Systematic Outline for Understanding Web Communication

/ Naixian Zhang

Level 1: The Basics – Participants and Addressing

  • Client: The entity making the request (e.g., your web browser, a mobile app, a command-line tool like curl).
  • Server: The entity hosting the resource and responding to the request (e.g., a web server like Apache or Nginx running on a machine hosting website files or application logic).
  • IP Address (Internet Protocol): The unique numerical address of a device on a network (like 192.0.2.1 or a longer IPv6 address). How computers find each other.
  • DNS (Domain Name System): The “phonebook” of the internet. Translates human-readable domain names (like www.google.com) into machine-readable IP addresses.

Level 2: The Connection – Establishing the Link

  • TCP/IP (Transmission Control Protocol/Internet Protocol): The fundamental suite of protocols governing how data is broken down, sent, and reassembled across networks. TCP provides reliable, ordered, and error-checked delivery of data between applications.
  • Ports: Numbers used to identify specific applications or services running on a server (e.g., Port 80 for standard HTTP, Port 443 for HTTPS). Allows the server’s operating system to direct incoming traffic to the correct program (e.g., the web server software).

Level 3: The Language – HTTP (Hypertext Transfer Protocol)

  • HTTP Versions:
    • HTTP/1.0 (Older, less efficient connections).
    • HTTP/1.1 (Introduced persistent connections, pipelining, mandatory Host header – the long-time standard).
    • HTTP/2 (Introduced multiplexing, binary protocol, header compression – significantly faster).
    • HTTP/3 (Uses QUIC protocol over UDP – aims for lower latency, better on lossy networks).
  • Request-Response Cycle: The fundamental pattern: Client sends a request, Server sends a response.
  • HTTP Request Structure:
    • Method (Verb): The action the client wants to perform (e.g., GET to retrieve data, POST to submit data, PUT to update, DELETE to remove).
    • URI/Path: The specific resource being requested (e.g., /index.html, /api/users/123).
    • HTTP Version: (e.g., HTTP/1.1).
    • Headers: Key-value pairs providing metadata about the request (e.g., Host: http://www.example.com, User-Agent: Chrome/…, Accept: text/html, Authorization: Bearer …, Cookie: …).
    • (Optional) Body: Contains data being sent to the server (e.g., form data submitted via POST).
  • HTTP Response Structure:
    • HTTP Version: (e.g., HTTP/1.1).
    • Status Code & Reason Phrase: The outcome (e.g., 200 OK, 404 Not Found, 304 Not Modified, 500 Internal Server Error). Crucial for understanding the result.
    • Headers: Key-value pairs providing metadata about the response (e.g., Content-Type: text/html, Content-Length: 1234, Set-Cookie: …, Cache-Control: …, ETag: …).
    • (Optional) Body: Contains the actual resource requested (HTML code, JSON data, image data, etc.). Usually absent for 304 or error responses.

Level 4: Security – Protecting the Conversation

  • HTTPS (HTTP Secure): HTTP layered over an encryption protocol (TLS/SSL).
  • TLS/SSL (Transport Layer Security / Secure Sockets Layer): The cryptographic protocols that provide:
    • Encryption: Protects data from eavesdropping.
    • Authentication: Verifies the identity of the server (via Certificates).
    • Integrity: Ensures data hasn’t been tampered with in transit.
  • Certificates: Digital documents issued by Certificate Authorities (CAs) that bind a public key to a domain name, used to authenticate the server.

Level 5: Data & State – What’s Being Sent and Remembered

  • Data Formats: Common types of data exchanged (HTML, CSS, JavaScript, JSON, XML, Images, Video, etc.). Specified by the Content-Type header.
  • Cookies: Small pieces of data sent by the server and stored by the client browser. Sent back with subsequent requests to the same server, used to maintain state (e.g., login sessions, user preferences).
  • Sessions: Server-side mechanism to track user state, often using a session ID stored in a cookie.
  • APIs (Application Programming Interfaces): Contracts defining how software components interact, often over HTTP (e.g., REST APIs using JSON over HTTP).

Level 6: Performance & Architecture – Making it Fast and Scalable

  • Caching: Storing copies of resources closer to the client (browser cache, proxy cache, CDN) to reduce latency and server load (relates to 304 Not Modified).
  • CDNs (Content Delivery Networks): Geographically distributed servers that cache content closer to users globally.
  • Load Balancers: Distribute incoming requests across multiple servers to handle high traffic and improve availability.
  • Proxies (Forward/Reverse): Intermediaries that sit between clients and servers for various purposes (security, caching, load balancing).
  • WebSockets: A protocol providing full-duplex communication channels over a single TCP connection (allows real-time, bidirectional communication different from the standard HTTP request/response).

Worthnoting SSH is a network protocol it’s better than Telnet where you send commands without any encryption, it’s designed primarily for operating network services securely over an unsecured network. Its most famous application is providing secure remote login and command-line execution, but it also supports secure file transfers (SFTP, SCP) and tunneling other network protocols (port forwarding). How it Works:

Connection Setup: Client initiates a TCP connection to the SSH server (usually on port 22).

Key Exchange: Client and server securely negotiate encryption algorithms and generate temporary session keys (using asymmetric cryptography initially, then switching to faster symmetric encryption for the bulk data).

Server Authentication: The server proves its identity to the client, typically using a host key pair. The client usually checks this against a list of known hosts (~/.ssh/known_hosts) to prevent Man-in-the-Middle (MitM) attacks.

User Authentication: The client user proves their identity to the server. Common methods include:

Passwords (less secure)

Public Key Authentication (more secure, uses user-specific SSH key pairs)

Other methods (Kerberos, Host-based, etc.)

