The HTTP crash course nobody asked for

  • > HTTP/1.1 is a delightfully simple protocol, if you ignore most of it.

    As someone who had to write a couple of proxy servers, I can't express how sadly accurate it is.

  • “By contrast, I think about Bluetooth a lot. I wish I didn't.”

    LOL, yes same here. Can’t wait for Bluetooth's b̶a̶l̶l̶s̶ baggage to be chopped.

  • The humorous style is very refreshing, if only my networking lecturers had been more witty I might remember more of this

  • > This is not the same as HTTP pipelining, which I will not discuss, out of spite.

    That is because HTTP pipelining was and is a mistake and is responsible for a ton of HTTP request smuggling vulnerabilities because the HTTP/1.1 protocol has no framing.

    No browser supports it anymore, thankfully.

  • > We're not done with our request payload yet! We sent:

    > Host: neverssl.com

    > This is actually a requirement for HTTP/1.1, and was one of its big selling points compared to, uh...

    > AhAH! Drew yourself into a corner didn't you.

    > ...Gopher? I guess?

    I feel like the author must know this.. HTTP/1.0 supported but didn't require the Host header and thus HTTP/1.1 allowed consistent name-based virtual hosting on web servers.

    I did appreciate the simple nature of the early protocols, although it is hard to argue against the many improvements in newer protocols. It was so easy to use nc to test SMTP and HTTP in particular.

    I did enjoy the article's notes on the protocols; however, the huge sections of code snippets lost my attention midway.

  • That was an excellent, well-written, well-thought out, well presented, interesting, humorous, enjoyable read. Coincidentally I recently did a Rust crash course so it all made perfect sense - I am not an IT pro. Anyhows, thanks.

  • I learned HTTP1 pretty well but not much of 2.

    Since playing with QUIC, I've lost all interest in learning HTTP/2, it feels like something already outdated that we're collectively going to skip over soon.

  • Amos' writing style is just so incredibly good. I don't know anyone else doing these very long-form, conversational style articles.

    Plus, you know, just an awesome dev who knows his stuff. Huge fan.

  • If you're using OpenBSD nc already, just use nc -c for TLS.

  • What a great overall site. Hopping down the links I found the section on files with code examples in JS, Rust and C, plus strace, really the best short explanation I've ever found online.

    https://fasterthanli.me/series/reading-files-the-hard-way/pa...

  • This is awesome, didn't read all of it yet, but I will for sure, I use HTTP way too much and too often to ignore some of these underlying concepts, and when I try to look it up, there's always way too much abstraction and the claims aren't proven to me with a simple example, and this article is full of simple examples. Thanks Amos!

  • I hope there's a h2 or TLS crash course.

  • > Where every line ends with \r\n, also known as CRLF, for Carriage Return + Line Feed, that's right, HTTP is based on teletypes, which are just remote typewriters

    Does it need to be pointed out that this is complete bullshit?

  • Is HTTP always the same protocol as HTTPS - given the same version - and ignoring the encryption from TLS?

    Theoretically yes, but in practice?

    I've done my share of nc testing even simpler protocols than HTTP/1.1

    For some reason the migration to HTTPS scared me despite the security assurances. I could not see anything useful in Wireshark anymore. I now had to trust one more layer of abstraction.

  • As far as I can tell the Host header is pointless, because if it's SSL/TLS you won't be able to read it and route it. That's what SNI is for. If you aren't TLS then you don't need it, unless you hit the server as an IP. But then why would you do that?

  • I didn't ask but I needed it.

  • Also, never trust the content length. It's been that way since before HTTP was finalized. Use it as guidance, but don't treat it as canonical.
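
Added example (not part of any comment here and not code from the article): a defender-side check for the ambiguous body framing that the pipelining and Content-Length comments above refer to. It assumes the buffer holds exactly one request; the function name `framing_issues` is hypothetical.

```python
# Added example: flag HTTP/1.1 requests whose body framing is ambiguous.
# Assumption: `raw` holds exactly one request as received from the socket.

def framing_issues(raw: bytes) -> list[str]:
    """Return the reasons a server or proxy should reject this request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["header block is not terminated by CRLF CRLF"]
    issues, lengths, has_te = [], set(), False
    for line in head.split(b"\r\n")[1:]:      # [0] is the request line
        if b"\r" in line or b"\n" in line:
            issues.append("bare CR or LF inside a header line")
        name, colon, value = line.partition(b":")
        if not colon:
            issues.append("header line without a colon")
            continue
        if name != name.strip():
            issues.append("whitespace around a header name")
        key = name.strip().lower()
        value = value.strip(b" \t")
        if key == b"content-length":
            # Only ASCII digits are valid; "+5", "0x10" and "" are not.
            if value.isdigit():
                lengths.add(int(value))
            else:
                issues.append("Content-Length is not a decimal number")
        elif key == b"transfer-encoding":
            has_te = True
    if len(lengths) > 1:
        issues.append("conflicting Content-Length values")
    if has_te and lengths:
        issues.append("both Transfer-Encoding and Content-Length present")
    if not has_te and len(lengths) == 1 and len(body) > next(iter(lengths)):
        issues.append("bytes remain after the declared body")
    return issues
```

An empty list means the framing is unambiguous; anything else is a reason to answer 400 and close the connection rather than guess where the body ends.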

  • When doing HTTP by hand, it's better to do HTTP/1.0 because that tells the server you (and it) can't do anything exciting.

  • Yay! this is going to be a great read for the weekend!

  • More articles should be written in the style of this article. Thank you for this.

  •     GET / HTTP/1.0\r\n\r\n 
    
    Still works with many websites.

  • Is there a way to get this guide without the annoying side-commentary?

  • Funny and very helpful. Thank you.

  • For a crash course would the code examples have been better in something like Python rather than Rust?

  • This is gold.
