-
Notifications
You must be signed in to change notification settings - Fork 1
/
index.html
1026 lines (989 loc) · 51.1 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<!DOCTYPE html>
<!-- Slides from Google (slides.html5rocks.com) cleaned up for new presentations
Copyright 2011 Google Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Original slides: Marcin Wichary (mwichary@google.com)
Modifications: Chrome DevRel Team (chrome-devrel@googlegroups.com)
Alex Russell (slightlyoff@chromium.org)
Brad Neuberg
-->
<html manifest="cache.appcache">
<head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=Edge;chrome=1" />
<title>Présentation de HTTP</title>
<link href="http://fonts.googleapis.com/css?family=Droid+Sans|Droid+Sans+Mono" rel="stylesheet" type="text/css" />
<link id="prettify-link" href="src/prettify/prettify.css" rel="stylesheet" disabled />
<link href="css/moon.css" class="theme" rel="stylesheet" />
<link href="css/sand.css" class="theme" rel="stylesheet" />
<link href="css/sea_wave.css" class="theme" rel="stylesheet" />
<link href="css/default.css" class="theme" rel="stylesheet" media="screen" />
<style>
.slide h2 { font-size: 2em; }
a { color: #654; text-decoration: underline; border-bottom: none; }
li { font-size: 1.4em; padding: 5px 0; }
abbr { border-bottom: 1px dashed #654; }
section { margin: 2em 2em 0 2em }
ol li { list-style: decimal inside; }
ul li { list-style: square outside; }
pre { overflow-x: auto; }
pre.client { background: url("imgs/computer.png") no-repeat 98% 10px, #EADDE8; }
pre.server { background: url("imgs/server_lightning.png") no-repeat 98% 10px, #EADDE8; }
kbd { white-space: pre; }
</style>
</head>
<body>
<div class="presentation">
<div id="presentation-counter">Loading...</div>
<div class="slides">
<div class="slide" id="landing-slide">
<style scoped>
#landing-slide p { font-size: 35px; }
p#disclaimer-message { font-size: 20px; }
</style>
<section class="middle">
<p>Cette présentation est un site en HTML5</p>
<p>Appuyez sur <span id="left-init-key" class="key">→</span> pour avancer.</p>
</section>
</div>
<div class="slide" id="controls-slide">
<style scoped>
#controls-slide li, #controls-slide p { font-size: 35px; }
</style>
<section>
<p>Contrôles :</p>
<ul>
<li><span class="key">←</span> et <span class="key">→</span> pour vous déplacer.</li>
<li><span class="key">Ctrl/Command</span> et <span class="key">+</span> ou <span class="key">-</span> pour zoomer.</li>
<li><span class="key">T</span> pour changer le thème.</li>
<li><span class="key">H</span> pour changer le surlignage de la syntaxe.</li>
</ul>
</section>
</div>
<div class="slide" id="title-slide">
<style scoped>
#title-slide h1, #title-slide h2 { color: black; }
#title-slide h1 { letter-spacing: -2px; font-size: 70px; }
#title-slide h2 { margin-top: 1em; font-size: 36px; color: #665544; }
</style>
<section class="middle">
<hgroup>
<h1>HTTP</h1>
<h2>Hypertext Transfer Protocol</h2>
<h3>Grégory Paul - <a href="http://paulgreg.me" title="Portfolio">paulgreg.me</a></h3>
<a href="http://www.valtech.fr/" title="Se rendre sur le site de Valtech France"><img src="imgs/valtech-logo.png" title="" alt="valtech_"></a>
</hgroup>
</section>
</div>
<div class="slide" id="summary-slide">
<style scoped>
#summary-slide ol { column-count: 2; }
</style>
<section>
<h2>Sommaire</h2>
<ol>
<li>Vue d’ensemble
<li>La petite histoire...
<li>Versions 0.9, 1.0. 1.1
<li>URI, URL, URN
<li>Verbes
<li>Codes de retour
<li>Cookies
<li>Négociation de contenu
<li>Plage de réponse et réponse partielle
<li>Cache
<li>Authentification
<li>SSL/TLS
<li>Extensions (WebDAV,...)
<li>SPDY et HTTP 2.0
<li>Outils
</ol>
</section>
</div>
<div class="slide" id="overview-title-slide">
<section class="middle">
<h2>Vue d’ensemble</h2>
</section>
</div>
<div class="slide" id="overview-model-slide">
<section>
<h2>Modèle OSI</h2>
<p class="center"><img src="https://docs.google.com/drawings/pub?id=13JohKX0LOXs74gu-DB8gKaSY_OIB050vX14_lKBp_HQ&w=574&h=448" title="Couches réseau" alt="Couches réseau" /></p>
</section>
</div>
<div class="slide" id="network-diagram-slide">
<section>
<h2>Illustration</h2>
<p class="center"><img src="https://docs.google.com/drawings/pub?id=1ggKV4njxl4zbp3ASytetj2zgf2jM22acs5B1XZOoU24&w=960&h=720" title="Diagramme réseau HTTP" alt="Diagramme réseau HTTP" /></p>
</section>
</div>
<div class="slide" id="overview-example-slide">
<section>
<h2>HTTP à la main</h2>
<pre>➜ ~ ping www.google.fr
PING www.google.fr (74.125.230.247) 56(84) bytes of data.
...
^C
➜ ~ telnet 74.125.230.247 80
Trying 74.125.230.247...
Connected to 74.125.230.247.
Escape character is '^]'.
GET / HTTP/1.1
Host: www.google.fr
HTTP/1.1 200 OK
Date: Fri, 02 Dec 2011 15:03:11 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 4386
Set-Cookie: ...
