← Back to Blake's Learning Hub

Lesson 13: The Internet & HTTP

How the web actually works — from URL to response
📅 March 2026 ⏱ ~90 min 🌐 Topics 1+2 of 6 📖 Year 12 Module 2

🔍 DevTools Debrief ~10 min

This entire section is a pedagogical warm-up — not examined by NESA. It exists to give the lesson context before theory begins.

In the last lesson I asked you to open DevTools → Network and poke around. Let's look at what you found before we explain anything.

A few questions to talk through:

  • How many requests did loading one page trigger? (Typical answer: 20–100+)
  • Did you spot any 3xx redirects? Any 404s?
  • What did the Headers tab show on one request?

Everything you saw in that Network tab is what this lesson explains. By the end you'll know exactly what each line means — the method, the URL, the status code, the headers, all of it.

📖 DNS — Finding the Address ~15 min

SE-12-05 — Networking Protocols

DNS is the internet's phone book. A domain name like volcanoic-pantheon.vercel.app is a human-friendly alias — computers don't route by name, they route by IP address (e.g. 76.76.21.21). DNS bridges these two worlds: it takes a domain name you can remember and returns the numeric address the network actually uses.

Beyond NESA — extra depth

The Full DNS Lookup Chain

When your browser needs to resolve a domain name, it walks through this chain until it gets an answer:

  1. Browser cache — The browser checks if it already looked up this domain recently. DNS results are cached with a TTL (time-to-live), so if the cache is still fresh, the lookup stops here.
  2. OS cache — If the browser doesn't have it, the operating system checks its own cache, plus the /etc/hosts file (or Windows hosts file) for any manual overrides.
  3. Recursive resolver — Your ISP's DNS server, or a public one like Google's 8.8.8.8. This server does the hard work of asking other servers on your behalf.
  4. Root name servers — There are 13 clusters of root servers worldwide. They don't know the IP of your domain, but they know where the TLD servers for each extension live.
  5. TLD name server — For a .app domain, the TLD server for .app knows which authoritative name server is responsible for Vercel's domains.
  6. Authoritative name server — Vercel's DNS. This server is the final authority — it returns the actual IP address for volcanoic-pantheon.vercel.app.
  7. Response cached — The IP is returned to your browser and stored at each step along the way with a TTL, so future lookups skip most of the chain.
Beyond NESA — real-world contextVP hook: This exact chain fires when someone visits volcanoic-pantheon.vercel.app. The first visit might take 50ms+ in DNS alone — subsequent visits are instant because the result is cached at every layer.
Beyond NESAWhy does DNS take multiple hops?

No single server knows every domain name on the internet — there are hundreds of millions of them. Instead, DNS uses distributed authority: each zone (root, TLD, individual domain) is managed separately. The recursive resolver acts as your agent, asking each level of the hierarchy in turn until it finds someone who has the definitive answer.

Beyond NESAWhat is a TTL?

TTL (time-to-live) is how many seconds a DNS record can be cached before it must be refreshed. Vercel sets short TTLs — typically 60–300 seconds — so their CDN can update IP addresses quickly when traffic needs to be rerouted. A longer TTL (like 86400s for a static personal site) means faster lookups but slower propagation when you change DNS records.

🤝 TCP — Opening the Connection ~8 min

Once DNS gives the browser an IP address, it needs to open a connection to that server. TCP (Transmission Control Protocol) handles this. TCP is a reliable, ordered delivery protocol — it guarantees that data arrives in the right order and retransmits anything that gets lost.

Before any HTTP data can flow, TCP performs a three-way handshake:

  1. SYN — The browser sends a synchronise packet to the server: "I want to connect." Beyond NESA — signal names
  2. SYN-ACK — The server replies: "OK, I'm ready. Synchronise + acknowledge." Beyond NESA — signal names
  3. ACK — The browser confirms: "Great, let's go." The connection is now open. Beyond NESA — signal names

Only after this handshake completes does the browser send its first HTTP request.

Beyond NESA — extra depth

What is a packet?

Data travelling across the internet is not sent as one giant stream — it is broken into chunks called packets. Each packet contains:

  • Source IP address (where it came from)
  • Destination IP address (where it's going)
  • Sequence number (so the receiver knows the order)
  • A chunk of the actual data payload

The receiving end reassembles packets in sequence order. If a packet is lost or corrupted in transit, TCP detects this via the sequence numbers and requests a retransmit — the missing packet is sent again.

For HTTPS, there is also a TLS handshake after the TCP handshake — the browser and server negotiate encryption before any HTTP data flows. We cover that in Section 5.

