Web Application Development

Tutorial No: - 1
AIM: - Study of various Protocols:
(1) HTTP (2) SMTP, IMAP, POP3 (3) TELNET (4) FTP with commands
I. HTTP
The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed,
collaborative, hypermedia information systems. HTTP is the foundation of data communication
for the World Wide Web. Hypertext is structured text that uses logical links (hyperlinks) between
nodes containing text. HTTP is the protocol to exchange or transfer hypertext.
HTTP functions as a request-response protocol in the client-server computing model. A web
browser, for example, may be the client and an application running on a computer hosting a web
site may be the server. The client submits an HTTP request message to the server. The server
which provides resources such as HTML files and other content or performs other functions on
behalf of the client returns a response message to the client. The response contains completion
status information about the request and may also contain requested content in its message body.
HTTP is an application layer protocol designed within the framework of the Internet Protocol
Suite. Its definition presumes an underlying and reliable transport layer protocol, and
Transmission Control Protocol (TCP) is commonly used. However HTTP can use unreliable
protocols such as the User Datagram Protocol (UDP), for example in Simple Service Discovery
Protocol (SSDP). HTTP resources are identified and located on the network by Uniform
Resource Identifiers (URIs) or, more specifically, Uniform Resource Locators (URLs), using
the http or https URI schemes. URIs and hyperlinks in Hypertext Markup Language (HTML)
documents form webs of inter-linked hypertext documents.
HTTP Session
An HTTP session is a sequence of network request-response transactions. An HTTP client
initiates a request by establishing a Transmission Control Protocol (TCP) connection to a
particular port on a server (typically port 80). An HTTP server listening on that port waits for a
client's request message. Upon receiving the request, the server sends back a status line, such as
"HTTP/1.1 200 OK", and a message of its own. The body of this message is typically the
requested resource, although an error message or other information may also be returned.
Request methods
HTTP defines methods (sometimes referred to as verbs) to indicate the desired action to be
performed on the identified resource. The HTTP/1.0 specification defined the GET, POST and
HEAD methods and the HTTP/1.1 specification added 5 new methods: OPTIONS, PUT,
DELETE, TRACE and CONNECT. HTTP servers are required to implement at least GET and
HEAD methods and, whenever possible, also the OPTIONS method. Some methods (for
example, HEAD, GET, OPTIONS and TRACE) are defined as safe, which means they are
intended only for information retrieval and should not change the state of the server.
II. SMTP

Simple Mail Transfer Protocol (SMTP) is an Internet standard for electronic mail (e-mail)
transmission across Internet Protocol (IP) networks. It is an Application Layer protocol in the
OSI reference model. While electronic mail servers and other mail transfer agents use SMTP to
send and receive mail messages, user-level client mail applications typically use SMTP only for
sending messages to a mail server for relaying. For receiving messages, client applications
usually use either the Post Office Protocol (POP) or the Internet Message Access Protocol
(IMAP) or a proprietary system (such as Microsoft Exchange or Lotus Notes/Domino) to access
their mail box accounts on a mail server.
Model
Email is submitted by a mail client (MUA, mail user agent) to a mail server (MSA, mail
submission agent) using SMTP on TCP port 587. Most mailbox providers still allow submission
on traditional port 25. From there, the MSA delivers the mail to its mail transfer agent (MTA).
The boundary MTA has to locate the target host. It uses the Domain Name
System (DNS) to look up the mail exchanger record (MX record) for the recipient's domain (the
part of the email address on the right of @). The returned MX record contains the name of the
target host. The MTA next connects to the exchange server as an SMTP client. Once the MX
target accepts the incoming message, it hands it to a mail delivery agent (MDA) for local mail
delivery. An MDA is able to save messages in the relevant mailbox format. Mail is retrieved by
end-user applications, called email clients, using Internet Message Access Protocol (IMAP), a
protocol that both facilitates access to mail and manages stored mail, or the Post Office Protocol
(POP) which typically uses the traditional mbox mail file format or a proprietary system such as
Microsoft Exchange/Outlook or Lotus Notes/Domino. Webmail clients may use either method,
but the retrieval protocol is often not a formal standard.

SMTP vs. mail retrieval


SMTP is a delivery protocol only. In normal use, mail is "pushed" to a destination mail server (or
next-hop mail server) as it arrives. Mail is routed based on the destination server, not the
individual user(s) to which it is addressed. Other protocols, such as the Post Office Protocol
(POP) and the Internet Message Access Protocol (IMAP) are specifically designed for use by
individual users retrieving messages and managing mail boxes. To permit an intermittently-connected
mail server to pull messages from a remote server on demand, SMTP has a feature to
initiate mail queue processing on a remote server (see Remote Message Queue Starting below).
POP and IMAP are unsuitable protocols for relaying mail by intermittently-connected machines;
they are designed to operate after final delivery, when information critical to the correct
operation of mail relay (the "mail envelope") has been removed.

III. POP

Post Office Protocol (POP) is an application-layer Internet standard protocol used by local
e-mail clients to retrieve e-mail from a remote server over a TCP/IP connection. POP and IMAP
(Internet Message Access Protocol) are the two most prevalent Internet standard protocols for e-mail
retrieval. Virtually all modern e-mail clients and servers support both. POP has been
developed through several versions, with version 3 (POP3) being the current standard. Most
webmail service providers such as Google Mail, Microsoft Mail and Yahoo! Mail provide both
an IMAP and POP3 service.
POP supports simple download-and-delete requirements for access to remote mailboxes.
Although most POP clients have an option to leave mail on server after download, e-mail clients
using POP generally connect, retrieve all messages, store them on the user's PC as new
messages, delete them from the server, and then disconnect. Other protocols, notably IMAP
(Internet Message Access Protocol), provide more complete and complex remote access to typical
mailbox operations. Many e-mail clients support POP as well as IMAP to retrieve messages;
however, fewer Internet Service Providers (ISPs) support IMAP. A POP3 server listens on
well-known port 110.
Comparison with IMAP
Clients that leave mail on servers generally use the UIDL command to get the current association
of message numbers to messages, each identified by its unique identifier. The unique identifier is
arbitrary, and might be repeated if the mailbox contains identical messages. In contrast, IMAP
uses a 32-bit unique identifier (UID) that is assigned to messages in ascending (although not
necessarily consecutive) order as they are received. When retrieving new messages, an IMAP
client requests the UIDs greater than the highest UID among all previously retrieved messages,
whereas a POP client must fetch the entire UIDL map. For large mailboxes, this can require
significant processing. MIME serves as the standard for attachments and non-ASCII text in e-mail.
Although neither POP3 nor SMTP requires MIME-formatted e-mail, essentially all non-ASCII
Internet e-mail comes MIME-formatted, so POP clients must also understand and use
MIME. IMAP, by design, assumes MIME-formatted e-mail.

IV. TELNET

Telnet is a network protocol used on the Internet or local area networks to provide a
bidirectional interactive text-oriented communication facility using a virtual terminal connection.
User data is interspersed in-band with Telnet control information in an 8-bit byte-oriented data
connection over the Transmission Control Protocol (TCP).
Telnet provided access to a command-line interface (usually, of an operating system) on a remote
host. Most network equipment and operating systems with a TCP/IP stack support a Telnet
service for remote configuration.
Telnet is a client-server protocol, based on a reliable connection-oriented transport. Typically,
this protocol is used to establish a connection to Transmission Control Protocol (TCP) port
number 23, where a Telnet server application is listening. Telnet, however, predates TCP/IP and
was originally run over Network Control Program (NCP) protocols.
Security concern
Telnet, by default, does not encrypt any data sent over the connection (including passwords), and
so it is often practical to eavesdrop on the communications and use the password later for
malicious purposes; anybody who has access to a router, switch, hub or gateway located on the
network between the two hosts where Telnet is being used can intercept the packets passing by
and obtain login, password and whatever else is typed with a packet analyzer.
Most implementations of Telnet have no authentication that would ensure communication is
carried out between the two desired hosts and not intercepted in the middle.
Several vulnerabilities have been discovered over the years in commonly used Telnet daemons.
These security-related shortcomings have seen the usage of the Telnet protocol drop rapidly,
especially on the public Internet, in favor of the Secure Shell (SSH) protocol, first released in
1995. SSH provides much of the functionality of telnet, with the addition of strong encryption to
prevent sensitive data such as passwords from being intercepted, and public key authentication,
to ensure that the remote computer is actually who it claims to be. As has happened with other
early Internet protocols, extensions to the Telnet protocol provide Transport Layer Security
(TLS) security and Simple Authentication and Security Layer (SASL) authentication that address
the above issues. However, most Telnet implementations do not support these extensions; and
there has been relatively little interest in implementing these as SSH is adequate for most
purposes.
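
The in-band framing and the lack of encryption described above can both be seen by parsing a Telnet byte stream. This is an added example, not part of the original tutorial; the command byte values come from the Telnet specification (RFC 854), while the function name and the constructed sample stream are assumptions for illustration.

```python
# Telnet command bytes (RFC 854). Control information travels in-band,
# introduced by the IAC ("interpret as command") byte 0xFF.
IAC, SB, SE = 255, 250, 240
NEGOTIATION = {251: "WILL", 252: "WONT", 253: "DO", 254: "DONT"}

# Constructed client-to-server capture: terminal-type negotiation (option 24)
# followed by what the user typed at the login and password prompts.
CONSTRUCTED_CLIENT_STREAM = (
    bytes([IAC, 251, 24])
    + bytes([IAC, SB, 24, 0]) + b"xterm" + bytes([IAC, SE])
    + b"demo-user\r\ndemo-password\r\n"
)


def split_telnet_stream(raw):
    """Separate in-band Telnet commands from user data.

    Returns (data, commands): data holds the bytes the user exchanged with
    the host, commands is a list of readable control sequences.
    """
    data, commands, i = bytearray(), [], 0
    while i < len(raw):
        if raw[i] != IAC:
            data.append(raw[i])                 # ordinary, unencrypted user data
            i += 1
        elif i + 1 >= len(raw):
            break                               # capture ends inside a command
        elif raw[i + 1] == IAC:
            data.append(IAC)                    # IAC IAC is an escaped literal 0xFF
            i += 2
        elif raw[i + 1] in NEGOTIATION:
            if i + 2 >= len(raw):
                break                           # option byte missing
            commands.append(f"{NEGOTIATION[raw[i + 1]]} option {raw[i + 2]}")
            i += 3
        elif raw[i + 1] == SB:
            j = i + 3                           # skip IAC, SB and the option byte
            while j + 1 < len(raw) and not (raw[j] == IAC and raw[j + 1] == SE):
                j += 2 if raw[j] == IAC else 1  # step over escaped 0xFF pairs
            if j + 1 >= len(raw):
                break                           # unterminated subnegotiation
            commands.append(f"SB option {raw[i + 2]} ({j - i - 3} bytes)")
            i = j + 2
        else:
            commands.append(f"command {raw[i + 1]}")
            i += 2
    return bytes(data), commands


if __name__ == "__main__":
    typed, control = split_telnet_stream(CONSTRUCTED_CLIENT_STREAM)
    print(control)
    print(typed)                                # credentials are readable as-is
```

Once the control sequences are stripped, the remaining bytes are exactly what was typed, which is why the password is exposed to anyone on the path.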

V. File Transfer Protocol

File Transfer Protocol (FTP) is a standard network protocol used to transfer files from one
host to another host over a TCP-based network, such as the Internet. FTP is built on a client-server
architecture and uses separate control and data connections between the client and the
server. FTP users may authenticate themselves using a clear-text sign-in protocol, normally in the
form of a username and password.
The first FTP client applications were command-line applications developed before operating
systems had graphical user interfaces, and are still shipped with most Windows, Unix, and Linux
operating systems. The original specification for the File Transfer Protocol was written by Abhay
Bhushan and published as RFC 114 on 16 April 1971. Until 1980, FTP ran on NCP, the
predecessor of TCP/IP.

Communication and data transfer


FTP may run in active or passive mode, which determines how the data connection is
established. In active mode, the client creates a TCP control connection. If the client is behind a
firewall and it is unable to accept incoming TCP connections, passive mode can be used. In this
mode, the client uses the control connection to send a PASV command to the server and then
receives a server IP address and server port number from the server, which the client then uses to
open a data connection from an arbitrary client port to the server IP address and server port
number received. Both modes were updated in September 1998 to support IPv6.

Login

FTP login utilizes a normal username and password scheme for granting access. The username is
sent to the server using the USER command, and the password is sent using the PASS command.
If the information provided by the client is accepted by the server, the server will send a greeting
to the client and the session will commence. If the server supports it, users may log in without
providing login credentials, but the same server may authorize only limited access for such
sessions.
NAT and firewall traversal

FTP normally transfers data by having the server connect back to the client, after the PORT
command is sent by the client. This is problematic for both NATs and firewalls, which do not
allow connections from the Internet towards internal hosts. For NATs, an additional complication
is that the representation of the IP address and port number in the PORT command refers to the
internal host's IP address and port, rather than the public IP address and port of the NAT.
There are two approaches to this problem. One is that the FTP client and FTP server use the
PASV command, which causes the data connection to be established from the FTP client to the
server. This is widely used by modern FTP clients. Another approach is for the NAT to alter the
values of the PORT command, using an application-level gateway for this purpose.
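
The following added example (not part of the original tutorial) decodes a PORT argument, shows why an address behind a NAT is unusable to the server, and applies server-side checks in the spirit of RFC 2577's bounce-attack guidance (refusing third-party addresses and well-known ports). The h1,h2,h3,h4,p1,p2 argument layout comes from the FTP specification (RFC 959); the function names and sample addresses are assumptions.

```python
import ipaddress

# RFC 1918 ranges, listed explicitly because ipaddress.is_private also
# covers documentation and other special-purpose ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_port_argument(arg):
    """Decode the 'h1,h2,h3,h4,p1,p2' argument of a PORT command."""
    fields = arg.strip().split(",")
    if len(fields) != 6 or not all(
            f.isascii() and f.isdigit() and int(f) <= 255 for f in fields):
        raise ValueError(f"malformed PORT argument: {arg!r}")
    nums = [int(f) for f in fields]
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]      # port = p1 * 256 + p2


def encode_port_argument(host, port):
    """Build the argument an application-level gateway would substitute."""
    return ",".join(str(host).split(".") + [str(port >> 8), str(port & 0xFF)])


def check_port_command(arg, control_peer):
    """Return the reasons a server should refuse this PORT request.

    control_peer is the source address of the control connection as the
    server sees it (the NAT's public address when the client is behind one).
    """
    host, port = parse_port_argument(arg)
    peer = ipaddress.IPv4Address(control_peer)
    problems = []
    if host != peer:
        internal = any(host in net for net in RFC1918)
        if internal and not any(peer in net for net in RFC1918):
            problems.append("internal address behind NAT")
        else:
            problems.append("address differs from control peer")
    if port < 1024:
        problems.append("well-known port")
    return problems


if __name__ == "__main__":
    # Constructed samples: the server sees the control connection from 203.0.113.7.
    print(check_port_command("192,168,1,10,195,80", "203.0.113.7"))
    print(check_port_command("198,51,100,20,0,25", "203.0.113.7"))
    print(encode_port_argument("203.0.113.7", 50000))
```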

Web browser support


Most common web browsers can retrieve files hosted on FTP servers, although they may not
support protocol extensions such as FTPS. When an FTP, rather than an HTTP, URL is
supplied, the accessible contents on the remote server are presented in a manner that is similar to
that used for other Web content. A full-featured FTP client can be run within Firefox in the form
of an extension called FireFTP.

Security
FTP was not designed to be a secure protocol, especially by today's standards, and has many
security weaknesses. In May 1999, the authors of RFC 2577 listed a vulnerability to the
following problems: brute force attacks, bounce attacks, packet capture (sniffing), port
stealing, spoof attacks, username protection and many more.
FTP is not able to encrypt its traffic; all transmissions are in clear text, and usernames,
passwords, commands and data can be easily read by anyone able to perform packet capture
(sniffing) on the network. This problem is common to many of the Internet Protocol
specifications (such as SMTP, Telnet, POP and IMAP) that were designed prior to the creation of
encryption mechanisms such as TLS or SSL. A common solution to this problem is to use the
"secure", TLS-protected versions of the insecure protocols (e.g. FTPS for FTP, TelnetS for
Telnet, etc.) or a different, more secure protocol that can handle the job, such as the SFTP/SCP
tools included with most implementations of the Secure Shell protocol.

Secure FTP

There are several methods of securely transferring files that have been called "Secure FTP" at
one point or another.

FTPS: - Explicit FTPS is an extension to the FTP standard that allows clients to request that the
FTP session be encrypted. This is done by sending the "AUTH TLS" command. The server has
the option of allowing or denying connections that do not request TLS.
SFTP: - SFTP, the "SSH File Transfer Protocol", is not related to FTP except that it also
transfers files and has a similar command set for users. SFTP, or secure FTP, is a program that
uses Secure Shell (SSH) to transfer files. Unlike standard FTP, it encrypts both commands and
data, preventing passwords and sensitive information from being transmitted openly over the
network. It is functionally similar to FTP, but because it uses a different protocol, standard FTP
clients cannot be used to talk to an SFTP server, nor can one connect to an FTP server with a
client that supports only SFTP.
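
The following added example, which is not part of the original tutorial, checks server-side control-channel logs for sessions where USER or PASS was sent before a successful "AUTH TLS". The log format ("C: " and "S: " prefixes), the function name and the sample sessions are constructed for illustration; reply code 234 is the standard success reply to AUTH.

```python
# Constructed server-side control-channel logs ("C: " client, "S: " server).
PLAIN_SESSION = """S: 220 ready
C: USER demo
S: 331 password required
C: PASS demo-password
S: 230 logged in"""

EXPLICIT_TLS_SESSION = """S: 220 ready
C: AUTH TLS
S: 234 proceed with negotiation
C: USER demo
S: 331 password required
C: PASS demo-password
S: 230 logged in"""

REFUSED_TLS_SESSION = """S: 220 ready
C: AUTH TLS
S: 502 command not implemented
C: USER demo
S: 331 password required
C: PASS demo-password
S: 230 logged in"""


def cleartext_logins(transcript):
    """Return the USER/PASS commands that were sent before TLS was active.

    Only the command verb is recorded, so the report never copies a password.
    """
    tls_pending = False   # client sent AUTH TLS and is waiting for the reply
    tls_active = False    # server answered 234: the channel is encrypted from here
    findings = []
    for line in transcript.splitlines():
        side, _, text = line.strip().partition(": ")
        if side == "C":
            words = text.upper().split()
            if words[:2] == ["AUTH", "TLS"]:
                tls_pending = True
            elif words and words[0] in ("USER", "PASS") and not tls_active:
                findings.append(words[0])
        elif side == "S" and tls_pending:
            tls_active = text.startswith("234")
            tls_pending = False
    return findings


if __name__ == "__main__":
    for name in ("PLAIN_SESSION", "EXPLICIT_TLS_SESSION", "REFUSED_TLS_SESSION"):
        print(name, cleartext_logins(globals()[name]))
```

A server configured to deny connections that do not request TLS should never produce a session with findings; any hit points at a client or server that fell back to clear text.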

VI. PORT

The protocols that primarily use ports are the Transport Layer protocols, such as the
Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) of the Internet
Protocol Suite. A port is identified for each address and protocol by a 16-bit number, commonly
known as the port number. The port number, added to a computer's IP address, completes the
destination address for a communications session. That is, data packets are routed across the
network to a specific destination IP address, and then, upon reaching the destination computer,
are further routed to the specific process bound to the destination port number.
Transport Layer protocols, such as the Transmission Control Protocol (TCP) and the User
Datagram Protocol (UDP), specify a source and destination port number in their packet headers.
A port number is a 16-bit unsigned integer, thus ranging from 1 to 65535 (port number 0 is
reserved and can't be used). The port numbers are divided into three ranges: the well-known
ports, the registered ports, and the dynamic or private ports. The well-known ports are those from
0 through 1023. Examples include:
Port No    Protocol
20 & 21    File Transfer Protocol
22         Secure Shell
23         Telnet remote login service
25         Simple Mail Transfer Protocol (SMTP)
53         Domain Name System (DNS) service
80         Hypertext Transfer Protocol (HTTP) used in the World Wide Web
110        Post Office Protocol (POP3)
119        Network News Transfer Protocol (NNTP)
143        Internet Message Access Protocol (IMAP)
161        Simple Network Management Protocol (SNMP)
443        HTTP Secure (HTTPS)
465        SMTP Secure (SMTPS)
The registered ports are those from 1024 through 49151. IANA maintains the official list. The
dynamic or private ports are those from 49152 through 65535.

TUTORIAL -1
Answer the following questions:
1. What is HTTP? Briefly explain the reliable and unreliable protocols.
2. What is an HTTP session, and which methods are defined by HTTP to perform actions?
Explain any two methods in brief.
3. What is SMTP? Explain its model with a figure.
4. What is POP and how can it be compared with IMAP?
5. Write a brief note on TELNET.
6. What is FTP? Explain its different types of modes.
7. Enlist any 12 FTP commands with their functionality.
8. Does a firewall allow access to port 21? Give a reason for your answer.
9. Explain Secure FTP.
10. What is a port number? Enlist different protocols with their port numbers.