Server: gws
<!doctype html><html><head>...</pre>
</section>
</div>
<div class="slide" id="overview-live-http-headers-example-slide">
<section>
<h2>Avec des outils : <a href="http://livehttpheaders.mozdev.org/">Live HTTP Headers</a> ou <a href="https://addons.mozilla.org/en-US/firefox/addon/httpfox/">HttpFox</a></h2>
<p><img src="imgs/livehttpheaders.png" style="border:1px solid black; width: 800px;" alt="LiveHTTPHeaders" title="LiveHTTPHeadesr" /></p>
</section>
</div>
<div class="slide" id="request-diagram-slide">
<section>
<h2>Séquence</h2>
<p class="center"><img src="https://docs.google.com/drawings/pub?id=1Q_bxxPigoJG1iQlL8lBQOjzv-zqw7UiSd05Q8z3gnuE&w=880&h=600" title="Diagramme requête HTTP" alt="Diagramme requête HTTP" /></p>
</section>
</div>
<div class="slide" id="intro-title-slide">
<section class="middle">
<h2>La petite histoire...</h2>
</section>
</div>
<div class="slide" id="story-slide">
<section>
<h2>La petite histoire...</h2>
<ul>
<li>En 1989, au <abbr title="Conseil Européen pour la Recherche Nucléaire">CERN</abbr>,
<li><a href="http://www.w3.org/People/Berners-Lee/">Tim Berners-Lee</a> et <a href="http://www.robertcailliau.eu/Welcome-en.html">Robert Cailliau</a>
<li>propose un système hypertexte
<li>bâti sur <abbr title="Transmission Control Protocol">TCP</abbr>/<abbr title="Internet Protocol">IP</abbr>.
<li>En 1991, devient HTTP/0.9
<li>En 1993, le <abbr title="National Center for Supercomputing Applications">NCSA</abbr> créé <a href="ftp://ftp.ncsa.uiuc.edu/Mosaic/">Mosaic</a> et <a href="http://httpd.apache.org/ABOUT_APACHE.html">HTTPd</a>
<li>En 1996, <a href="http://tools.ietf.org/html/rfc1945"><abbr title="Request for comment">RFC</abbr> 1945</a> : HTTP/1.0
<li>En 1997, <a href="http://tools.ietf.org/html/rfc2068">RFC 2068</a> : HTTP/1.1
<li>En 2000, <a href="http://www.ics.uci.edu/~fielding/">Roy Fielding</a> publie sa thèse <a href="http://www.ics.uci.edu/~fielding/pubs/dissertation/top.htm">Architectural Styles and the Design of Network-based Software Architectures</a><br>(<a href="http://www.ics.uci.edu/~fielding/pubs/dissertation/rest_arch_style.htm"><abbr title="Representational state transfer">REST</abbr></a>)
<li><a href="http://www.w3.org/Protocols/">19 révisions</a> de HTTP/1.1 entre 2007 et 2012,
<li>En 2009, Google <a href="http://googleresearch.blogspot.com/2009/11/2x-faster-web.html">propose</a> <a href="http://www.chromium.org/spdy">SPDY</a>,
<li>En 2012, le groupe de travail <a href="https://tools.ietf.org/wg/httpbis/">httpbis</a> de l’<a href="https://ietf.org/"><abbr title="Internet Engineering Task Force">IETF</abbr></a> planche sur HTTP 2.0
</ul>
</section>
</div>
<div class="slide" id="URI-URL-URN-title-slide">
<section class="middle">
<h2>(URI / URL / URN)</h2>
</section>
</div>
<div class="slide" id="URI-URL-URN-slide">
<section>
<h2>URI / URL / URN</h2>
<img width="200" src="imgs/URI-URL-URN.svg" style="float: left; margin: .5em 2em 0 0" alt="URN / URL / URI" title="URN / URL / URI" />
<p>Une <abbr title="Uniform Resource Identifier">URI</abbr> identifie.</p>
<p>Une <abbr title="Uniform Resource Locator">URL</abbr> identifie et localise.</p>
<p>une <abbr title="Uniform Resource Name">URN</abbr> identifie et nomme.</p>
<h3>URLs :</h3>
<ul>
<li>mailto:someone@example.com
<li>http://www.damnhandy.com/
<li>file:///home/someuser/somefile.txt
</ul>
<h3>URNs :</h3>
<ul>
<li>urn:mpeg:mpeg7:schema:2001urn:isbn:0451450523
<li>urn:sha1:YNCKHTQCWBTRNJIV4WNAE52SJUQCZO5C
<li>urn:uuid:6e8bc430-9c3a-11d9-9669-0800200c9a66
</ul>
</section>
</div>
<div class="slide" id="versions-details-title-slide">
<section class="middle">
<h2>HTTP 0.9, 1.0 et 1.1</h2>
</section>
</div>
<div class="slide" id="http-0-9-slide">
<section>
<h2>HTTP 0.9</h2>
<ul>
<li>n’est <strong>pas</strong> un standard
<li>n’est pas figé, constantes évolutions
<li>en cours de développement dans les années 91~95
<li>un seul verbe : GET
<li>port 80 par défaut
<li>introduit le concept d’URI
<li>introduit le code de retour (status code)
<li>puis l’entête content-type
<li>sans état...