🌐 HTTP — The Language of the Web ~15 min

SE-12-05 — HTTP Protocol

HTTP (HyperText Transfer Protocol) is the protocol browsers use to ask for resources, and that servers use to respond. It is a plain-text request-response protocol — every interaction follows the same pattern: client sends a request, server sends back a response.

Beyond NESA — raw format detail

HTTP Request Anatomy

Here is a raw HTTP request — exactly what your browser sends when you visit Volcanic Pantheon:

Raw HTTP Request
GET /index.html HTTP/1.1
Host: volcanoic-pantheon.vercel.app
Accept: text/html,application/xhtml+xml
Accept-Language: en-AU,en;q=0.9
Connection: keep-alive

Breaking it down:

  • Request line — the first line: method (GET) + path (/index.html) + protocol version (HTTP/1.1)
  • Host header — tells the server which domain you want. One physical server can host many domains; the Host header is how it knows which one to serve.
  • Accept header — tells the server what content types the browser can handle Beyond NESA
  • Accept-Language — browser preference for language/locale Beyond NESA
  • Connectionkeep-alive means reuse this TCP connection for multiple requests rather than closing and reopening Beyond NESA
Beyond NESA — HTTP methods not listed in syllabus

HTTP Methods

The method tells the server what action you want to perform:

Method Purpose Body? Safe?
GET Retrieve a resource No Yes
POST Submit data / create resource Yes No
PUT Beyond NESA Replace a resource entirely Yes No
DELETE Beyond NESA Remove a resource No No
PATCH Beyond NESA Partially update a resource Yes No

"Safe" means the request doesn't modify server state — safe requests can be repeated without side effects.

Beyond NESA — real-world contextVP hook: Every fetch() call you write sends one of these methods. Fetching a JSON data file is GET. Submitting a login form is POST. Deleting a user account via an API would be DELETE.
Beyond NESA — raw format detail

HTTP Response Anatomy

The server's reply follows an equally structured format:

Raw HTTP Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 4321
Cache-Control: public, max-age=3600

<!DOCTYPE html>
<html>...

Breaking it down:

  • Status line — version (HTTP/1.1) + status code (200) + reason phrase (OK)
  • Content-Type — tells the browser what kind of data is in the body and how to handle it
  • Content-Length — the size of the body in bytes, so the browser knows when the response is complete Beyond NESA
  • Cache-Control — instructions for how long the browser (and CDN) can cache this response Beyond NESA
  • Blank line — separates headers from the body
  • Body — the actual content (HTML, JSON, an image, etc.)

Status Code Groups

Status codes are grouped by their first digit. Knowing the groups means you can reason about any code, even ones you haven't seen before:

Range Meaning Common Examples
2xx Success 200 OK, 201 Created, 204 No Content
3xx Redirect 301 Moved Permanently, 302 Found, 304 Not Modified
4xx Client error 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found
5xx Server error 500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable

🔒 HTTPS and TLS ~18 min

SE-12-05 — Security in Protocols

Plaintext and Ciphertext

Two terms you need before diving into TLS:

  • Plaintext — data in its original, readable form. An HTTP request body like {"password": "hunter2"} is plaintext — anyone who intercepts it can read it immediately.
  • Ciphertext — data that has been transformed by an encryption algorithm using a key, making it unreadable without the corresponding decryption key. The same password, once encrypted with a session key, looks like random noise to an interceptor.

TLS's job is to convert all HTTP traffic from plaintext to ciphertext for the duration of the connection. The server and browser are the only parties with the session key needed to decrypt it.

HTTPS = HTTP + TLS (Transport Layer Security). Everything about HTTP stays the same — the same methods, headers, status codes, request and response structure. The difference is that the entire connection is encrypted before any HTTP data flows.

After the TCP handshake completes, a TLS handshake happens in three phases:

  1. Negotiate — Browser and server agree on which cipher suite (encryption algorithm) to use. They share their capabilities and pick the strongest option both support.
  2. Verify — The server sends its TLS certificate. The browser checks that the certificate was issued by a CA (Certificate Authority) it trusts, that it covers the right domain, and that it hasn't expired.
  3. Session key — Browser and server use asymmetric cryptography (RSA or ECDH) to securely agree on a shared symmetric session key. All further data is encrypted with that symmetric key — much faster than asymmetric for bulk data.

Cross-link to Lesson 7: You covered asymmetric vs symmetric cryptography in Lesson 7 — this is that same asymmetric-then-symmetric handoff in real-world practice. The handshake uses asymmetric crypto to bootstrap a symmetric session key safely.

