failure was client-related (400 level codes indicate a client failure: List of HTTP status codes).
This method for establishing a secure connection is advantageous because it:
- Does not require messy and problematic redirection and URL rewriting on the server side.
- Enables virtual hosting of secured websites (although HTTPS also allows this using Server Name Indication).
- Reduces the potential for user confusion by providing a single way to access a particular resource.
A disadvantage of this method is that the client cannot specify the requirement for secure HTTP in the URI. Thus the (untrusted) server, not the (trusted) client, is responsible for enabling secure HTTP.
Below is a sample conversation between an HTTP client and an HTTP server running on www.example.com, port 80.
GET /index.html HTTP/1.1
Host: www.example.com

A client request (consisting in this case of the request line and only one header) is followed by a blank line, so that the request ends with a double newline, each in the form of a carriage return followed by a line feed.
The "Host" header distinguishes between various DNS names sharing a single IP address, allowing name-based virtual hosting. While optional in HTTP/1.0, it is mandatory in HTTP/1.1.
A server response is followed by a blank line and the text of the requested page. The ETag (entity tag) header is used to determine if a cached version of the requested resource is identical to the current version of the resource on the server.
Content-Type specifies the Internet media type of the data conveyed by the HTTP message, while Content-Length indicates its length in bytes. The HTTP/1.1 web server publishes its ability to respond to requests for certain byte ranges of the document by setting the header Accept-Ranges: bytes. This is useful if the client needs to have only certain portions of a resource sent by the server, which is called byte serving. When Connection: close is sent in a header, it means that the web server will close the TCP connection immediately after the transfer of this response.
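The framing rules given in the request-format section above (CRLF line endings, an empty line of exactly CRLF, Host mandatory in HTTP/1.1) and the sample conversation here are easiest to check with a parser that rejects anything else. The following Python code is an added example, not code from the original page; the sample request and response it parses are constructed for the example, since the server's response in the conversation above is described in the text but not shown in full.

```python
# Added example (not code from the original page): a strict parser for the
# HTTP/1.x framing described in the request-format and sample-conversation
# sections above. Each line must end in CRLF, the header section must end in an
# exact CRLF CRLF, HTTP/1.1 requests must carry exactly one Host header, and the
# body is taken from a single Content-Length value rather than guessed. The
# sample exchange at the bottom is constructed for this example.
import re

CRLF = b"\r\n"
TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 7230 token chars


class MessageError(ValueError):
    """Raised for any framing violation; callers should reply 400 and close."""


def _split_head(raw):
    """Split raw bytes into (start line, [(lowercased name, value)], body)."""
    end = raw.find(CRLF + CRLF)
    if end < 0:
        raise MessageError("header section not terminated by CRLF CRLF")
    head, body = raw[:end], raw[end + 4:]
    lines = head.split(CRLF)
    if any(b"\n" in line for line in lines):
        raise MessageError("bare LF in header section")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.match(name):      # also rejects whitespace-only lines
            raise MessageError("malformed header line %r" % line)
        headers.append((name.decode("ascii").lower(), value.strip().decode("latin-1")))
    return lines[0], headers, body


def _body(headers, body):
    """Delimit the body by Content-Length; identical duplicates are tolerated,
    conflicting ones are an error, never a guess."""
    lengths = {v for n, v in headers if n == "content-length"}
    if not lengths:
        return b""
    if len(lengths) != 1:
        raise MessageError("conflicting Content-Length values")
    value = lengths.pop()
    if not value.isdigit():
        raise MessageError("non-numeric Content-Length")
    if len(body) < int(value):
        raise MessageError("body shorter than Content-Length")
    return body[:int(value)]


def parse_request(raw):
    start, headers, body = _split_head(raw)
    parts = start.split(b" ")
    if len(parts) == 2:                      # pre-HTTP/1.0 form: no version field
        parts.append(b"HTTP/0.9")
    if len(parts) != 3 or not TOKEN.match(parts[0]) or not re.match(rb"^HTTP/\d\.\d$", parts[2]):
        raise MessageError("malformed request line %r" % start)
    method, target, version = (p.decode("ascii") for p in parts)
    if version == "HTTP/1.1" and sum(1 for n, _ in headers if n == "host") != 1:
        raise MessageError("HTTP/1.1 requires exactly one Host header")
    return {"method": method, "target": target, "version": version,
            "headers": dict(headers), "body": _body(headers, body)}


def parse_response(raw):
    start, headers, body = _split_head(raw)
    m = re.match(rb"^(HTTP/\d\.\d) (\d{3})(?: (.*))?$", start)
    if not m:
        raise MessageError("malformed status line %r" % start)
    code = int(m.group(2))
    return {"version": m.group(1).decode("ascii"), "status": code,
            "class": code // 100,            # what a UA falls back on for unknown codes
            "reason": (m.group(3) or b"").decode("latin-1"),
            "headers": dict(headers), "body": _body(headers, body)}


def request_error(raw):
    """The parser's complaint about raw, or None if it is well formed."""
    try:
        parse_request(raw)
    except MessageError as exc:
        return str(exc)
    return None


# Constructed sample exchange with www.example.com, modelled on the one above.
SAMPLE_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Content-Type: text/html; charset=UTF-8\r\n"
                   b"Content-Length: 27\r\n"
                   b"Accept-Ranges: bytes\r\n"
                   b"ETag: \"abc123\"\r\n"
                   b"Connection: close\r\n"
                   b"\r\n"
                   b"<html>hello, world</html>\r\n")
```

A bare LF, a whitespace-only line before the terminating blank line, a missing Host on an HTTP/1.1 request, or two different Content-Length values all raise MessageError rather than being repaired; a version-less request line is accepted and reported as HTTP/0.9, as the text above describes.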
In the context of an HTTP transaction, basic access authentication is a method designed to allow a web browser, or other client program, to provide credentials, in the form of a user name and password, when making a request.
Before transmission, the user name is appended with a colon and concatenated with the password. The resulting string is encoded with the Base64 algorithm. For example, given the user name 'Aladdin' and password 'open sesame', the string 'Aladdin:open sesame' is Base64 encoded, resulting in 'QWxhZGRpbjpvcGVuIHNlc2FtZQ=='. The Base64-encoded string is transmitted and decoded by the receiver, resulting in the colon-separated user name and password string.
While encoding the user name and password with the Base64 algorithm typically makes them unreadable by the naked eye, they are as easily decoded as they are encoded. Security is not the intent of the encoding step. Rather, the intent of the encoding is to encode non-HTTP-compatible characters that may be in the user name or password into those that are HTTP-compatible.
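An added example (not from the original page) that builds and checks this credential in Python. The encoding reproduces the 'Aladdin' / 'open sesame' value above; the user store, the password hashing and the constant-time comparison are assumptions of the example and are not part of the Basic scheme. The example cannot fix what the scheme itself lacks: the header still carries the password in the clear, so it must only ever be sent over TLS.

```python
# Added example (not code from the original page): building and checking the
# Basic credential described above. The encoding follows RFC 2617; the user
# store, the PBKDF2 password hashing and the constant-time comparison are
# assumptions of this example. Basic carries the password in the clear, so in a
# real deployment the request must travel over TLS.
import base64
import hashlib
import hmac


def _hash(password, salt):
    """Constructed server-side password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed user store: user name -> (salt, hash). Never store the password.
USERS = {"Aladdin": (b"salt-1", _hash("open sesame", b"salt-1"))}


def encode_basic(username, password):
    """Build the Authorization header value for a user name and password."""
    if ":" in username:
        raise ValueError("user name may not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic(header_value):
    """Recover (username, password) from an Authorization header value.

    The password may itself contain ':', so split on the first colon only."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:      # binascii.Error is a ValueError
        raise ValueError("malformed Basic token") from exc
    username, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("credential lacks ':' separator")
    return username, password


def authenticate(header_value):
    """Return the user name if the header carries a valid credential, else None."""
    try:
        username, password = decode_basic(header_value)
    except ValueError:
        return None
    record = USERS.get(username)
    # Always run the hash so an unknown user costs the same time as a wrong password.
    salt, expected = record if record else (b"dummy", b"\0" * 32)
    if hmac.compare_digest(_hash(password, salt), expected) and record:
        return username
    return None
```

Splitting on the first colon only is what keeps a password such as 'pa:ss:word' intact; the dummy hash on an unknown user and the constant-time compare keep the server from leaking which of the two parts was wrong through timing.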
Basic access authentication was originally defined by RFC 1945 (Hypertext Transfer Protocol – HTTP/1.0), although further information regarding security issues may be found in RFC 2616 (Hypertext Transfer Protocol – HTTP/1.1) and RFC 2617 (HTTP Authentication: Basic and Digest Access Authentication), which specifies both Basic and Digest access authentication for HTTP/1.1.
One advantage of basic access authentication is that it is supported by all web browsers. It is rarely used on publicly accessible Internet web sites but may sometimes be used by small, private systems.
A later mechanism, digest access authentication, was developed in order to replace basic access authentication and enable credentials to be passed in a relatively secure manner over an otherwise insecure channel.
Programmers and system administrators sometimes use basic access authentication, in a trusted network environment, to manually test web servers using Telnet or other plain-text network tools. This is a cumbersome process, but the network traffic is human-readable for diagnostic purposes.
Although the scheme is easily implemented, it relies on the assumption that the connection between the client and server computers is secure and can be trusted. Specifically, if SSL/TLS is not used, then the credentials are passed as plaintext and could be intercepted.
Existing browsers retain authentication information until the tab or browser is closed or the user clears the history. HTTP does not provide a method for a server to direct clients to discard these cached credentials.
further extensions to HTTP, or use of existing alternative techniques such as retrieving the page over SSL/TLS with an unguessable string in the URL.
Content negotiation is a mechanism defined in the HTTP specification that makes it possible to serve different versions of a document (or more generally, a resource) at the same URI, so that user agents can specify which version fits their capabilities best. One classical use of this mechanism is to serve an image in GIF or PNG format, so that a browser that cannot display PNG images (e.g. MS Internet Explorer 4) will be served the GIF version.
To summarize how this works, when a user agent submits a request to a server, the user agent informs the server what media types it understands, with ratings of how well it understands them. More precisely, the user agent provides an Accept HTTP header that lists acceptable media types and associated quality factors.
The server is then able to supply the version of the resource that best fits the user agent's needs.
So, a resource may be available in several different representations. For example, it might be available in different languages or different media types, or a combination.
One way of selecting the most appropriate choice is to give the user an index page and let them select. However, it is often possible for the server to choose automatically. This works because browsers can send information as part of each request about the representations they prefer.
For example, a browser could indicate that it would like to see information in French, if possible, else English will do. Browsers indicate their preferences by headers in the request. To request only French representations, the browser would send
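The following Python is an added example (not from the original page) of parsing such preference headers and picking a representation from them. The available variants and the sample header values are constructed here; the q-value syntax and the rule that the most specific matching pattern governs a candidate follow the HTTP specification, and language matching uses the basic filtering of RFC 4647 (a request for 'fr' also accepts 'fr-CA'), which goes slightly beyond the French-or-English case in the text.

```python
# Added example (not code from the original page): parsing Accept-style
# preference headers and choosing a representation from them. The variants and
# header values used with it are constructed for this example; the q-value
# syntax follows the HTTP specification and language matching follows the
# basic filtering of RFC 4647.


def parse_accept(header):
    """Parse 'a/b;q=0.5, c/d' into [(value, q)] in header order.

    A missing q means 1.0; an unparsable q is treated as 0 (not acceptable)."""
    prefs = []
    for item in header.split(","):
        item = item.strip()
        if not item:
            continue
        value, *params = [p.strip() for p in item.split(";")]
        q = 1.0
        for p in params:
            name, _, raw = p.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = max(0.0, min(1.0, float(raw)))
                except ValueError:
                    q = 0.0
        prefs.append((value.lower(), q))
    return prefs


def _media_match(pattern, media_type):
    """Specificity of a media-range match: 0 none, 1 */*, 2 type/*, 3 exact."""
    if pattern == media_type:
        return 3
    ptype, _, psub = pattern.partition("/")
    mtype = media_type.partition("/")[0]
    if psub == "*" and ptype == mtype:
        return 2
    if pattern == "*/*":
        return 1
    return 0


def _lang_match(pattern, tag):
    """RFC 4647 basic filtering: 'en' matches 'en' and 'en-us'; '*' matches all."""
    if pattern == "*":
        return 1
    if tag == pattern or tag.startswith(pattern + "-"):
        return 2 + (tag == pattern)
    return 0


def choose(header, available, match):
    """Return the available value with the highest q, or None if none is
    acceptable. For each candidate the most specific matching pattern supplies
    its q; at equal q the server's own order decides."""
    prefs = parse_accept(header)
    best, best_q = None, 0.0
    for candidate in available:
        cand = candidate.lower()
        quality, spec = 0.0, 0
        for pattern, q in prefs:
            s = match(pattern, cand)
            if s > spec:
                spec, quality = s, q
        if quality > best_q:       # strict: ties keep the earlier candidate
            best, best_q = candidate, quality
    return best


def choose_media_type(accept, available):
    return choose(accept, available, _media_match)


def choose_language(accept_language, available):
    return choose(accept_language, available, _lang_match)
```

Note the q=0 case: "image/*, image/png;q=0" accepts every image type except PNG, because the exact pattern outranks the wildcard for that one candidate even though it appears later in the header.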
Representational State Transfer (REST) is a style of software architecture for distributed hypermedia systems such as the World Wide Web. The term Representational State Transfer was introduced and defined in 2000 by Roy Fielding in his doctoral dissertation. Fielding is one of the principal authors of the Hypertext Transfer Protocol (HTTP) specification versions 1.0 and 1.1.
Conforming to the REST constraints is referred to as being 'RESTful'.
REST's client-server separation of concerns simplifies component implementation, reduces the complexity of connector semantics, improves the effectiveness of performance tuning, and increases the scalability of pure server components.
Layered system constraints allow intermediaries (proxies, gateways, and firewalls) to be introduced at various points in the communication without changing the interfaces between components, thus allowing them to assist in communication translation or improve performance via large-scale, shared caching.
REST enables intermediate processing by constraining messages to be self-descriptive: interaction is stateless between requests, standard methods and media types are used to indicate semantics and exchange information, and responses explicitly indicate cacheability.
In computer networks, a proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource, available from a different server.
The proxy server evaluates the request according to its filtering rules. For example, it may filter traffic by IP address or protocol. If the request is validated by the filter, the proxy provides the resource by connecting to the relevant server and requesting the service on behalf of the client.
A proxy server may optionally alter the client's request or the server's response, and sometimes it may serve the request without contacting the specified server. In this case, it 'caches' responses from the remote server and answers subsequent requests for the same content directly.
Most proxies are web proxies, allowing access to content on the World Wide Web.
A proxy server has a large variety of potential purposes, including:
- To keep machines behind it anonymous (mainly for security).
- To speed up access to resources (using caching). Web proxies are commonly used to cache web pages from a web server.
- To apply access policy to network services or content, e.g. to block undesired sites.
- To log / audit usage, i.e. to provide company employee Internet usage reporting.
- To bypass security / parental controls.
- To scan transmitted content for malware before delivery.
- To scan outbound content, e.g. for data leak protection.
- To circumvent regional restrictions.
A proxy server that passes requests and replies unmodified is usually called a gateway or sometimes a tunneling proxy.
A proxy server can be placed on the user's local computer or at various points between the user and the destination servers on the Internet.
A reverse proxy is (usually) an Internet-facing proxy used as a front-end to control and protect access to a server on a private network, commonly also performing tasks such as load-balancing, authentication, decryption or caching.
Forward proxies are proxies where the client names the target server to connect to. Forward proxies are able to retrieve from a wide range of sources (in most cases anywhere on the Internet).
The terms "forward proxy" and "forwarding proxy" are a general description of behaviour (forwarding traffic) and thus ambiguous. Except for the reverse proxy, the types of proxies described in this article are more specialized sub-types of the general forward proxy concept.
An open proxy is a forward proxy server that is accessible by any Internet user. Gordon Lyon estimates there are "hundreds of thousands" of open proxies on the Internet. An anonymous open proxy allows users to conceal their IP address while browsing the Web or using other Internet services.
A reverse proxy is a proxy server that appears to clients to be an ordinary server. Requests are forwarded to one or more origin servers which handle the request. The response is returned as if it came directly from the proxy server.
Reverse proxies are installed in the neighborhood of one or more web servers. All traffic coming from the Internet with a destination of one of the web servers goes through the proxy server. The use of "reverse" originates in its counterpart "forward proxy", since the reverse proxy sits closer to the web server and serves only a restricted set of websites.
There are several reasons for installing reverse proxy servers:
- Encryption / SSL acceleration: when secure web sites are created, the TLS encryption is often not done by the web server itself, but by a reverse proxy that is equipped with TLS acceleration hardware. Furthermore, a host can provide a single "SSL proxy" to provide TLS encryption for an arbitrary number of hosts, removing the need for a separate server certificate for each host, with the downside that all hosts behind the proxy have to share a common DNS name or IP address for TLS connections. This problem can partly be overcome by using the SubjectAltName feature of X.509 certificates.
- Load balancing: the reverse proxy can distribute the load to several web servers, each web server serving its own application area. In such a case, the reverse proxy may need to rewrite the URLs in each web page (translation from externally known URLs to the internal locations).
- Serve/cache static content: a reverse proxy can offload the web servers by caching static content like pictures and other static graphical content.
- Compression: the proxy server can optimize and compress the content to speed up the load time.
- Spoon feeding: reduces resource usage caused by slow clients on the web servers by caching the content the web server sent and slowly "spoon feeding" it to the client. This especially benefits dynamically generated pages.
- Security: the proxy server is an additional layer of defense and can protect against some OS- and web-server-specific attacks. However, it does not provide any protection against attacks on the web application or service itself, which is generally considered the larger threat.
- Extranet publishing: a reverse proxy server facing the Internet can be used to communicate with a firewalled server internal to an organization, providing extranet access to some functions while keeping the servers behind the firewall. If used in this way, security measures should be considered to protect the rest of your infrastructure in case this server is compromised, as its web application is exposed to attack from the Internet.
A content-filtering web proxy server provides administrative control over the content that may be relayed through the proxy. It is commonly used in both commercial and non-commercial organizations (especially schools) to ensure that Internet usage conforms to an acceptable use policy.
In some cases users can circumvent the proxy, since there are services designed to proxy information from a filtered website through a non-filtered site so that it passes through the user's proxy.
A content-filtering proxy will often support user authentication to control web access. It also usually produces logs, either to give detailed information about the URLs accessed by specific users or to monitor bandwidth usage statistics. It may also communicate with daemon-based and/or ICAP-based antivirus software to provide security against viruses and other malware by scanning incoming content in real time before it enters the network.
Many workplaces, schools, and colleges restrict the web sites and online services that are made available in their buildings. This is done either with a specialized proxy, called a content filter (both commercial and free products are available), or by using a cache-extension protocol such as ICAP, which allows plug-in extensions to an open caching architecture.
Some common methods used for content filtering include URL or DNS blacklists, URL regex filtering, MIME filtering, and content keyword filtering. Some products have been known to employ content analysis techniques to look for traits commonly used by certain types of content providers.
Requests made to the open Internet must first pass through an outbound proxy filter. The web-filtering company provides a database of URL patterns (regular expressions) with associated content attributes. This database is updated weekly by site-wide subscription, much like a virus filter subscription.
The administrator instructs the web filter to ban broad classes of content (such as sports, pornography, online shopping, gambling, or social networking). Requests that match a banned URL pattern are rejected immediately.
Assuming the requested URL is acceptable, the content is then fetched by the proxy. At this point a dynamic filter may be applied on the return path. For example, JPEG files could be blocked based on flesh-tone matches, or language filters could dynamically detect unwanted language. If the content is rejected, an HTTP fetch error is returned and nothing is cached.
Most web-filtering companies use an Internet-wide crawling robot that assesses the likelihood that a page contains a certain type of content (e.g. "70% chance of porn, 40% chance of sports, and 30% chance of news" could be the outcome for one web page). The resulting database is then corrected by manual labor based on complaints or known flaws in the content-matching algorithms.
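The outbound filter stage described above, as an added example that is not code from the page or from any filtering product: a constructed pattern database with content categories, a URL normalizer (so that letter case, an explicit default port or a trailing dot on the host cannot dodge a pattern), and the administrator's category ban. The .test hostnames, category names and ban list are all constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the vendor's subscription database: each entry pairs a
# URL pattern (a regular expression matched against scheme://host[:port]/path)
# with the content categories assigned to it. Hostnames use the reserved .test TLD.
PATTERN_DB = [
    (re.compile(r"^https?://(www\.)?sports-example\.test(:\d+)?/"), {"sports"}),
    (re.compile(r"^https?://shop\.example\.test(:\d+)?/"), {"shopping"}),
    (re.compile(r"^https?://news\.example\.test(:\d+)?/"), {"news"}),
    (re.compile(r"^https?://social\.example\.test(:\d+)?/"), {"social"}),
    # A path-scoped entry: only the video section of the news site is "streaming".
    (re.compile(r"^https?://news\.example\.test(:\d+)?/video/"), {"streaming"}),
]

# Administrator policy: the broad classes of content to ban outright.
BANNED_CATEGORIES = {"sports", "shopping", "social"}


def normalize_url(url):
    """Canonicalize a URL before pattern matching.

    Matching the raw request string would let trivial variations (upper-case
    host, an explicit default port, a missing path, a trailing dot on the host)
    slip past a pattern. Returns scheme://host[:port]/path[?query] with a
    lower-case scheme and host and the default port removed.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")      # hostname is already lower-case
    default_port = 80 if scheme == "http" else 443
    if parts.port and parts.port != default_port:
        host = f"{host}:{parts.port}"
    rebuilt = f"{scheme}://{host}{parts.path or '/'}"
    if parts.query:
        rebuilt += "?" + parts.query
    return rebuilt


def categorize(url):
    """Union of the categories of every database pattern the URL matches."""
    normalized = normalize_url(url)
    categories = set()
    for pattern, pattern_categories in PATTERN_DB:
        if pattern.search(normalized):
            categories |= pattern_categories
    return categories


def filter_request(url):
    """Outbound filter decision for one request.

    Returns ("deny", banned) when any matched category is on the ban list,
    where banned is the set of offending categories; otherwise ("allow", cats)
    with every category the URL matched (empty for a site the database
    does not know, which this policy lets through).
    """
    categories = categorize(url)
    banned = categories & BANNED_CATEGORIES
    if banned:
        return "deny", banned
    return "allow", categories
```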
Web-filtering proxies are not able to peer inside HTTPS transactions, assuming the SSL/TLS chain of trust has not been tampered with. As a result, users wanting to bypass web filtering will typically search the Internet for an open and anonymous HTTPS transparent proxy. They will then configure their browser to proxy all requests through the web filter to this anonymous proxy. Those requests will be encrypted with HTTPS. The web filter cannot distinguish these transactions from, say, legitimate access to a financial website. Thus, content filters are only effective against unsophisticated users.
As mentioned above, the SSL/TLS chain of trust does rely on trusted root certificate authorities; in a workplace setting where the client is managed by the organization, trust might be granted to a root certificate whose private key is known to the proxy. Concretely, a root certificate generated by the proxy is installed into the browser's CA list by IT staff. In such scenarios, proxy analysis of the contents of an SSL/TLS transaction becomes possible. The proxy is effectively operating a man-in-the-middle attack, allowed by the client's trust of a root certificate the proxy owns.
A special case of web proxies is "CGI proxies". These are web sites that allow a user to access a site through them. They generally use PHP or CGI to implement the proxy functionality. These types of proxies are frequently used to gain access to web sites blocked by corporate or school proxies. Since they also hide the user's own IP address from the web sites they access through the proxy, they are sometimes also used to gain a degree of anonymity, called "Proxy Avoidance".
A caching proxy server accelerates service requests by retrieving content saved from a previous request made by the same client or even other clients. Caching proxies keep local copies of frequently requested resources, allowing large organizations to significantly reduce their upstream bandwidth usage and costs while significantly increasing performance. Most ISPs and large businesses have a caching proxy. Caching proxies were the first kind of proxy server.
Some poorly implemented caching proxies have had downsides (e.g., an inability to use user authentication). Some problems are described in RFC 3143 (Known HTTP Proxy/Caching Problems).
Another important use of the proxy server is to reduce hardware cost. An organization may have many systems on the same network or under the control of a single server, ruling out an individual connection to the Internet for each system. In such a case, the individual systems can be connected to one proxy server, and the proxy server connected to the main server.
Bypassing filters and censorship
If the destination server filters content based on the origin of the request, the use of a proxy can circumvent this filter. For example, a server using IP-based geolocation to restrict its service to a certain country can be accessed using a proxy located in that country. Likewise, a badly configured proxy can provide access to a network otherwise isolated from the Internet.
Logging and eavesdropping
Proxies can be installed in order to eavesdrop upon the data flow between client machines and the web. All content sent or accessed, including passwords submitted and cookies used, can be captured and analyzed by the proxy operator. For this reason, passwords to online services (such as webmail and banking) should always be exchanged over a cryptographically secured connection, such as SSL.
By chaining proxies which do not reveal data about the original requester, it is possible to obfuscate activities from the eyes of the user's destination. However, more traces will be left on the intermediate hops, which could be used or offered up to trace the user's activities. If the policies and administrators of these other proxies are unknown, the user may fall victim to a false sense of security just because those details are out of sight and mind.
In what is more of an inconvenience than a risk, proxy users may find themselves being blocked from certain web sites, as numerous forums and web sites block IP addresses from proxies known to have spammed or trolled the site. Proxy bouncing can be used to maintain your privacy.
Gateways to private networks
Proxy servers can perform a role similar to a network switch in linking two networks.
Accessing services anonymously
An anonymous proxy server (sometimes called a web proxy) generally attempts to anonymize web surfing. There are different varieties of anonymizers. The destination server (the server that ultimately satisfies the web request) receives requests from the anonymizing proxy server, and thus does not receive information about the end user's address. However, the requests are not anonymous to the anonymizing proxy server, and so a degree of trust is present between the proxy server and the user. Many of them are funded through a continued advertising link to the user.
Access control: some proxy servers implement a logon requirement. In large organizations, authorized users must log on to gain access to the web. The organization can thereby track usage to individuals.
Some anonymizing proxy servers may forward data packets with header lines such as HTTP_VIA, HTTP_X_FORWARDED_FOR, or HTTP_FORWARDED, which may reveal the IP address of the client. Other anonymizing proxy servers, known as elite or high-anonymity proxies, only include the REMOTE_ADDR header with the IP address of the proxy server, making it appear that the proxy server is the client. A website could still suspect a proxy is being used if the client sends packets which include a cookie from a previous visit that did not use the high-anonymity proxy server. Clearing cookies, and possibly the cache, would solve this problem.
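A server-side check of the header lines discussed above (HTTP_VIA, HTTP_X_FORWARDED_FOR and HTTP_FORWARDED are the CGI variable names of the Via, X-Forwarded-For and Forwarded request headers; REMOTE_ADDR is the TCP peer address). This is an added example, not code from the page; the header values and the addresses in the test are constructed from documentation ranges, and the three-way classification is the example's own.

```python
import ipaddress
import re

# Request headers that intermediaries commonly add. A CGI application sees
# them as HTTP_VIA, HTTP_X_FORWARDED_FOR and HTTP_FORWARDED; REMOTE_ADDR is
# the peer address of the TCP connection, not a header.
REVEALING_HEADERS = ("x-forwarded-for", "forwarded", "x-real-ip", "via")


def _first_ip(candidates):
    """Return the first syntactically valid IP address in a list of
    forwarded-for tokens, tolerating RFC 7239 quoting, bracketed IPv6 and
    ports; tokens such as "unknown" or obfuscated identifiers are skipped."""
    for token in candidates:
        token = token.strip().strip('"')
        bracketed = re.match(r"^\[(.*)\](?::\d+)?$", token)
        if bracketed:
            token = bracketed.group(1)
        elif token.count(":") == 1:          # IPv4 with port, e.g. 192.0.2.1:4711
            token = token.split(":")[0]
        try:
            return str(ipaddress.ip_address(token))
        except ValueError:
            continue
    return None


def classify_proxy(headers, remote_addr):
    """Classify what the server can learn about the real client.

    headers: dict of request header name -> value (names case-insensitive)
    remote_addr: the connection's peer address (REMOTE_ADDR)

    Returns a dict with:
      level: "direct_or_elite" - none of the revealing headers is present; a
                                 high-anonymity proxy is indistinguishable from
                                 a direct client at this layer
             "transparent"     - headers disclose an address for the client
             "anonymous"       - proxy headers present but no client address
      client_ip: best available client address (falls back to remote_addr)
      headers: which revealing headers were seen
    Header values are supplied by the peer and are trivially forgeable, so a
    disclosed client_ip is evidence, not proof, and must not drive access
    decisions unless remote_addr is a proxy you operate yourself.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    seen = [name for name in REVEALING_HEADERS if name in lower]
    if not seen:
        return {"level": "direct_or_elite", "client_ip": remote_addr, "headers": []}

    candidates = []
    if "x-forwarded-for" in lower:
        # Leftmost entry is the originating client; later ones are proxies.
        candidates += lower["x-forwarded-for"].split(",")
    if "x-real-ip" in lower:
        candidates.append(lower["x-real-ip"])
    if "forwarded" in lower:
        # RFC 7239: Forwarded: for=192.0.2.60;proto=http, for="[2001:db8::1]:4711"
        candidates += re.findall(r"for=([^;,]+)", lower["forwarded"], flags=re.I)

    client_ip = _first_ip(candidates)
    if client_ip:
        return {"level": "transparent", "client_ip": client_ip, "headers": seen}
    return {"level": "anonymous", "client_ip": remote_addr, "headers": seen}
```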
A proxy that focuses on World Wide Web traffic is called a "web proxy". The most common use of a web proxy is to serve as a web cache. Most proxy programs provide a means to deny access to URLs specified in a blacklist, thus providing content filtering. This is often used in corporate, educational, or library environments, and anywhere else where content filtering is desired. Some web proxies reformat web pages for a specific purpose or audience, such as for cell phones and PDAs.
A suffix proxy server allows a user to access web content by appending the name of the proxy server to the URL of the requested content (e.g. "en.wikipedia.org.example.com"). Suffix proxy servers are easier to use than regular proxy servers.
An intercepting proxy (also forced proxy or transparent proxy) combines a proxy server with a gateway or router (commonly with NAT capabilities). Connections made by client browsers through the gateway are diverted to the proxy without client-side configuration (or often knowledge). Connections may also be diverted from a SOCKS server or other circuit-level proxies.
RFC 2616 (Hypertext Transfer Protocol—HTTP/1.1) offers standard definitions:
"A 'transparent proxy' is a proxy that does not modify the request or response beyond what is required for proxy authentication and identification."
"A 'non-transparent proxy' is a proxy that modifies the request or response in order to provide some added service to the user agent, such as group annotation services, media type transformation, protocol reduction, or anonymity filtering."
A security flaw in the way that transparent proxies operate was published by Robert Auger in 2009, and an advisory by the Computer Emergency Response Team was issued listing dozens of affected transparent and intercepting proxy servers.
Intercepting proxies are commonly used in businesses to prevent avoidance of acceptable use policy, and to ease administrative burden, since no client browser configuration is required. This second reason, however, is mitigated by features such as Active Directory group policy, or DHCP and automatic proxy detection.
Intercepting proxies are also commonly used by ISPs in some countries to save upstream bandwidth and improve customer response times by caching. This is more common in countries where bandwidth is more limited (e.g. island nations) or must be paid for.
The diversion or interception of a TCP connection creates several issues. Firstly, the original destination IP and port must somehow be communicated to the proxy. This is not always possible (e.g. where the gateway and proxy reside on different hosts).
There is a class of cross-site attacks which depend on certain behaviour of intercepting proxies that do not check, or have no access to, information about the original (intercepted) destination. This problem can be resolved by using an integrated packet-level and application-level appliance or software which is then able to communicate this information between the packet handler and the proxy.
Intercepting also creates problems for HTTP authentication, especially connection-oriented authentication such as NTLM, since the client browser believes it is talking to a server rather than a proxy. This can cause problems where an intercepting proxy requires authentication and the user then connects to a site which also requires authentication.
Finally, intercepting connections can cause problems for HTTP caches, since some requests and responses become uncacheable. Therefore intercepting connections is generally discouraged. However, due to the simplicity of deploying such systems, they are in widespread use.
Interception can be performed using Cisco's WCCP (Web Cache Control Protocol). This proprietary protocol resides on the router and is configured from the cache, allowing the cache to determine what ports and traffic are sent to it via transparent redirection from the router. This redirection can occur in one of two ways: GRE tunneling (OSI Layer 3) or MAC rewrites (OSI Layer 2).
Once traffic reaches the proxy machine itself, interception is commonly performed with NAT (Network Address Translation). Such setups are invisible to the client browser, but leave the proxy visible to the web server and other devices on the Internet side of the proxy.
Recent releases of Linux and some BSDs provide TPROXY (Transparent Proxy), which performs IP-level (OSI Layer 3) transparent interception and spoofing of outbound traffic, hiding the proxy IP address from other network devices.
There are several methods that can often be used to detect the presence of an intercepting proxy server:
- By comparing the client's external IP address to the address seen by an external web server, or sometimes by examining the HTTP headers received by a server. A number of sites have been created to address this issue, by reporting the user's IP address as seen by the site back to the user in a web page.
- By comparing the sequence of network hops reported by a tool such as traceroute for a proxied protocol such as HTTP (port 80) with that for a non-proxied protocol such as SMTP (port 25).
- By attempting to make a connection to an IP address at which there is known to be no server. The proxy will accept the connection and then attempt to proxy it on. When the proxy finds no server to accept the connection, it may return an error message or simply close the connection to the client. This difference in behaviour is simple to detect. For example, most web browsers will generate a browser-created error page in the case where they cannot connect to an HTTP server, but will return a different error in the case where the connection is accepted and then closed.
Tor onion proxy software
The Tor anonymity network ('Tor' for short) is a system aiming at online anonymity. Tor is an implementation of onion routing. It works by relaying communications through a network of systems run by volunteers in various locations. By keeping some of the network entry points hidden, Tor is also able to evade Internet censorship. Tor is intended to protect users' personal freedom, privacy, and ability to conduct confidential business.
Users of a Tor network run onion proxy software on their computer. The Tor software periodically negotiates a virtual circuit through the Tor network. At the same time, the onion proxy software presents a SOCKS interface to its clients or users. SOCKS-ifying applications like Polipo may be linked with the Tor onion proxy software, which then multiplexes the traffic through a Tor virtual circuit. The software is open-source and the network is free of charge to use. Vidalia is a cross-platform controller GUI for Tor.
The I2P anonymous network ('I2P') is a proxy network aiming at online anonymity. It implements garlic routing, which is an enhancement of Tor's onion routing. I2P is fully distributed and works by encrypting all communications in various layers and relaying them through a network of routers run by volunteers in various locations. By keeping the source of the information hidden, I2P offers censorship resistance. The goals of I2P are to protect users' personal freedom, privacy, and ability to conduct confidential business.
Each user of I2P runs an I2P router on their computer (node). The I2P router takes care of finding other peers and building anonymizing tunnels through them. I2P provides proxies for all protocols (HTTP, IRC, SOCKS, ...). The software is free and open-source, and the network is free of charge to use.
The captive portal technique forces an HTTP client on a network to see a special web page (usually for authentication purposes) before using the Internet normally. A captive portal turns a web browser into an authentication device. This is done by intercepting all packets, regardless of address or port, until the user opens a browser and tries to access the Internet. At that time the browser is redirected to a web page which may require authentication and/or payment, or simply display an acceptable use policy and require the user to agree.
Captive portals are used at most Wi-Fi hotspots, and they can be used to control wired access (e.g. apartment houses, hotel rooms, business centers, "open" Ethernet jacks) as well.
Since the login page itself must be presented to the client, either that login page is locally stored in the gateway, or the web server hosting that page must be "whitelisted" via a walled garden to bypass the authentication process. Depending on the feature set of the gateway, multiple web servers can be whitelisted (say for iframes or links within the login page). In addition to whitelisting the URLs of web hosts, some gateways can whitelist TCP ports. The MAC address of attached clients can also be set to bypass the login process.
There is more than one way to implement a captive portal.
Redirection by HTTP
If an unauthenticated client requests a website, DNS is queried by the browser and the appropriate IP is resolved as usual. The browser then sends an HTTP request to that IP address. This request, however, is intercepted by a firewall and forwarded to a redirect server. This redirect server responds with a regular HTTP response containing HTTP status code 302 to redirect the client to the captive portal. To the client, this process is totally transparent. The client assumes that the website actually responded to the initial request and sent the redirect.
Client traffic can also be redirected using IP redirect at layer 3. This has the disadvantage that content served to the client does not match the URL.
Redirection by DNS
When a client requests a website, DNS is queried by the browser. The firewall will make sure that only the DNS server(s) provided by DHCP can be used by unauthenticated clients (or, alternatively, it will forward all DNS requests by unauthenticated clients to that DNS server). This DNS server will return the IP address of the captive portal page as the result of all DNS lookups.
The DNS poisoning technique used here, when the answers are not given a TTL of 0, may negatively affect post-authentication Internet use when the client machine references non-authentic data in its local resolver cache.
Some naive implementations don't block outgoing DNS requests from clients, and therefore are very easy to bypass; a user simply needs to configure their computer to use another, public, DNS server. Implementing a firewall or ACL that ensures no inside clients can use an outside DNS server is critical.
WinGate is an integrated gateway management system for Microsoft Windows, providing firewall and NAT services, along with a number of integrated proxy servers and email services (SMTP, POP3 and IMAP servers).
In the mid to late 1990s, WinGate was almost ubiquitous in homes and small businesses that needed to share a single Internet connection between multiple networked computers. The introduction of Internet Connection Sharing in Windows 98, however, combined with the increasing availability of cheap NAT-enabled routers, forced WinGate to evolve to provide more than just Internet connection sharing features. Today, the focus for WinGate users is primarily access control, reporting, bandwidth management and content filtering.
WinGate comes in three versions: Standard, Professional and Enterprise. The Enterprise edition also provides an easily configured virtual private network system, which is also available separately as WinGate VPN. Licensing is tiered by the number of concurrently connected users, and available in a range of sizes to suit any budget or network size.
From version 6.5, WinGate runs on Microsoft Windows from Windows 2000 to Windows 7, both 32- and 64-bit. Prior versions are still available for earlier OSes back to Microsoft Windows 95. At its core, WinGate provides all three levels of Internet access: a stateful packet-level firewall with NAT, several circuit-level proxies (SOCKS 4/5, and a proprietary Winsock redirector), and multiple proxy servers. This provides a comprehensive access framework, and allows the maximum level of access control.
WinGate's policy framework allows the creation of specific access rules, based on user account details, request details, location of user, authentication level and time of day. The policy framework is based on a user database and user authentication. WinGate allows use of either WinGate's built-in user database, the Windows user database, or the user database of an NT domain or Active Directory. Authentication can use integrated Windows usernames and passwords (NTLM) and other authentication schemes. WinGate can also be used without authentication, or can assume user identity based on IP address or computer name.
WinGate can also authenticate individual users on a Terminal Server, and maintain separate user contexts to provide user-level control, and for applications that do not support authentication by using the WinGate Client software.
WinGate provides a fully customizable, self-configuring DHCP server to assist with network configuration. It also supports multi-interface and multiple-topology deployment including multiple DMZs.
WinGate provides an integrated email server (POP3 server and retrieval client, SMTP server, and IMAP4 server) with message routing features and per-email restrictions. This can be used to provide company email services, or to provide protection and additional security (encryption and authentication) for an existing email system.
The WWW Proxy provides a transparent proxy for ease of administration, plus a shared proxy cache for improved surfing performance. It can also be used to secure access to internal web servers with either browser-based authentication or a Java-based applet.
Proxy services in WinGate support SSL/TLS connections, dynamic network binding (automatic response to network events such as addition or removal of network interfaces), and gateway pre-selection (to direct service for a particular application out of a specific Internet connection). Packet-level bandwidth management is also provided to allow control of bandwidth associated with certain users or applications, and can be configured on a per-time-of-day basis.
Also available for WinGate are optional components that provide antivirus scanning for email, web and FTP, and content filtering for web traffic.
Versions of WinGate prior to 2.1d (1997) shipped with an insecure default configuration that, if not secured by the network administrator, allowed untrusted third parties to proxy network traffic through the WinGate server. This made open WinGate servers common targets of crackers looking for anonymous redirectors through which to attack other systems. While WinGate was by no means the only exploited proxy server, its wide popularity amongst users with little experience administering networks made it almost synonymous with open SOCKS proxies in the late 1990s.
Furthermore, since a restricted (2-user) version of the product was freely available without registration, contacting all WinGate users to notify them of security issues was impossible, and therefore even long after the security problems were resolved there were still many insecure installations in use.
Sobig worm and WinGate 5
Some versions of the Sobig worm installed a pirated copy of WinGate 5 in a deliberately insecure configuration to be used by spammers. These installations used non-standard ports for SOCKS and WinGate remote control and so in general did not interfere with other software running on the infected host computer. This resulted in some antivirus software incorrectly identifying WinGate as malware and removing it.
WinGate 7 - the next generation
Since early 2006 Qbik has been developing the successor to WinGate 6. Initially labelled WinGate 2007, a technical preview was eventually made available in June 2007, slated for release in early 2008. At this time the new policy system was introduced, based around a flow-chart decision tree which provided complete user control over policy structure. Soon after this the product was re-labelled WinGate 2008.
The year 2008 came and went without a WinGate release, as did 2009. Qbik, however, was still in full development of WinGate 7, as it is now called, and in fact moved their own company gateway to the product in December 2009.
Since March 2010 betas of WinGate 7 have been available to people registered in the WinGate 7 beta program. A built-in updater service keeps these beta users up to date, and updates have been released on a nearly weekly basis.
In September 2010 Qbik officially launched a YouTube channel with a number of videos showing WinGate 7 in operation. Finally it could be seen in a concrete form. The following month Qbik opened up its WinGate 7 beta forum to the general public and invited all interested to participate in the beta program.
With such a long development cycle it was inevitable that parallels were drawn with other projects that suffered extended delays. Qbik insists that development on WinGate 7 is still the highest priority, and that delays are caused by restructuring and new feature development. A full public beta is expected by the end of March 2011.
A metadata removal tool or metadata scrubber is a type of privacy software built to protect the privacy of its users by removing potentially privacy-compromising metadata from files before they are shared with others (e.g. by sending them as e-mail attachments or by posting them on the Web).
Metadata can be found in many types of files such as documents, spreadsheets, presentations, images, and audio files. It can include information such as details on the file authors, file creation and modification dates, document revision history, and comments.
Since metadata is sometimes not clearly visible in authoring applications (depending on the application and its settings), there is a risk that the user will be unaware of its existence or will forget about it and, if the file is shared, private or confidential information will inadvertently be exposed. The purpose of metadata removal tools is to minimize the risk of such data leakage.
The metadata removal tools that exist today can be divided into four groups:
- Integral metadata removal tools, which are included in some applications, like the Document Inspector in Microsoft Office 2007.
- Batch metadata removal tools, which can process multiple files.
- E-mail client add-ins, which are designed to remove metadata from e-mail attachments just before they are sent.
- Server-based systems, which are designed to automatically remove metadata at the network gateway.
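What a batch or gateway scrubber does to an Office document, as an added example that is not code from the page or from any of the products it names: a minimal .docx (an Office Open XML zip container) is constructed in memory with author, last-modified-by, revision and date fields in docProps/core.xml, and the scrubber rewrites only that part, leaving every other member untouched. The sample document, its property values and the list of properties treated as sensitive are all constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used in docProps/core.xml of an Office Open XML package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)   # keep the original prefixes on output
_PREFIX_OF = {uri: prefix for prefix, uri in NS.items()}

# Core properties that identify people or reveal the document's history
# (constructed list for this example; a real tool is configurable).
SENSITIVE_PROPERTIES = ("dc:creator", "cp:lastModifiedBy", "cp:revision",
                        "dcterms:created", "dcterms:modified", "dc:description")

# Constructed sample core.xml with the kind of data a real document carries.
SAMPLE_CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:title>Quarterly plan</dc:title>
<dc:creator>Jane Example</dc:creator>
<cp:lastModifiedBy>jexample</cp:lastModifiedBy>
<cp:revision>14</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2011-02-01T09:00:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2011-03-05T17:21:00Z</dcterms:modified>
</cp:coreProperties>"""


def build_sample_docx():
    """Assemble a minimal, constructed .docx (a zip container) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")    # stand-in for the real part
        z.writestr("docProps/core.xml", SAMPLE_CORE_XML)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def read_core_properties(docx_bytes):
    """Return the core properties as {'prefix:name': text} for inspection."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    props = {}
    for child in root:
        uri, local = child.tag[1:].split("}")        # tag has the form '{uri}local'
        props[f"{_PREFIX_OF.get(uri, uri)}:{local}"] = child.text or ""
    return props


def scrub_docx(docx_bytes, properties=SENSITIVE_PROPERTIES):
    """Return a copy of the package with the selected core properties removed.

    Only docProps/core.xml is rewritten; every other zip member is copied
    unchanged. The element is removed rather than blanked so that no empty,
    typed date field is left behind. Comments, tracked changes and embedded
    images carry metadata in other parts of the package and are not handled here.
    """
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for qualified in properties:
                    prefix, local = qualified.split(":")
                    for element in root.findall(f"{{{NS[prefix]}}}{local}"):
                        root.remove(element)
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item.filename, data)
    src.close()
    return out.getvalue()
```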
HTTP tunneling is a technique by which communications performed using various network protocols are encapsulated using the HTTP protocol, the network protocols in question usually belonging to the TCP/IP family of protocols. The HTTP protocol therefore acts as a wrapper for a covert channel that the tunneled network protocol uses to communicate. The HTTP stream with its covert channel is termed an HTTP tunnel.
HTTP tunnel software consists of client-server HTTP tunneling applications that integrate with existing application software, permitting them to be used in conditions of restricted network connectivity including firewalled networks, networks behind proxy servers, and NATs.
An HTTP tunnel is used most often as a means of communication from network locations with restricted connectivity, most often behind NATs, firewalls, or proxy servers, and most often with applications that lack native support for communication in such conditions of restricted connectivity. Restricted connectivity in the form of blocked TCP/IP ports, blocking traffic initiated from outside the network, or blocking all network protocols except a few is a commonly used method to lock down a network to secure it against internal and external threats.
The application that wishes to communicate with a remote host opens an HTTP connection to a mediator server, which acts as a relay of communications to and from the remote host. The application then communicates with the mediator server using HTTP requests, encapsulating the actual communications within those requests. The mediator server is required to be in a network location with sufficiently unrestricted connectivity.
The mediator server unwraps the actual data before forwarding it to the remote host in question. Symmetrically, when it receives data from the remote host, it wraps it in the HTTP protocol before sending it as part of an HTTP response to the application. In this situation, the application plays the role of a tunneling client, while the remote host plays the role of the server being communicated with.
HTTP CONNECT Tunneling
A variation of HTTP tunneling when behind an HTTP proxy server is to use the "CONNECT" HTTP method. In this mechanism, the client asks an HTTP proxy server to forward the TCP connection to the desired destination using the "CONNECT" HTTP method. The server then proceeds to make the connection on behalf of the client. Once the connection has been established by the server, the proxy server continues to proxy the TCP stream to and from the client. Note that only the initial connection request is HTTP; after that, the server simply proxies the established TCP connection.
This mechanism is how a client behind an HTTP proxy can access websites using SSL (i.e. HTTPS). Not all HTTP proxy servers support this feature, and even those that do may limit the behaviour (for example only allowing connections to the default HTTPS port 443, or blocking traffic which doesn't appear to be SSL).
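The two proxy-side limits mentioned in the last sentence, as an added example that is not code from the page or from any proxy product: strict parsing of the CONNECT request line (authority form only), a port allow-list restricted to 443, and a check that the first bytes the client sends through the established tunnel look like a TLS ClientHello. The port policy, the example hostnames and the constructed byte strings in the test are assumptions of the example.

```python
import re

# Policy of a hypothetical proxy: CONNECT may only target the default HTTPS port.
ALLOWED_CONNECT_PORTS = {443}

# authority-form target: host:port, where host is a DNS name, an IPv4 literal or
# a bracketed IPv6 literal. No scheme, no path, port mandatory.
_AUTHORITY = re.compile(r"^(?:\[([0-9A-Fa-f:.]+)\]|([^\s:/\[\]]+)):(\d{1,5})$")


def parse_connect(request_line):
    """Parse a 'CONNECT host:port HTTP/1.x' request line into (host, port).

    Raises ValueError on anything else. A proxy that accepts a looser form
    (an absolute URL, a missing port) ends up tunneling to destinations the
    administrator never intended.
    """
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/1."):
        raise ValueError("malformed CONNECT request line")
    match = _AUTHORITY.match(parts[1])
    if not match:
        raise ValueError("target must be in authority form host:port")
    host = match.group(1) or match.group(2)
    port = int(match.group(3))
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return host, port


def connect_decision(request_line, allowed_ports=ALLOWED_CONNECT_PORTS):
    """Admission check performed before the proxy opens the upstream TCP connection.

    Returns ("allow", host, port) or ("deny", reason, None).
    """
    try:
        host, port = parse_connect(request_line)
    except ValueError as exc:
        return "deny", str(exc), None
    if port not in allowed_ports:
        return "deny", f"CONNECT to port {port} is not permitted", None
    return "allow", host, port


def looks_like_tls_client_hello(first_bytes):
    """Check the first bytes the client sends through an established tunnel.

    Proxies that 'block traffic which doesn't appear to be SSL' apply a test
    like this: a TLS record starts with content type 0x16 (handshake), a
    0x03,0x0N record version and a two-byte length, and the first handshake
    message is type 0x01 (ClientHello). Plain HTTP, SSH and other protocols
    fail the test; so does a client that sends fewer than six bytes.
    """
    if len(first_bytes) < 6:
        return False
    return (first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04
            and first_bytes[5] == 0x01)
```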
HTTP Tunneling without using CONNECT
In some networks the CONNECT method is permitted only to a small set of trusted sites. In that case an HTTP tunnel can be built using only ordinary HTTP methods such as POST, GET, PUT and DELETE. This is similar to the approach used in Bidirectional-streams Over Synchronous HTTP (BOSH).
In one proof-of-concept implementation, a server runs outside the protected network and behaves as a normal HTTP server. A client program inside the protected network starts up and listens for incoming connections on a local port.
When a new connection arrives on that local port, the client program talks to the HTTP server through the HTTP proxy or firewall and requests a connection to a predefined destination. All traffic is then encapsulated inside ordinary GET and PUT requests.
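One way to build the GET/POST tunnel just described, as an added example that is not the proof-of-concept program the text refers to: the mediator is an ordinary HTTP server, the client pushes raw TCP bytes to it in POST bodies and polls for the remote host's replies with GET. The session id and the /open, /send and /recv paths are this example's own convention, and the echo service stands in for the remote host; everything binds to 127.0.0.1 so it runs offline.

```python
"""HTTP tunnel built from plain GET and POST requests, with no CONNECT.

Added example, not the proof-of-concept program the text refers to: the
mediator is an ordinary HTTP server, and the client wraps raw TCP bytes in
POST bodies and polls for replies with GET. The session id and the /open,
/send and /recv paths are this example's own convention.
"""
import http.client
import secrets
import socket
import socketserver
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

SESSIONS = {}  # session id -> mediator's socket to the real remote host


class Mediator(BaseHTTPRequestHandler):  # unwraps POST bodies into TCP writes, wraps reads into GET replies
    protocol_version = "HTTP/1.1"  # keep-alive, so every reply carries Content-Length

    def _reply(self, code, body=b""):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        op, _, sid = self.path.strip("/").partition("/")
        if op == "open":  # body is "host:port"; the reply is a fresh session id
            host, _, port = body.decode("ascii", "replace").rpartition(":")
            sock = socket.create_connection((host, int(port)), timeout=5)
            sock.settimeout(0.2)  # bounds the wait when the client polls
            sid = secrets.token_hex(8)
            SESSIONS[sid] = sock
            return self._reply(200, sid.encode("ascii"))
        sock = SESSIONS.get(sid)
        if op == "send" and sock is not None:  # body is raw tunnel bytes, forwarded untouched
            sock.sendall(body)
            return self._reply(200)
        self._reply(404)

    def do_GET(self):  # GET /recv/<sid>: hand back whatever the remote host sent so far
        op, _, sid = self.path.strip("/").partition("/")
        sock = SESSIONS.get(sid) if op == "recv" else None
        if sock is None:
            return self._reply(404)
        try:
            self._reply(200, sock.recv(65536))
        except socket.timeout:
            self._reply(200, b"")  # nothing yet; the client polls again


def tunnel_call(link, method, path, body=None):
    """Client side: one request on a keep-alive connection to the mediator."""
    link.request(method, path, body=body)
    resp = link.getresponse()
    data = resp.read()  # drain so the connection can be reused
    if resp.status != 200:
        raise ConnectionError(f"mediator returned {resp.status} for {path}")
    return data


class Echo(socketserver.BaseRequestHandler):  # stands in for the remote host
    def handle(self):
        while data := self.request.recv(4096):
            self.request.sendall(data)


def demo():
    """Push a payload through the tunnel to the echo service and return what comes back."""
    echo = socketserver.ThreadingTCPServer(("127.0.0.1", 0), Echo)
    mediator = ThreadingHTTPServer(("127.0.0.1", 0), Mediator)
    for srv in (echo, mediator):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    payload = b"SSH-2.0-anything; the firewall sees only an HTTP POST body\r\n"
    link = http.client.HTTPConnection("127.0.0.1", mediator.server_address[1], timeout=5)
    try:
        sid = tunnel_call(link, "POST", "/open", b"127.0.0.1:%d" % echo.server_address[1]).decode("ascii")
        tunnel_call(link, "POST", f"/send/{sid}", payload)
        echoed = b""
        for _ in range(25):  # poll until the whole echo has come back
            echoed += tunnel_call(link, "GET", f"/recv/{sid}")
            if len(echoed) >= len(payload):
                break
        return echoed
    finally:
        link.close()
        for sock in SESSIONS.values():  # teardown; a real tunnel would add a /close request
            sock.close()
        SESSIONS.clear()
        for srv in (echo, mediator):
            srv.shutdown()
            srv.server_close()
```

From the proxy's point of view every request here is an ordinary POST or GET to one host, which is exactly why a CONNECT allow-list does nothing against it; the cost is that the client has to poll, and each poll is a full HTTP round trip.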
HTTP Tunnel Clients
There are several free or open-source and commercial HTTP tunneling clients that allow even applications without native tunneling support to communicate from locations with restricted connectivity.
The free or open-source clients are usually packaged as a pair of applications: one performs the role of the mediator server, the other the role of the tunneling client. This requires the user to have access to a server of their own on which to run the mediator software.
Commercial HTTP tunneling clients are provided by companies that run their own farms of mediator servers. They charge for the service, with tiers that depend on the bandwidth provided.
A notorious use is by students and employees bypassing the internet filters placed on school or work networks. Rather than using the local network to fetch web content directly, the tunnel uses it only to reach another, unrestricted computer.
That computer then fetches the web content over its own internet connection and sends it back to the person tunneling. It is similar in spirit to remote desktop, except that only the remote computer's unrestricted internet connection is used.
I2P (originally from the pseudo-mathematical notation I²P, short for Invisible Internet Project, although it is not commonly referred to by that name anymore) is a mixed-license free and open-source project building an anonymous network (or, more accurately, a pseudonymous overlay network).
The network is a simple layer that applications can use to send messages to each other anonymously and securely. Possible uses include anonymous browsing, chatting, blogging and file transfer.
The application itself is called an I2P router, and a computer running I2P is called an I2P node; the nodes, too, are often referred to as routers.
I2P is beta software. Its developers emphasize that there are likely to be bugs and that the code has had insufficient peer review to date. They nevertheless consider it reasonably stable and well developed, and believe wider exposure will help its development.
The network itself is strictly message-based (like IP), but a library is available that provides reliable streaming communication on top of it (similar to TCP; since version 0.6 there is also a new UDP-based transport, SSU).
All communication is end-to-end encrypted (four layers of encryption are applied when sending a message), and even the end points ("destinations") are cryptographic identifiers (essentially a pair of public keys), so that neither sender nor recipient needs to reveal its IP address to the other side or to third-party observers.
Although many of the developers had been part of the IIP and Freenet communities, there are significant differences between the designs and concepts. IIP was an anonymous centralized IRC server; Freenet is a censorship-resistant distributed data store.
I2P is an anonymous peer-to-peer distributed communication layer designed to run any traditional internet service (e.g. Usenet, e-mail, IRC, file sharing, web hosting and HTTP, Telnet) as well as more traditional distributed applications (e.g. a distributed data store, a web proxy network using Squid, and DNS).
Many I2P developers are known only by pseudonyms. While the previous lead developer, jrandom, is currently on hiatus, others such as zzz and Complication have continued to lead development, assisted by numerous contributors.
I2P software tools
Since I2P is an anonymous network layer, it is designed so that other software can use it for anonymous communication, and a variety of tools are available for I2P or in development. The I2P router is controlled through the router console, a web front end accessed with a browser.
I2PTunnel is an application embedded in I2P that allows arbitrary TCP/IP applications to communicate over I2P by setting up "tunnels", which are reached by connecting to predetermined ports on localhost.
SAM is a protocol that allows a client application written in any language to communicate over I2P through a socket-based interface to the I2P router.
Several programs provide BitTorrent functionality within the I2P network.
Each relies on the user being able to reach the I2P network with a web browser to download the .torrent files. Users cannot connect to non-I2P torrents or peers from within I2P, nor to I2P torrents or peers from outside it.
I2PSnark, included in the I2P install package, is a port of the BitTorrent client Snark.
Vuze, formerly known as Azureus, is a BitTorrent client with a plugin for I2P that allows anonymous swarming over the network.
The plugin is still at an early stage of development, but it is already fairly stable.
I2P-BT is a BitTorrent client for I2P that allows anonymous swarming for file sharing. It is a modified version of the original BitTorrent 3.4.2 program and runs on Windows and most dialects of Unix, with both a GUI and a command-line interface.
It was developed by the individual known as 'duck' on I2P in cooperation with 'smeghead'. It is no longer actively developed, although there is a small effort to bring I2P-BT up to par with the BitTorrent 4.0 release.
I2PRufus is an I2P port of the Rufus BitTorrent client.
Robert is the most actively maintained I2PRufus fork.
There is also I2P-Transmission.
iMule (invisible Mule) is a port of the all-platform aMule client to the I2P network, made for anonymous file sharing.
In contrast to other eDonkey clients, iMule uses only the Kademlia protocol to connect through the I2P network, so no servers are needed.
I2Phex is a port of the popular Gnutella client Phex to I2P. It is stable and fairly functional.
I2P has a free pseudonymous e-mail service run by an individual called 'Postman'. The mail servers are pop.mail.i2p (POP3) and smtp.mail.i2p (SMTP).
Susimail was created to address the privacy problems of using these servers directly from a traditional mail client, such as leaking the user's hostname to the SMTP server. Susimail is a web-based e-mail client intended primarily for Postman's mail servers and designed with security and anonymity in mind.
It is included in the default I2P distribution and is reached through the router console web interface. (It is used only to read and send e-mail, not to create or manage a mail.i2p account; the latter is done at hq.postman.i2p.)
I2P-Bote is an end-to-end encrypted, network-internal, fully decentralized (serverless) e-mail system. It supports multiple identities and does not expose e-mail headers. It is still alpha software and can only be used through its web interface, but POP3 support is planned.
All Bote mail is automatically end-to-end encrypted and optionally signed, and thus authenticated, so there is no need to set up separate e-mail encryption (though you can).
I2P-Bote offers additional anonymity through an optional high-latency transport.
Because it is decentralized, there is no e-mail server that could link different e-mail identities as communicating with each other (profiling). Even the nodes relaying the mail do not know the sender, and apart from sender and receiver, only the last hop of the high-latency mail route and the storing nodes learn which anonymous identity (never the real-world identity) the mail is destined for. The original sender can have gone offline long before the mail becomes available on the receiving side. This adds to the degree of anonymity that I2P alone provides.
For those who do not want long delays, all of these settings are user-adjustable, so each user decides how much anonymity they want.
There is also a simple Qt-based, serverless, end-to-end-encrypted instant messenger for I2P.
No server can log your conversations, and no ISP can log whom you chat with, when, or for how long. It supports file transfer. Being serverless, it can use I2P's end-to-end encryption directly, so there is not a single node between you and your contacts that could read the plaintext.
It can be used for fully anonymous instant communication with people you do not know, or to communicate securely and untraceably with friends, family or colleagues, without any (governmental) observer being able to see whom you connect to and when. This also makes it a useful tool against data retention in a surveillance society.
There are I2P-internal IRC servers reachable anonymously by pointing an IRC client at 127.0.0.1 port 6668 (or your I2P node's IP address and the port configured for the IRC proxy tunnel). In XChat that is entered as 127.0.0.1/6668. For help, join #i2p-help (irc://127.0.0.1:6668/#i2p-help).
Syndie is a blogging application for I2P that is also usable through the Tor network; it is currently at an alpha release.
I2P users will see the following terms on the I2P home page and in the router console.
Eepsites are websites hosted anonymously within the I2P network. Eepsite names end in .i2p, for example ugha.i2p or forum.i2p. EepProxy locates these sites through the cryptographic identifier keys stored in the hosts.txt file in the I2P program directory.
Typically, I2P itself is required to reach an eepsite.
EepProxy handles all communication between the browser and any eepsite. It functions as a proxy server that any web browser can use.
.i2p is a pseudo-top-level domain that is valid only within the I2P overlay network. Browsers resolve .i2p names by submitting requests to EepProxy, which resolves each name to an I2P peer key and handles the data transfer over the I2P network, transparently to the browser.
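The name resolution EepProxy performs from hosts.txt, as an added example that is not I2P's own code. It goes one step beyond the text: besides the hosts.txt lookup it derives the self-authenticating b32 form of a destination (SHA-256 of the decoded destination, base32-encoded, plus ".b32.i2p"), which I2P uses for names that are not in hosts.txt. The hosts.txt content and the two destinations are constructed for the example (only their length and trailing null certificate follow the real layout), and the classification tags returned by resolve() are this example's own; the modified base64 alphabet and the 387-byte minimum destination length are I2P's.

```python
"""Resolving .i2p names from hosts.txt, the way EepProxy does.

Added example, not I2P's own code. The destinations and the hosts.txt content
below are constructed for the example; the base64 alphabet and the minimum
destination length are I2P's, the tags returned by resolve() are this example's.
"""
import base64
import hashlib

# I2P's base64 differs from RFC 4648 only in its last two symbols.
_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_I2P = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-~"
_TO_STD = bytes.maketrans(_I2P, _STD)
_TO_I2P = bytes.maketrans(_STD, _I2P)
_B32 = set("abcdefghijklmnopqrstuvwxyz234567")
MIN_DEST_LEN = 387  # 256-byte ElGamal key + 128-byte DSA key + 3-byte null certificate


def i2p_b64decode(text):
    return base64.b64decode(text.encode("ascii").translate(_TO_STD), validate=True)


def i2p_b64encode(raw):
    return base64.b64encode(raw).translate(_TO_I2P).decode("ascii")


def b32_address(dest):
    """Self-authenticating name: anyone holding the destination can verify it."""
    digest = hashlib.sha256(dest).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").lower() + ".b32.i2p"


def parse_hosts(text):
    """hosts.txt: one 'name.i2p=<destination>' per line, '#' starts a comment."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, dest = line.partition("=")
        name = name.strip().lower()
        if not sep or not name.endswith(".i2p"):
            raise ValueError(f"hosts.txt line {lineno}: malformed entry")
        try:
            raw = i2p_b64decode(dest.strip())
        except ValueError:
            raise ValueError(f"hosts.txt line {lineno}: destination is not I2P base64") from None
        if len(raw) < MIN_DEST_LEN:
            raise ValueError(f"hosts.txt line {lineno}: destination too short ({len(raw)} bytes)")
        table[name] = raw
    return table


def resolve(host, table):
    """Classify a browser's Host as EepProxy would before routing it.

    Returns ("hosts", destination bytes) for a hosts.txt hit, ("b32", name) for a
    well-formed self-authenticating name, ("unknown", name) for an unresolvable
    .i2p name, and ("clearnet", name) for anything outside the .i2p scope."""
    host = host.strip().lower().rstrip(".")
    if not host.endswith(".i2p"):
        return ("clearnet", host)
    if host.endswith(".b32.i2p"):
        label = host[: -len(".b32.i2p")]
        if len(label) == 52 and set(label) <= _B32:  # 32-byte hash -> 52 base32 chars
            return ("b32", host)
        return ("unknown", host)
    if host in table:
        return ("hosts", table[host])
    return ("unknown", host)


# Constructed destinations: the key material is filler; only the length and the
# trailing null certificate (type 0, length 0) follow the real destination layout.
DEST_FORUM = bytes(range(256)) + bytes(range(128)) + b"\x00\x00\x00"
DEST_UGHA = b"\x42" * 384 + b"\x00\x00\x00"
SAMPLE_HOSTS = "\n".join([
    "# constructed hosts.txt for this example",
    "forum.i2p=" + i2p_b64encode(DEST_FORUM),
    "ugha.i2p=" + i2p_b64encode(DEST_UGHA),
])
```

The check that matters for security is the one a browser cannot do on its own: a hosts.txt entry is only a convenience mapping, whereas the b32 form is bound to the destination's key material, so a tampered hosts.txt can redirect forum.i2p but cannot forge a b32 name for the same destination.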
Peers (I2P nodes) are other machines running I2P that are connected to yours within the network. Each machine in the network shares in routing and forwarding encrypted packets.
Tunnels are the paths that carry this traffic. Every ten minutes, a new connection is established between your machine and another peer; data to and from your machine, along with data for other users, passes through these tunnels and is forwarded until it eventually reaches its final destination.