S-HTTP (Secure HTTP) is a process that protects HTTP transactions. It is based on an improvement to the HTTP protocol made in 1994 by EIT (Enterprise Integration Technologies). It makes it possible to establish a secure connection for e-commerce transactions by encrypting messages, guaranteeing customers that their bank card numbers and other personal information will remain confidential. One implementation of S-HTTP was developed by the company Terisa Systems to provide secure connections on web servers and browsers.
Unlike SSL, which works at the transport layer, S-HTTP provides message-based security within the HTTP protocol, by individually marking HTML documents with certificates. Whereas SSL is independent of the application used and encrypts all of the communication, S-HTTP is closely tied to the HTTP protocol and encrypts each message individually.
S-HTTP messages are based on three components:
As such, to decrypt an S-HTTP message, the recipient analyzes the message's headers to determine which method was used to encrypt it. Then, based on the recipient's current and past cryptographic preferences and on the sender's past cryptographic preferences, the recipient is able to decrypt the message.
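The header inspection described above, sketched in Python as an added example that is not part of the original article. The start line and the Content-Type and Content-Privacy-Domain header names follow RFC 2660; the sample message, the ACCEPTED_DOMAINS preference set and the function names are constructed for illustration.

```python
# Constructed S-HTTP request: an ordinary HTTP message wrapped in an
# S-HTTP envelope (header names per RFC 2660, body is a placeholder).
SAMPLE = (
    b"Secure * Secure-HTTP/1.4\r\n"
    b"Content-Type: message/http\r\n"
    b"Content-Privacy-Domain: CMS\r\n"
    b"\r\n"
    b"<opaque CMS-encapsulated HTTP request would go here>"
)

# Constructed recipient preference: encapsulation formats it will accept.
ACCEPTED_DOMAINS = {"CMS"}


class SHTTPError(ValueError):
    """Raised when a message cannot be safely handed to a decryptor."""


def parse_shttp(raw: bytes):
    """Split an S-HTTP message into (start_line, headers, encapsulated_body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise SHTTPError("no blank line between headers and body")
    lines = head.decode("ascii").split("\r\n")
    start, headers = lines[0], {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise SHTTPError(f"malformed header line: {line!r}")
        key = name.strip().lower()
        if key in headers:  # defensive choice of this example: no ambiguity
            raise SHTTPError(f"duplicate header: {name}")
        headers[key] = value.strip()
    return start, headers, body


def select_decapsulation(raw: bytes, accepted=ACCEPTED_DOMAINS):
    """Read the headers, then check the declared method against preferences."""
    start, headers, body = parse_shttp(raw)
    if "Secure-HTTP/" not in start:
        raise SHTTPError("not an S-HTTP message")
    domain = headers.get("content-privacy-domain")
    if domain is None:
        raise SHTTPError("missing Content-Privacy-Domain")
    if domain.upper() not in accepted:
        raise SHTTPError(f"privacy domain {domain} not accepted by recipient")
    return domain.upper(), headers.get("content-type"), body
```

Because the protection is declared per message rather than per connection, each message goes through this check on its own.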
When SSL and S-HTTP were competitors, many people realized that the two security protocols were complementary, given that they do not work at the same level. SSL guarantees a secure internet connection whereas S-HTTP guarantees secure HTTP exchanges.
As a result, Terisa Systems, a company specialized in network protection and made up of RSA Data Security and EIT, produced a development kit that lets developers build Web servers implementing SSL and S-HTTP (SecureWeb Server Toolkit), as well as Web clients using these protocols (SecureWeb Client Toolkit).