S-HTTP encrypts only the served page data and submitted data like POST fields, leaving the initiation of the protocol unchanged. Because of this, S-HTTP could be used concurrently with HTTP (unsecured) on the same port, as the unencrypted header would determine whether the rest of the transmission is encrypted. In contrast, HTTP over TLS wraps the entire communication within
Transport Layer Security (TLS; formerly SSL), so the encryption starts before any protocol data is sent. This creates a
name-based virtual hosting "chicken and egg" issue with determining which
DNS name was intended for the request. This means that HTTPS implementations without
Server Name Indication (SNI) support require a separate
IP address per DNS name, and all HTTPS implementations require a separate port (usually 443 vs. HTTP's standard 80){{cite web As documented in , HTTP can also be secured by implementing
HTTP/1.1 Upgrade headers and upgrading to TLS. Running HTTP over TLS negotiated in this way does not have the implications of HTTPS with regards to name-based virtual hosting (no extra IP addresses, ports, or URI space). However, few implementations support this method. In S-HTTP, the desired URL is not transmitted in the cleartext headers, but left blank; another set of headers is present inside the encrypted payload. In HTTP over TLS, all headers are inside the encrypted payload and the server application does not generally have the opportunity to gracefully recover from TLS fatal errors (including 'client certificate is untrusted' and 'client certificate is expired'). ==References==