<li>mais les cookies apparaissent par <a href="http://www.montulli.org/lou">Lou Montulli</a> en 94 pour une boutique d’ecommerce
</ul>
</section>
</div>
<div class="slide" id="http-1-0-slide">
<section>
<h2>HTTP 1.0</h2>
<ul>
<li>en 1996, <a href="http://tools.ietf.org/html/rfc1945"><abbr title="Request for comment">RFC</abbr> 1945</a>
<li>verbe GET, POST, HEAD mais aussi PUT, DELETE, LINK, UNLINK
<li>standardisation des entêtes, du formatage des réponses, des codes d’erreurs
<li>cache côté client via les en‐têtes <code>Last-modified</code>, <code>Pragma</code>, <code>Expires</code> et la compression
</ul>
</section>
</div>
<div class="slide" id="http-1-1-slide">
<section>
<h2>HTTP 1.1</h2>
<ul>
<li>En 1997, <a href="http://tools.ietf.org/html/rfc2068"><abbr title="Request for comment">RFC</abbr> 2068</a> : HTTP/1.1
<li>OPTIONS, CONNECT et TRACE (<del>LINK</del>, <del>UNLINK</del>)
<li>en-tête <code>Host</code> obligatoire <small>(permettant plusieurs sites web depuis une même IP)</small>
<li>négociation de contenu et de langage (<code>Accept</code>, <code>Accept-Language</code>, <code>Accept-Charset</code>)<small>, un pas en avant vers REST</small>
<li><img src="imgs/pipeline.png" alt="HTTP Pipelining" style="float:right; width:400px; border: 1px solid black;" /><code>Connection: keep-alive</code> permettant le pipelining
<li>découpe de la réponse en plusieurs morceaux via <code>Transfer-Encoding: chunked</code> <small>(un exemple est l’usage "temps réel" tel que les premiers chats)</small>
<li><a href="http://www.w3.org/Protocols/">19 révisions</a> entre 2007 et 2012 et des ajouts divers tels que <a href="http://www.w3.org/TR/CSP/">Content Security Policy</a>
</ul>
</section>
</div>
<div class="slide" id="verbs-title-slide">
<section class="middle">
<h2>Verbes</h2>
</section>
</div>
<div class="slide" id="verbs-slide">
<style scoped>
#verbs-slide .used span { font-weight: bold; }
#verbs-slide span:after { color: #654; margin-left: .5em; font-size: .7em; vertical-align: super; font-weight: normal; }
#verbs-slide .idempotent span:after { content: "idempotent"; }
#verbs-slide .safe.idempotent span:after { content: "safe, idempotent"; }
</style>
<section>
<h2>Verbes</h2>
<ul>
<li class="safe idempotent used"><span>GET</span> : récupération d’une ressource
<li class="safe idempotent used"><span>HEAD</span> : seulement les entêtes
<li class="used"><span>POST</span> : soumission d’un formulaire / modification d’une ressource
<li class="idempotent used"><span>PUT</span> : création d’une ressource
<li class="idempotent used"><span>DELETE</span> : suppression d’une ressource
<li class="safe idempotent"><span>TRACE</span> : echo de la requête
<li class="safe idempotent"><span>OPTIONS</span> : Capacités du serveur
<li class=""><span>CONNECT</span> : SSL/TLS pour les proxies
<li class=""><span>PATCH</span> : modification partielle <small>(<a href="https://tools.ietf.org/html/rfc5789">RFC 5789</a>, mai 2010)</small>
</ul>
</section>
</div>
<div class="slide" id="status-code-title-slide">
<section class="middle">
<h2>Code de retour (status code)</h2>
</section>
</div>
<div class="slide" id="status-code-slide">
<style scoped>
#status-code-slide ul > li > ul {
max-height: 90px; overflow-y: auto;border: 1px dotted #654;
font-size: 10px; column-count: 2;
}
#status-code-slide ul > li > ul > li { padding: 0; }
</style>
<section>
<h2><a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html">Codes de retour</a></h2>
<ul>
<li class="100">1xx Informational (3)
<ul>
<li>100 Continue
<li>101 Switching Protocols
<li>102 Processing (<a href="/wiki/WebDAV" title="WebDAV">WebDAV</a>; RFC 2518)
</ul>
<li class="200">2xx Success (10)
<ul>
<li>200 OK
<li>201 Created
<li>202 Accepted
<li>203 Non-Authoritative Information (since HTTP/1.1)
<li>204 No Content
<li>205 Reset Content
<li>206 Partial Content
<li>207 Multi-Status (WebDAV; RFC 4918)
<li>208 Already Reported (WebDAV; RFC 5842)
<li>226 IM Used (RFC 3229)
</ul>
<li class="300">3xx Redirection (9)
<ul>
<li>300 Multiple Choices
<li><a href="https://en.wikipedia.org/wiki/HTTP_301" title="HTTP 301">301 Moved Permanently</a>
<li><a href="https://en.wikipedia.org/wiki/HTTP_302" title="HTTP 302">302 Found</a>
<li><a href="https://en.wikipedia.org/wiki/HTTP_303" title="HTTP 303">303 See Other</a> (since HTTP/1.1)
<li>304 Not Modified
<li>305 Use Proxy (since HTTP/1.1)
<li>306 Switch Proxy
<li>307 Temporary Redirect (since HTTP/1.1)
<li>308 Permanent Redirect (approved as experimental)
</ul>
<li class="400">4xx Client Error (38)
<ul>
<li>400 Bad Request
<li>401 Unauthorized
<li>402 Payment Required
<li><a href="https://en.wikipedia.org//wiki/HTTP_403" title="HTTP 403">403 Forbidden</a>
<li><a href="https://en.wikipedia.org//wiki/HTTP_404" title="HTTP 404">404 Not Found</a>
<li>405 Method Not Allowed
<li>406 Not Acceptable
<li>407 Proxy Authentication Required
<li>408 Request Timeout
<li>409 Conflict
<li>410 Gone
<li>411 Length Required
<li>412 Precondition Failed
<li>413 Request Entity Too Large
<li>414 Request-URI Too Long
<li>415 Unsupported Media Type
<li>416 Requested Range Not Satisfiable
<li>417 Expectation Failed
<li>418 I'm a teapot (RFC 2324)