Secure Session: Once authenticated, all data exchanged (commands, output, file transfers) is encrypted using the negotiated symmetric session key. Data integrity is also ensured.

TLS is the modern standard cryptographic protocol designed to provide communications security over a computer network. SSL was its predecessor, and while the name SSL is often still used informally, TLS is the actual protocol in use today (versions 1.2 and 1.3 are common). TLS is most famously used to secure HTTP traffic, creating HTTPS. How it Works (Simplified TLS Handshake):

Authentication & Key Exchange: Client verifies the server’s certificate with the trusted CA. Client and server then use asymmetric cryptography (often based on the server’s certificate key pair) to securely generate a shared secret symmetric key for the session.

Client Hello: Client sends supported TLS versions, cipher suites, and a random number.

Server Hello: Server chooses TLS version and cipher suite, sends its random number, and crucially, its digital certificate (containing its public key and identity verified by a Certificate Authority – CA).

Worth to compare TLS and SSH:

FeatureSSH (Secure Shell)TLS (Transport Layer Security)
Primary PurposeSecure Remote Access/Control: Primarily for establishing a secure shell (command-line) connection to a remote computer, executing commands, and secure file transfers (SCP, SFTP).Secure Application-Level Communication: Primarily for securing data exchanged between applications, most notably web Browse (HTTPS), email (SMTPS, IMAPS), and other data streams.
Common Use Cases– Logging into remote Linux/Unix servers
– Git operations (push/pull code)
– Secure file transfer (SCP, SFTP)
– Port forwarding/tunneling		– Securing websites (HTTPS)
– Encrypting email (IMAPS, SMTPS)
– Securing API calls between services
– VPNs (some types)
What’s AuthenticatedPrimarily the User to the Server (via SSH keys or passwords), and optionally the server to the user (via host keys).Primarily the Server to the Client (via digital certificates issued by a Certificate Authority). Client authentication (client certificates) is optional but less common.
Trust Model“Trust-on-first-use” (TOFU) for host keys, or direct trust via SSH key management. You manually verify the server’s fingerprint initially.Certificate Authorities (CAs): Relies on a global hierarchy of trusted third parties (CAs) that issue and verify digital certificates for servers.
User InteractionOften direct command-line interaction; requires specific client software (e.g., ssh client, PuTTY).Mostly transparent to the end-user (e.g., the padlock in your browser for HTTPS); integrated into applications.

Now more details on SSH. Secure Shell. We’re familiar with RSA used by SSH, but other than RSA, ECDSA (Elliptic Curve Digital Signature Algorithm): A more modern alternative to RSA and DSA. EdDSA (Edwards-curve Digital Signature Algorithm), specifically Ed25519. DSA. In essence, Modern SSH implementations favor Elliptic Curve-based algorithms (ECDSA, Ed25519, ECDH) and strong symmetric ciphers (AES-GCM, ChaCha20-Poly1305) over older ones like DSA and sometimes even older RSA schemes.

SSH is just one way computers communicate securely (or insecurely) over a network. Let’s explore all the main types of communication protocols:

1️⃣ SSH (Secure Shell)

  • Purpose: Remote command execution, file transfer, tunneling.
  • Transport: TCP (default port 22)
  • Pros: Encrypted, authenticated, supports tunneling and SFTP.
  • Use case: Administering servers, transferring indexcalc logs, creating secure Grafana port tunnels.

2️⃣ HTTP / HTTPS

  • HTTP: HyperText Transfer Protocol — standard for web communication.
  • HTTPS: HTTP over TLS/SSL — encrypted version.
  • Port: 80 (HTTP), 443 (HTTPS)
  • Pros: Universal, works with APIs, easy to integrate with web apps and dashboards.
  • Use case: REST APIs for pushing/pulling financial data, serving dashboards.

Example: requests.get("https://api.marketdata.com/prices")

3️⃣ FTP / SFTP / SCP

ProtocolPurposeSecurity
FTPFile transfer❌ Not secure (plain text)
SFTPSSH File Transfer Protocol✅ Secure, runs over SSH
SCPSecure Copy✅ Secure, simple copy over SSH

Use case: Uploading daily reports or QC logs to a remote server.

4️⃣ WebSocket

  • Purpose: Real-time, bidirectional communication between client & server.
  • Port: Typically 80/443
  • Pros: Low latency, push updates in real time.
  • Use case: Market data streaming, real-time monitoring dashboards.

5️⃣ MQTT / AMQP / Kafka

  • MQTT: Lightweight publish/subscribe protocol.
  • AMQP (RabbitMQ): Advanced messaging, reliable queues.
  • Kafka: High-throughput event streaming.
  • Use case:
    • Financial market feeds → multiple subscribers (risk models, index calc).
    • Trigger QC pipelines when new data arrives.
  • Pros: Scalable, reliable, decoupled.

6️⃣ gRPC / Thrift

  • Purpose: Remote Procedure Calls (RPC) between services.
  • Transport: HTTP/2 (gRPC), binary protocol
  • Pros: Fast, typed, supports streaming
  • Use case: Microservices architecture, financial calculations across distributed systems.

7️⃣ Database Connections

  • Direct protocol: PostgreSQL, MySQL, MongoDB protocols.
  • Purpose: Querying data directly over the network.
  • Use case: IndexCalc reads/writes historical market data or QC results.

8️⃣ Custom TCP/UDP

  • TCP: Reliable, ordered communication.
  • UDP: Low-latency, but no guaranteed delivery.
  • Use case:
    • UDP → high-frequency market tick streaming.
    • TCP → order management systems, logs, or batch data transfer.

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.