There would be no web without HTTP and no internet without TCP and IP.
If the web itself was the killer app that drove billions of people to access the internet starting in the 1990s, it was largely due to the open standard networking protocols that make it work. Using a web browser to retrieve information from a web server may seem like a simple process, but it requires a full stack of network protocols operating at different network abstraction layers to deliver web content.
Simply put, HTTP -- the Hypertext Transfer Protocol -- is the set of rules defining how a web browser and web server communicate by exchanging requests and responses to those requests. HTTP operates at the application layer of the TCP/IP networking model, meaning it defines the exchange of requests and replies to enable an end user to access data and services from a server. There is no choice to be made when considering TCP/IP vs. HTTP -- both are necessary for the web to work.
Where HTTP refers to a single protocol, TCP/IP names two protocols: the Transmission Control Protocol and the Internet Protocol. However, the acronym is often used to refer to the entire suite of internetworking protocols that use or depend on TCP and IP to operate, including application protocols, such as Telnet/Secure Socket Shell (SSH), File Transfer Protocol and HTTP. While the acronym is often used to refer to just TCP and IP, it can also refer to all the protocols that support or supplement TCP/IP, including IPsec and IPv6.
What are the differences and similarities of TCP/IP vs. HTTP?
When comparing TCP/IP vs. HTTP, the most important similarities are that they are networking protocols that are defined and documented by the Internet Engineering Task Force (IETF) for use on the global public internet. In the case of HTTP, the specification is coordinated by the IETF and the World Wide Web Consortium.
The primary differences of TCP/IP vs. HTTP relate to the abstraction layers at which they operate. An abstraction layer is a method used to obscure the operation of subsystems; in networking, the different network layers serve as abstraction layers to better implement communication between entities at each layer.
HTTP operates at the application layer of the TCP/IP networking model, and it implements communication between a client and a server. HTTP messages are, ultimately, delivered through TCP/IP connections. But the lower layers are obscured, and HTTP itself defines how commands and responses are formatted and delivered. An HTTP exchange might consist of a request from a browser to view content on a particular URL and a response from the server containing the data on the requested webpage.
How does TCP/IP work with HTTP?
The application layer is the highest layer in the TCP/IP model; TCP operates at the transport layer, which enables communication between processes. HTTP depends on TCP to format and deliver the HTTP commands and responses in a form that the web server, which is running as a program on some computer, can understand and a form that the web browser, also running as a program, can use as output to the application layer.
And while TCP mediates communication between processes running on hosts, it is IP itself that makes it possible for transport layer data to be transmitted across the internet for delivery of data between the client and server. IP operates at the network layer, and it defines how network traffic of all types can be exchanged between hosts located anywhere on the global internet.
While HTTP specifies how a browser and a client interact, all application layer protocols depend on protocols at the transport layer, and all transport layer protocols depend on IP. For HTTP, that means protocol messages are incorporated in TCP segments, which, in turn, are encapsulated or wrapped up into IP packets. Other applications may have the option to use either TCP or UDP, the User Datagram Protocol.
Why is TCP used with HTTP?
Internet applications use protocols at every layer of the TCP/IP network model, with protocols at each layer encapsulating the data related to the protocols used in the layer above. All internet applications need to use a transport layer protocol. Interactive internet applications that require guaranteed, in-order delivery of data -- like browsing the web or doing terminal emulation or remote desktop access -- use TCP. Other applications that can operate with simple request/reply interactions -- like DNS -- can use the simpler UDP.
HTTP protocol messages are encapsulated in TCP segments for transmission to the process running the client or server programs; TCP segments are encapsulated in IP packets for delivery by routers across network boundaries to the host running those programs. And IP packets are encapsulated in protocol data units appropriate to the data link or physical layer protocols -- like Ethernet or Wi-Fi -- being used to physically connect the client or server to the network.
The table below shows how some key internet applications use the protocol stack.
Many applications work best using network circuits -- ongoing connections in which transmission is reliable and system state is maintained for the connections -- and get that by using TCP at the transport layer. Circuits enable processes to exchange requests and responses, to manage network transmission performance and to maintain system state, all of which are important for applications to work.