<li>420 Enhance Your Calm (Twitter)
<li>422 Unprocessable Entity (WebDAV; RFC 4918)
<li>423 Locked (WebDAV; RFC 4918)
<li>424 Failed Dependency (WebDAV; RFC 4918)
<li>424 Method Failure (<a href="https://en.wikipedia.org//wiki/WebDAV" title="WebDAV">WebDAV</a>)
<li>425 Unordered Collection (Internet draft)
<li>426 Upgrade Required (RFC 2817)
<li>428 Precondition Required (<a class="external mw-magiclink-rfc" href="//tools.ietf.org/html/rfc6585">RFC 6585</a>)
<li>429 Too Many Requests (<a class="external mw-magiclink-rfc" href="//tools.ietf.org/html/rfc6585">RFC 6585</a>)
<li>431 Request Header Fields Too Large (<a class="external mw-magiclink-rfc" href="//tools.ietf.org/html/rfc6585">RFC 6585</a>)
<li>444 No Response (Nginx)
<li>449 Retry With (Microsoft)
<li>450 Blocked by Windows Parental Controls (Microsoft)
<li>451 Unavailable For Legal Reasons (Internet draft)
<li>494 Request Header Too Large (Nginx)
<li>495 Cert Error (Nginx)
<li>496 No Cert (Nginx)
<li>497 HTTP to HTTPS (Nginx)
<li>499 Client Closed Request (Nginx)
</ul>
<li class="500">5xx Server Error (14)
<ul>
<li>500 Internal Server Error
<li>501 Not Implemented
<li>502 Bad Gateway
<li>503 Service Unavailable
<li>504 Gateway Timeout
<li>505 HTTP Version Not Supported
<li>506 Variant Also Negotiates (RFC 2295)
<li>507 Insufficient Storage (WebDAV; RFC 4918)
<li>508 Loop Detected (WebDAV; RFC 5842)
<li>509 Bandwidth Limit Exceeded (Apache bw/limited extension)
<li>510 Not Extended (RFC 2774)
<li>511 Network Authentication Required (<a class="external mw-magiclink-rfc" href="//tools.ietf.org/html/rfc6585">RFC 6585</a>)
<li>598 Network read timeout error (Unknown)
<li>599 Network connect timeout error (Unknown)
</ul>
</ul>
</section>
</div>
<div class="slide" id="cookie-title-slide">
<section class="middle">
<h2>Les Cookies</h2>
<a href="http://www.instructables.com/id/HTTP-Sugar-Cookies/"><img src="http://www.instructables.com/files/deriv/FWM/8RMH/GX82ORQY/FWM8RMHGX82ORQY.LARGE.jpg" width="600" alt="" title="Image from http://www.instructables.com/id/HTTP-Sugar-Cookies/" /></a>
</section>
</div>
<div class="slide" id="cookie-example-slide">
<section>
<h2>Les Cookies : exemple</h2>
<pre class="client">GET / HTTP/1.1
Host: www.exemple.org
...</pre>
<pre class="server">HTTP/1.1 200 OK
Content-type: text/html
Set-Cookie: name=value
...</pre>
<pre class="client">GET /page.html HTTP/1.1
Host: www.exemple.org
Cookie: name=value
...</pre>
</section>
</div>
<div class="slide" id="cookie-details-slide">
<section>
<h2>Les Cookies</h2>
<ul>
<li>Défini pour un nom de domaine complet par défaut <small>(www.domain.com)</small>
<li>limité à 20 cookies par domaine, d’environ 4000 caractères
<li>Envoyé à chaque requête <small>(html, JS, Ajax, images, etc)</small>
<li>Cookie = contenu personalisé = pas de cache
<li>D’où l’intérêt de servir les ressources communes <small>(images, css, js)</small> depuis un autre sous-domaine <small>(static.domain.com)</small>
<li>Cookie de session
<li>Cookie chiffré
<li>Entête <a href="https://fr.wikipedia.org/wiki/P3P"><abbr title="Platform for Privacy Preferences">P3P</abbr></a>
<li>Entête <a href="https://fr.wikipedia.org/wiki/Do_Not_Track"><abbr title="Do Not Track">DNT</abbr></a>
</ul>
</section>
</div>
<div class="slide" id="cookie-first-third-party-slide">
<section>
<h2>Les Cookies</h2>
<ul>
<li>Cookie "first/third party"
</ul>
<p align="center"><img src="https://docs.google.com/drawings/pub?id=1ZGi5Yuf_PmyIrP_WoxAjnq2NdQUg3H3TMpXVJFiP0Hw&w=430&h=399" title="First / third party cookie" alt=""/></p>
</section>
</div>
<div class="slide" id="cookie-details-2-slide">
<section>
<h2>Les Cookies : attributs facultatifs</h2>
<ul>
<li>un nom de domaine <small>(pour permettre le "cross-subdomain")</small>,
<li>un chemin,
<li>date d'expiration <small>(sans, le cookie est supprimé lorsque le navigateur est fermé)</small>,
<li>type de connexion prévu <small>(chiffrée ou non)</small>,
<li>type d’accès <small>(HTTP seul ou aussi via JS)</small>.
</ul>
<h3>Exemples</h3>
<pre class="server">Set-Cookie: LSID=DQAAAK…Eaem_vYg; Domain=docs.foo.com; Path=/accounts; Expires=Wed, 13-Jan-2021 22:23:01 GMT; Secure; HttpOnly</pre>
<pre class="server">Set-Cookie: HSID=AYQEVn….DKrdst; Domain=.foo.com; Path=/; Expires=Wed, 13-Jan-2021 22:23:01 GMT; HttpOnly</pre>
<pre class="server">Set-Cookie: SSID=Ap4P….GTEq; Domain=.foo.com; Path=/; Expires=Wed, 13-Jan-2021 22:23:01 GMT; Secure; HttpOnly</pre>
</section>
</div>
<div class="slide" id="cookie-security-demo-slide">
<section class="middle">
<h2>Les Cookies : Sécurité</h2>
</section>
</div>
<div class="slide" id="cookie-security-slide">
<section>
<h2>Vol de cookie (cookie hijacking)</h2>
<h3>À la main</h3>
<p>Démo sur <a href="http://blog.valtech.fr/wp-login">blog.valtech.fr</a> avec <a href="http://livehttpheaders.mozdev.org/">LiveHTTPHeaders</a> et telnet</p>
<h3>Via Firesheep</h3>
<p><a href="http://codebutler.com/firesheep?c=1"><img src="imgs/firesheep.png" alt="Firesheep" title="Firesheep" /></a></p>
<h2>Forge de cookie</h2>
</section>
</div>
<div class="slide" id="content-negociation-title-slide">
<section class="middle">
<h2>Négociation de contenu</h2>
</section>
</div>
