The HyperText Transfer Protocol (HTTP) is one of the foundations upon which the World Wide Web is built. HTTP itself has only rudimentary provisions for securing web communications. To amend this situation a working group of the Internet Engineering Task Force (IETF) is currently working to design Secure HTTP (S-HTTP), a protocol that aims to bring security mechanisms to HTTP servers and clients.
S-HTTP is designed to be flexible and to be able to make use of a wide variety of cryptographic algorithms and working modes. Exactly what protection (integrity, signing, confidentiality) is used for a connection is determined by an automated negotiation processes that takes its input from user preferences and what capabilities are present in the client and server.
The basic working mode of S-HTTP is to encapsulate an ordinary HTTP message within an S-HTTP message. An S-HTTP message consists of a number of S-HTTP specific headers that state which security enhancements have been applied to the message. This information is necessary for the recipient to successfully retrieve the original HTTP message. The HTTP message itself is signed and/or encrypted as required. A client that receives an S-HTTP message first reverses any encryption and performs a check of message signatures. If successful, the encapsulated HTTP message is extracted and passed to the browser.
S-HTTP is not restricted to transfer HTTP messages; any message type might be encapsulated.