TCP provides a way for processes to communicate through circuits with a reliable protocol, meaning all transmissions must be acknowledged to the sender by the receiving host. This provides confidence that protocol transmissions have been received and processed by the recipient.
A segment is the fundamental protocol data unit used by TCP, and each TCP segment is numbered so that, even when traffic is not delivered in the order in which it was sent, recipients are still able to reproduce the original order of inbound traffic.
While many applications depend on TCP for reliability and responsiveness to transient network performance changes, not all applications require that. Applications that don't need reliability and delivery guarantees generally use UDP at the transport layer. Other protocols provide different solutions for the transport layer, including the Stream Control Transmission Protocol (SCTP), but most network traffic still depends on TCP and UDP.
How do HTTP and HTTPS differ?
The earliest versions of HTTP were developed around 1989 through 1991, when Sir Tim Berners-Lee created them to support exchange of data through the nascent World Wide Web. As with most early internet protocols, HTTP security issues were not addressed in the original application protocol.
However, commercial uses of the internet and web gained traction during the 1990s, and the Netscape Communications Corporation introduced a transport layer protocol called Secure Sockets Layer (SSL) to provide encryption and authentication of web content between clients and servers. SSL was transformative for the early web, as it enabled companies to encrypt credit card transactions and made web commerce possible.
SSL was a proprietary protocol owned by Netscape, but it provided the foundation for the Transport Layer Security (TLS) protocol, the most commonly used internet security protocol. TLS enables hosts to encrypt and decrypt network traffic, providing protection against eavesdroppers and man-in-the-middle attackers.
The HTTP Secure (HTTPS) protocol defines the use of HTTP with TLS to provide encryption of all application layer protocol messages. HTTPS uses the same application layer protocol messages as HTTP, but in addition to using TCP and IP protocols, it also depends on the TLS protocol.
What are the protocol abstraction layers of the TCP/IP and OSI models?
The earliest networks generally used proprietary protocols to enable computers and software to communicate and were generally limited to local networks where all systems were connected over a physical wire. However, applications were also usually limited to sharing resources like disk storage or network printers.
In the 1970s and 1980s, researchers determined that interoperable networking systems and applications would be best achieved by separating network interactions into different abstraction layers. This enabled developers writing applications like terminal emulation to focus on the application itself -- the exchange of requests and responses -- and leave the details of how those requests and responses were delivered to lower layer protocols.
The protocols being developed through the IETF used a pragmatic approach, which broke down network protocols into four layers. In contrast, the OSI network model, crafted roughly in parallel with the TCP/IP model from the IETF, took a more academic approach and defined seven abstraction layers. In practice and in light of nearly 50 years of experience with TCP/IP, four layers seem to be sufficient.
Under the four-layer TCP/IP model, an application layer protocol defines how application requests and application responses are formatted. For example, HTTP defines the GET command, which requests a server to return the information stored at a Uniform Resource Identifier -- a URL is a type of URI. HTTP defines how the server responds to such requests, including a response code and the contents of the URI, if it is available.
But application layer protocol requests and responses must be encapsulated or wrapped up into the protocol data units of lower layer protocols to enable delivery across the global internet. The application protocol messages are encapsulated in a TCP segment, which includes headers that indicate where the message came from and where it is being directed.
TCP segments, in turn, are encapsulated into IP packets, which include headers that point to the host from which the message came, as well as the host to which the message should be routed. And IP packets receive a similar treatment, being encapsulated into physical layer protocol data units every time they move from one physical network to another.
Dig Deeper on Network protocols and standards
Related Q&A from Peter Loshin
Attackers expect incident response strategies and have a plan for when they encounter them. Find out how to take IR to the next level against ... Continue Reading
Internet email was designed independent of security considerations, but these are the top email security protocols that add mechanisms to keep ... Continue Reading
Password spraying isn't a sophisticated attack, but don't discount the attackers if you detect one. Find out how this brute-force technique works and... Continue Reading