<div class="slide" id="content-negociation-basics-slide">
<section>
<h2>Négociation de contenu</h2>
<h3>Navigateur demandant une page web</h3>
<pre class="client">GET / HTTP/1.1
Host: www.exemple.org
Accept: text/html; q=1.0, text/*; q=0.8, image/gif; q=0.6, image/jpeg; q=0.6, image/*; q=0.5, */*; q=0.1
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding: gzip,deflate
Accept-Language: fr-FR; q=1.0, en; q=0.5
... </pre>
<pre class="server">HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Length: 25719
Content-type: text/html; charset=UTF-8
Content-Language: en-US
...</pre>
</section>
</div>
<div class="slide" id="content-negociation-slide">
<section>
<h2>Négociation de contenu</h2>
<h3>Client d’API REST</h3>
<pre class="client">GET /shops/all/address HTTP/1.1
Host: www.exemple.org
Accept: application/json; q=1.0, text/xml; q=0.8
Accept-Charset: ISO-8859-1,utf-8; q=0.7, *; q=0.3
Accept-Encoding: gzip,deflate
Accept-Language: fr-FR; q=1.0, en; q=0.5
... </pre>
<pre class="server">HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Length: 25719
Content-type: application/json; charset=utf-8
Content-Language: en-US
...</pre>
</section>
</div>
<div class="slide" id="partial-request-title-slide">
<section class="middle">
<h2>Requête et réponse partielle</h2>
</section>
</div>
<div class="slide" id="partial-request-slide">
<section>
<h2>Requête et réponse partielle</h2>
<pre class="client">HEAD /2390/2253727548_a413c88ab3_s.jpg HTTP/1.1
Host: farm3.static.flickr.com</pre>
<pre class="server">HTTP/1.0 200 OK
Date: Mon, 05 May 2008 00:33:14 GMT
Server: Apache/2.0.52 (Red Hat)
Accept-Ranges: bytes
Content-Length: 3980
Content-Type: image/jpeg</pre>
<pre class="client">GET /2390/2253727548_a413c88ab3_s.jpg HTTP/1.1
Host: farm3.static.flickr.com
Range: bytes=0-999</pre>
<pre class="server">HTTP/1.0 206 Partial Content
Date: Mon, 05 May 2008 00:36:57 GMT
Server: Apache/2.0.52 (Red Hat)
Accept-Ranges: bytes
Content-Length: 1000
Content-Range: bytes 0-999/3980
Content-Type: image/jpeg
...</pre>
</section>
</div>
<div class="slide" id="cache-title-slide">
<section class="middle">
<h2>Cache</h2>
</section>
</div>
<div class="slide" id="cache-in-action-slide">
<section>
<h2>Cache : En Action</h2>
<h3>Chargement initial, sans cache :</h3>
<img src="imgs/twitter-1.png" alt="First twitter load" title="First twitter load" />
<h3>Rechargement de la même page :</h3>
<img src="imgs/twitter-2.png" alt="Second twitter load" title="Second twitter load" />
</section>
</div>
<div class="slide" id="cache-type-slide">
<section>
<h2>Cache : Introduction</h2>
<h3>Qui ?</h3>
<ul>
<li>Navigateur / Client
<li>Proxy <small>(squid, équipement réseau/"network appliance")</small>
<li>Reverse-proxy <small>(squid, varnish, etc)</small>
<li><abbr title="Content Delivery Network">CDN</abbr> <small>(Akamai, Amazon Cloud Front, ...)</small>
</ul>
<h3>2 types :</h3>
<ul>
<li>Cache privé
<li>Cache public
</ul>
<h3>Définitions :</h3>
<ul>
<li>Revalidation
<li>Cache hit
<li>Cache miss
</ul>
</section>
</div>
<div class="slide" id="cache-date-expires-slide">
<section>
<h2>Cache : Date et Expires</h2>
<pre class="server">Date:Tue, 04 Sep 2012 09:24:26 GMT
Expires: Thu, 01 Dec 1994 16:00:00 GMT</pre>
<ul>
<li><code>Date</code> obligatoire !
<li><code>Expires > now()</code> : caché jusqu’à la date indiquée puis revalidation
<li><code>Expires == now()</code> : caché mais revalidation à la prochaine requête
<li><code>Expires < now() || Expires == -1</code> : pas de cache
</ul>
</section>
</div>
<div class="slide" id="cache-control-slide">
<section>
<h2>Cache : Cache-Control</h2>
<ul>
<li><code>Cache-Control: private</code> : Cache client
<li><code>Cache-Control: public</code> : Cache client et proxy
<li><code>Cache-Control: no-cache</code> : Cache client et proxy mais revalidation
<li><code>Cache-Control: no-cache=Set-Cookie</code> : Ne pas cacher cet entête
<li><code>Cache-Control: no-store</code> : Cache client ou proxy interdit
<li><code>Cache-Control: must-revalidate</code> : Revalidation après expiration
<li><code>Cache-Control: proxy-revalidate</code> : Idem mais pour les proxies
<li><code>Cache-Control: max-age=xxx</code> : Temps relatif, en secondes
<li><code>Cache-Control: s-maxage=xxx</code> : Idem mais que pour les proxies
<li><code>Cache-Control: no-transform</code> : Les proxies ne doivent pas transformer la ressource
</ul>
</section>
</div>
<div class="slide" id="cache-last-modified-conditionnal-slide">
<section>
<h2>Cache : Last-Modified et requête conditionnelle</h2>
<pre class="client">GET /logo.png HTTP/1.1
...</pre>
<pre class="server">HTTP/1.1 200 OK
Date: Mon, 03 Sep 2012 15:05:20 GMT
Expires: Mon, 03 Sep 2012 15:05:20 GMT
Last-Modified: Mon, 02 Apr 2012 02:13:37 GMT
...</pre>
<pre class="client">GET /logo.png HTTP/1.1
If-Modified-Since: Mon, 02 Apr 2012 02:13:37 GMT
...</pre>
<pre class="server">HTTP/1.1 304 Not Modified
Date: Mon, 03 Sep 2012 15:07:07 GMT
Expires: Mon, 03 Sep 2012 15:07:07 GMT
...</pre>
</section>
</div>
<div class="slide" id="cache-etag-conditionnal-slide">
<section>
<h2>Cache : Entity Tag et requête conditionnelle</h2>
<pre class="client">GET /logo.png HTTP/1.1
...</pre>
<pre class="server">HTTP/1.1 200 OK
