
Notes:
Now that we understand how SSL works, where does it fit into the overall scheme of things, and in particular, how does it relate to HTTP to give us secure web transactions?
SSL itself is a protocol which fits between TCP/IP and the “application” protocol, such as HTTP. It is thus possible to use it with other applications, such as news (NNTP) and mail (SMTP). The only thing needed is for both ends to run SSL so that they can talk to each other. This is exactly the same as saying that both ends must be talking over TCP/IP; it is possible to talk HTTP over IPX, or any other protocol, but if one end is talking over IPX whilst the other is talking over IP, the two will not be able to communicate.
To differentiate HTTP over SSL from plain HTTP, a different port (443) is used. Other application protocols also use ports different from their well-known ports when run over SSL. To tell the browser to send to the different port, we use a different protocol specifier (called the scheme) in the URL, that is, https instead of http. At the application level the protocol is identical, but this helps to prevent accidents such as sending credit card details in clear text to the normal port 80.
Part of any HTTP transaction is the specification of the document to be retrieved (the URL). Since the entire HTTP conversation takes place over SSL, even the URL is encrypted as it crosses the network. This is an important feature in some secure environments, where knowledge of the very existence of a resource is passed on only on a need-to-know basis.
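The layering described in these notes, as an added Python sketch that is not part of the original notes: the scheme picks the port and decides whether an SSL/TLS layer is inserted, while the HTTP request bytes stay the same. The function names `plan` and `fetch` and the host `shop.example` are assumptions made for illustration.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Scheme -> (default port, insert SSL/TLS layer?), as described in the notes.
SCHEMES = {"http": (80, False), "https": (443, True)}


def plan(url):
    """Return (host, port, use_tls, request_bytes) for a URL (hypothetical helper)."""
    parts = urlsplit(url)
    if parts.scheme not in SCHEMES:
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    default_port, use_tls = SCHEMES[parts.scheme]
    port = parts.port or default_port
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    host = parts.hostname
    host_header = host if port == default_port else "%s:%d" % (host, port)
    # The application-level request does not depend on the scheme.
    request = ("GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"
               % (target, host_header)).encode("ascii")
    return host, port, use_tls, request


def fetch(url, timeout=10):
    """Send the request over TCP, adding the SSL/TLS layer only for https."""
    host, port, use_tls, request = plan(url)
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        # Handshake and certificate check complete here, before any HTTP byte
        # (including the request line that carries the URL path) is written.
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)
```

Only the bytes written after the handshake are encrypted: the destination address and port stay visible on the network, and so does the server name passed as `server_hostname`, which is sent in the TLS ClientHello.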