Date: Mon, 03 Sep 2012 15:05:20 GMT
ETag: "8eca4-205f-17b94c"
...</pre>
<pre class="client">GET /logo.png HTTP/1.1
If-None-Match "8eca4-205f-17b94c"
...</pre>
<pre class="server">HTTP/1.1 304 Not Modified
Date: Mon, 03 Sep 2012 15:07:07 GMT
ETag: "8eca4-205f-17b94c"
...</pre>
</section>
</div>
<div class="slide" id="cache-vary-slide">
<section>
<h2>Cache : Vary</h2>
<h3>Exemple sur la compression :</h3>
<pre class="client">GET /file.js HTTP/1.1
Accept-Encoding: gzip, deflate
...</pre>
<pre class="server">HTTP/1.1 200 OK
Content-Encoding:gzip
Date:Thu, 06 Sep 2012 13:56:47 GMT
Expires:Thu, 13 Sep 2012 13:56:47 GMT
ETag:M0-0eb75f26
Vary:Accept-Encoding
...</pre>
<h3>Exemple sur la négociation de contenu :</h3>
<pre class="client">GET /shops/all/address HTTP/1.1
Host: www.exemple.org
Accept: application/json
Accept-Language: fr-FR; q=1.0, en; q=0.5
... </pre>
<pre class="server">HTTP/1.1 200 OK
Content-type: application/json; charset=utf-8
Content-Language: en-US
Vary: Accept,Accept-Language
...</pre>
</section>
</div>
<div class="slide" id="cache-summary-slide">
<section>
<h2>Cache : Recommandations</h2>
<ul>
<li>Utilisez soit <code>Expires</code>, soit <code>Cache-Control: max-age</code>
<li>avec soit <code>Last-Modified</code>, soit <code>ETag</code> <small>pour permettre les requêtes conditionnelles</small>
<li>Idéalement, cachez pour un mois ou un an <small>(mais pas plus !)</small> et utiliser l’url fingerprinting
<li>SSL/TLS : <code>Cache control: public</code> <small>(sinon, pas de cache sous FF)</small>
<li>Attention aux paramètres dans les URL (proxies)
<li>Limitez les cookies aux ressources qui ont en besoin <small>(html)</small>
<li>Rappel : ressources statiques sur un autre sous-domaine
<li>Attention de bien configurer <code>Vary</code> en fonction du <code>Content-Encoding</code>, <code>Content-Type</code> ou encore sur les champs <code>Accept</code> <small>(Négociation de contenu)</small>
</ul>
</section>
</div>
<div class="slide" id="authentification-title-slide">
<section class="middle">
<h2>Authenfication</h2>
</section>
</div>
<div class="slide" id="authentification-basic-slide">
<section>
<h2>Authenfication basique</h2>
<pre class="client">GET /private/index.html HTTP/1.1
Host: www.exemple.org
...</pre>
<pre class="server">HTTP/1.1 401 Authorization Required
Content-type: text/html
WWW-Authenticate: Basic realm="Secure Area"
...</pre>
<pre class="client">GET /private/index.html HTTP/1.1
Host: www.exemple.org
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
</pre>
<h3>Encodage/décodage base 64</h3>
<kbd>> echo -n "Aladdin:open sesame" | base64 -
> QWxhZGRpbjpvcGVuIHNlc2FtZQ==
> echo -n QWxhZGRpbjpvcGVuIHNlc2FtZQ== | base64 -d
> Aladdin:open sesame
</kbd>
</section>
</div>
<div class="slide" id="authentification-digest-slide">
<section>
<h2>Authenfication Digest</h2>
<pre class="server">HTTP/1.1 401 Authorization Required
Content-type: text/html
WWW-Authenticate: Digest realm="testrealm@host.com",
qop="auth, auth-int",
nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
opaque="5ccc069c403ebaf9f0171e9517f40e41"
...</pre>
<pre class="server">GET /private/index.html HTTP/1.1
Host: www.exemple.org
GET /dir/index.html HTTP/1.0
Host: localhost
Authorization: Digest username="gpaul",
realm="testrealm@host.com",
nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
uri="/private/index.html",
qop=auth,
nc=00000001,
cnonce="0a4f113b",
response="6629fae49393a05397450978507c4ef1",
opaque="5ccc069c403ebaf9f0171e9517f40e41"
</pre>
</section>
</div>
<div class="slide" id="ssl-tls-title-slide">
<section class="middle">
<h2><abbr title="Secure Sockets Layer">SSL</abbr>/<abbr title="Transport Layer Security">TLS</abbr></h2>
</section>
</div>
<div class="slide" id="ssl-tls-main-slide">
<section>
<h2><abbr title="Secure Sockets Layer">SSL</abbr>/<abbr title="Transport Layer Security">TLS</abbr> : Introduction</h2>
<ul>
<li>SSL 1.0 (jamais publique), 2.0 en 1995, 3.0 en 1996 (<a href="https://tools.ietf.org/html/rfc6101"><abbr title="Request for comment">RFC</abbr> 6101</a>),
<li>TLS 1.0 en 1999 (<a href="https://tools.ietf.org/html/rfc2246">RFC 2246</a>)
<li>TLS 1.1 en 2006 (<a href="https://tools.ietf.org/html/rfc4346">RFC 4346</a>)
<li>TLS 1.2 en 2008 (<a href="https://tools.ietf.org/html/rfc5246">RFC 5246</a>)
<li>Mise à jour sur TLS 1.2 en 2011 (<a href="https://tools.ietf.org/html/rfc6176">RFC 6176</a>)
<li>TLS utilisé sur <abbr title="HyperText Transfert Protocol">HTTP</abbr>, <abbr title="File Transfert Protocol">FTP</abbr>, <abbr title="Simple Mail Transfert Protocol">SMTP</abbr>, <abbr title="Network News Transfert Protocol">NNTP</abbr> et <abbr title="eXtensible Messaging and Presence Protocol">XMPP</abbr>
<li><abbr title="Hypertext Transfer Protocol Secure">HTTPS</abbr> sur le port 443
</ul>
<h3>5 principes</h3>
<ul>
<li>l'authentification du serveur,
<li>la confidentialité des données échangées,
<li>l'intégrité des données échangées,
<li>la spontanéité,
<li>de manière optionnelle, l'authentification du <a href="http://pilif.github.com/2008/05/why-is-nobody-using-ssl-client-certificates/">client avec un certificat</a>,
<li>la transparence (HTTP over TLS).
</ul>
</section>
</div>
<div class="slide" id="ssl-tls-pre-requisites-slide">
<section>
<h2>Quelques rappels cryptographiques</h2>
<ul>
<li>Chiffrement symétrique <small>(DES, 3DES, AES, BlowFish,...)</small>
<li>Chiffrement asymétrique <small>(RSA)</small>
<li>Fonction de hashage <small>(MD5, SHA1, SHA256,...)</small>
<li>Signature
<img style="float:right" src="https://docs.google.com/drawings/pub?id=1IScYN4qTqqQCkpZ1GTeK8vTO26pMso7rRj-UMBH6Cwc&w=343&h=283">
<li>Certificats <small>(x509)</small>
<li>Autorité de certification
<li>Chaînes de confiance
</ul>
<h3>Création d’une signature</h3>
<pre>var hash = sha1(certificat.info)
return encrypt(ca.privatekey, hash)</pre>
<h3>Vérification d’une signature</h3>
<pre>var hash = sha1(certificat.info)
var uncryptedSignature = decrypt(ca.publickey, signature)
return hash == uncryptedSignature</pre>
</section>
</div>
<div class="slide" id="ssl-tls-handshake-slide">
<style scoped>
#ssl-tls-handshake-slide ul li { list-style-type:none; }
</style>
<section>
<h2><abbr title="Secure Sockets Layer">SSL</abbr>/<abbr title="Transport Layer Security">TLS</abbr> : Handshake</h2>
<img src="https://docs.google.com/drawings/pub?id=1kpEunBK1rm_KH-loMb2K0OKCEut4A0tP08fF1e5_-OM&w=796&h=362" alt="SSL/TLS handshake" />
<ul>
<li><span style="color: blue;">1.</span> Client hello : chiffrements supportés ordonnés
<li><span style="color: blue;">2.</span> Server hello : chiffrement utilisé et certificat
<small>(le client vérifie le certificat et la chaîne de confiance)</small>
<li><span style="color: red;">3.</span> Pré-clé chiffrée avec la clé publique du serveur
<li><span>4.</span> Négociation terminée, calcul de la clé secrête symétrique
<li><span style="color: green;">5.</span> Échanges HTTP chiffrés avec la clé symétrique
</ul>
</section>
</div>
<div class="slide" id="ssl-tls-algorithms-slide">
<style scoped>
#ssl-tls-algorithms-slide ul { column-count: 3; }
#ssl-tls-algorithms-slide ul li { font-size: 13px; }
</style>
<section>
<h2>Algorithmes d’encryption</h2>
<p>Version, chiffrement asymétrique, chiffrement symétrique, négociation des clés, signature</p>
<ul>
<li>SSL2-RC4-128-with-MD5
<li>SSL2-RC2-128-CBC-with-MD5
<li>SSL2-DES-168-EDE3-CBC-with-MD5
<li>SSL2-DES-56-CBC-with-MD5
<li>SSL2-RC4-128-EXPORT40-with-MD5
<li>SSL2-RC2-128-CBC-EXPORT40-with-MD5
<li>SSL3-FORTEZZA-DMS-with-FORTEZZA-CBC-SHA
<li>SSL3-FORTEZZA-DMS-with-RC4-128-SHA
<li>SSL3-RSA-with-RC4-128-MD5
<li>SSL3-RSA-with-3DES-EDE-CBC-SHA
<li>SSL3-RSA-with-DES-CBC-SHA
<li>SSL3-RSA-with-RC4-40-MD5
<li>SSL3-RSA-with-RC2-CBC-40-MD5
<li>SSL3-FORTEZZA-DMS-with-null-SHA
<li>SSL3-RSA-with-null-MD5
<li>SSL3-RSA-FIPS-with-3DES-EDE--CBC-SHA
<li>SSL3-RSA-FIPS-with-DES-CBC-SHA
<li>SSL3-DHE-RSA-with-3DES-EDE-CBC-SHA
<li>SSL3-DHE-DSS-with-3DES-EDE-CBC-SHA
<li>SSL3-DHE-RSA-with-DES-CBC-SHA
<li>SSL3-DHE-DSS-with-DES-CBC-SHA
<li>TLS-RSA-1024-with-RC4-56-SHA
<li>TLS-RSA-1024-with-DES-CBC-SHA
<li>TLS-RSA-with-RC4-128-MD5
<li>SSL_RSA_WITH_RC4_128_SHA or TLS_RSA_WITH_RC4_128_SHA
<li>TLS-RSA-with-3DES-EDE-CBC-SHA
<li>TLS-RSA-with-DES-CBC-SHA
<li>TLS-RSA-with-AES-256-CBC-SHA
<li>TLS-RSA-with-AES-128-CBC-SHA
<li>TLS-RSA-with-RC4-40-MD5
<li>TLS-RSA-with-RC2-CBC-40-MD5
<li>TLS-RSA-with-null-MD5
<li>TLS-DHE-RSA-with-AES-256-CBC-SHA
<li>TLS-DHE-RSA-with-AES-128-CBC-SHA
<li>TLS-DHE-DSS-with-AES-256-CBC-SHA
<li>TLS-DHE-DSS-with-AES-128-CBC-SHA
<li>TLS-DHE-DSS-with-RC4-128-SHA
<li>TLS-ECDH-ECDSA-with-RC4-128-SHA
<li>TLS-ECDH-RSA-with-RC4-128-SHA
<li>TLS-ECDHE-ECDSA-with-RC4-128-SHA
<li>TLS-ECDHE-RSA-with-RC4-128-SHA
<li>TLS-ECDH-ECDSA-with-3DES-EDE-CBC-SHA
<li>TLS-ECDH-RSA-with-3DES-EDE-CBC-SHA
<li>TLS-ECDHE-ECDSA-with-3DES-EDE-CBC-SHA
<li>TLS-ECDHE-RSA-with-3DES-EDE-CBC-SHA
<li>TLS-ECDH-ECDSA-with-AES-128-CBC-SHA
<li>TLS-ECDH-RSA-with-AES-128-CBC-SHA
<li>TLS-ECDHE-ECDSA-with-AES-128-CBC-SHA
<li>TLS-ECDHE-RSA-with-AES-128-CBC-SHA
<li>TLS-ECDH-ECDSA-with-AES-256-CBC-SHA
<li>TLS-ECDH-RSA-with-AES-256-CBC-SHA
<li>TLS-ECDHE-ECDSA-with-AES-256-CBC-SHA
<li>TLS-ECDHE-RSA-with-AES-256-CBC-SHA
</ul>
</section>
</div>
<div class="slide" id="ssl-tls-diffie-hellman-slide">
<section>
<h2><abbr title="Secure Sockets Layer">SSL</abbr>/<abbr title="Transport Layer Security">TLS</abbr> : Diffie-Hellman</h2>
<a href="http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html">SSL/TLS & Perfect Forward Secrecy</a>, <small>DHE-RSA-AES128-SHA, ECDHE-RSA-AES128-SHA</small>
<p class="center"><img src="imgs/diffie-Hellman_key_exchange.png" alt="Algorithme de Diffie Hellman" /></p>
</section>
</div>
<div class="slide" id="ssl-tls-security-slide">
<section>
<h2><abbr title="Secure Sockets Layer">SSL</abbr>/<abbr title="Transport Layer Security">TLS</abbr> : Securité</h2>
<h3><a href="http://dev.chromium.org/sts"><abbr title="HTTP Strict Transport Security">HSTS</abbr></a></h3>
<pre>Strict-Transport-Security: max-age=16070400; includeSubDomains</pre>
<h3>Attaques connues</h3>
<p>En 2011, Thai Duong et Juliano Rizzo démontrent <a href="http://vnhacker.blogspot.fr/2011/09/beast.html"><abbr title="Browser Exploit Against SSL/TLS">BEAST</abbr></a>, une attaque contre TLS/1.0.</p>
<p>En 2012, ils présentent <a href="https://docs.google.com/presentation/d/11eBmGiHbYcHR9gL5nDyZChu_-lCa2GizeuOfaLU2HOU/edit#slide=id.g1d134dff_1_222"><abbr title="Compression Ratio Info-leak Made Easy">CRIME</abbr></a>, se basant sur la compression : TLS et SPDY sont vulnérables.</p>
</section>
</div>
<div class="slide" id="extension-title-slide">
<section class="middle">
<h2>Extension</h2>
</section>
</div>
<div class="slide" id="extension-slide">
<section>
<h2>Extension : <abbr title="Web Distributed Authoring and Versioning">WebDAV</abbr></h2>
<ul>
<li>permet de récupérer, déposer, synchroniser et publier des fichiers/dossiers,
<li>gestion des droits d’accès, vérrouillage des fichiers,
<li>Nouvelles méthodes, entêtes et codes de retour (<small><a href="//tools.ietf.org/html/rfc4918"><abbr title="Request for comment">RFC</abbr> 4918</a></small>) :
</ul>
<pre class="client">COPY /~fielding/index.html HTTP/1.1
Host: www.example.com
Destination: http://www.example.com/users/f/fielding/index.html
If: <http://www.example.com/users/f/fielding/index.html> (<urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6>)</pre>
<pre class="server">HTTP/1.1 204 No Content</pre>
<pre class="client">DELETE /locked/member HTTP/1.1
Host: example.com</pre>
<pre class="server">HTTP/1.1 423 Locked
Content-Type: application/xml; charset="utf-8"
Content-Length: xxxx
<?xml version="1.0" encoding="utf-8" ?>
<D:error xmlns:D="DAV:">
<D:lock-token-submitted>
<D:href>/locked/</D:href>
</D:lock-token-submitted>
</D:error>
</pre>
</section>
</div>
<div class="slide" id="spdy-http2-title-slide">
<section class="middle">
<h2>SPDY / HTTP 2.0</h2>
</section>
</div>
<div class="slide" id="spdy-slide">
<section>
<h2><abbr title="Speedy"><a href="https://sites.google.com/a/chromium.org/dev/spdy">SPDY</a></abbr></h2>
<ul>
<li>standard de facto, standardisation en cours <small>(<a href="https://tools.ietf.org/html/draft-mbelshe-httpbis-spdy-00">draft-mbelshe-httpbis-spdy-00</a>)</small>
<li>implémenté dans Google Chrome (<small><a href="chrome://net-internals/#spdy">chrome://net-internals/#spdy</a></small>) et Firefox 11 (<small><a href="https://hacks.mozilla.org/2012/02/spdy-brings-responsive-and-scalable-transport-to-firefox-11/">annonce</a></small>), actif par défaut dans Firefox 13 (<small><code>network.http.spdy.enabled</code>, cf <a href="about:config">about:config</a></small>) et Amazon Silk,
<li>utilisé sur presque tous les services Google, ainsi que twitter,
<li><img src="https://sites.google.com/a/chromium.org/dev/_/rsrc/1258490355439/spdy/spdy-whitepaper/soarjOjSeS5hoFYvjtAnxCg.png" alt="Speedy stack" style="float: right; margin: .5em;"/>
ne remplace pas HTTP mais change la façon dont les données sont envoyées,
<li>suppression des entêtes redondants (user-agent, accept, etc),
<li>compression des entêtes,
<li>multiplexage (plusieurs streams) au sein d’une requête TCP,
<li><a href="https://en.wikipedia.org/wiki/HTTP_pipelining">HTTP Pipelining</a>,
<li>priorise les ressources,
<li>"push" des resources liées (images, css, js) avant que le navigateur ne les demande,
<li>TLS/SSL obligatoire.
</ul>
</section>
</div>
<div class="slide" id="http2-slide">
<section>
<h2>HTTP 2.0</h2>
<ul>
<li>en cours de réflexion par le groupe <a href="https://tools.ietf.org/wg/httpbis/">Hypertext Transfer Protocol Bis</a> <small>(httpbis)</small>,
<li>buts : multiplexage, compression des entête, pipelining,
<li>rétro-compatibilité complète,
<li>SPDY candidat pour HTTP/2.0,
<li>Microsoft propose <a href="https://tools.ietf.org/html/draft-montenegro-httpbis-speed-mobility-01">HTTP Speed+Mobility</a> (basé sur SPDY).
</ul>
</section>
</div>
<div class="slide" id="tools-and-resources-slide">
<section>
<h2>Outils et resources</h2>
<ul>
<li>telnet, curl, wget,