Beyond NESA — extra depth

Certificate Chains

TLS certificates don't stand alone — they form a chain of trust. For Volcanic Pantheon:

  • Leaf certificatevolcanoic-pantheon.vercel.app, issued to your site by Vercel via Let's Encrypt
  • Intermediate CA — Let's Encrypt Authority X3, vouches for the leaf certificate
  • Root CA — ISRG Root X1, which is pre-installed as a trusted authority in your OS and browser

Your browser walks this chain: "I trust ISRG Root X1 (it's in my trust store) → ISRG Root X1 vouches for Let's Encrypt → Let's Encrypt vouches for this leaf certificate → the leaf certificate is valid for this domain." If any link in the chain breaks, the browser shows a certificate error.

Hash Values and Digital Signatures

Certificate verification relies on two more cryptographic tools:

Hash Values

A hash function takes any input and produces a fixed-length output called a hash value (or digest). The same input always produces the same hash. Critically, even a one-character change to the input produces a completely different hash, and it is computationally infeasible to reverse — you cannot reconstruct the original input from the hash alone.

Example: SHA-256 always outputs 64 hex characters regardless of input size. This makes hash values useful for verifying that data has not been tampered with.

Digital Signatures

A digital signature proves that a piece of data was created by a specific party and has not been modified since. Here is how a CA uses one to sign your TLS certificate:

  1. The CA takes the certificate content (domain name, public key, expiry date) and computes its hash value.
  2. The CA encrypts that hash with its own private key. This encrypted hash is the digital signature.
  3. When your browser receives the certificate, it decrypts the signature using the CA's public key (pre-installed in your OS as a trusted authority) to recover the original hash.
  4. The browser independently hashes the certificate content it received. If its computed hash matches the decrypted hash, the certificate is genuine — it was signed by that CA and has not been modified in transit.

This is why forging a TLS certificate without the CA's private key is computationally impossible — you cannot produce a valid signature.

Beyond NESA — revision from SSA module

Why HTTPS matters even for Volcanic Pantheon

Without HTTPS: anyone on the same network (café WiFi, university network) can read every request and response — usernames, passwords, session tokens, page contents, everything. This is called a man-in-the-middle (MITM) attack.

With HTTPS: even if traffic is intercepted, it is encrypted gibberish without the session key. The attacker can see that you connected to a domain, but not what was exchanged.

Vercel handles HTTPS automatically for all sites, including Volcanic Pantheon — it provisions the Let's Encrypt certificate and renews it every 90 days without you doing anything.

📡 Other Web Protocols & Ports ~15 min

SE-12-05 — Web Protocols

Port Numbers

Every protocol runs on a specific port — a numbered channel on a server. When your browser connects to a server, it specifies both an IP address and a port. Protocols have standard ("well-known") ports so software knows where to connect without being told.

Protocol Port(s) Purpose Encrypted?
HTTP 80 Web pages (unencrypted) No
HTTPS 443 Web pages (TLS encrypted) Yes
DNS 53 Domain name resolution No (by default)
FTP 20 / 21 File transfer (unencrypted) No
SFTP 22 Secure file transfer (SSH) Yes
SMTP 25 / 587 Sending email 587 uses TLS
POP3 110 / 995 Receiving email (download & remove) 995 uses TLS
IMAP 143 / 993 Receiving email (sync across devices) 993 uses TLS

When no port is in a URL, the browser assumes port 80 for HTTP and 443 for HTTPS. A URL like https://example.com:8443 explicitly overrides the default.

FTP and SFTP — File Transfer

FTP (File Transfer Protocol) is one of the oldest internet protocols, designed for transferring files between computers. It predates the web entirely. The critical problem: FTP sends everything in plaintext, including usernames and passwords. Anyone intercepting the connection can read credentials directly.

SFTP (SSH File Transfer Protocol) replaces FTP with an encrypted alternative. Despite the similar name, SFTP is not FTP-over-TLS — it is a completely different protocol built on top of SSH (Secure Shell). All data, including credentials, is encrypted end-to-end.

FTP is insecure

Modern servers use SFTP. FTP is still encountered in legacy systems but must not be used for anything sensitive — credentials travel in plaintext.

Email Protocols — SMTP, POP3, IMAP

Email uses separate protocols for sending and receiving:

  • SMTP (Simple Mail Transfer Protocol) — used to send email. When you hit send, your mail client uses SMTP to deliver the message to your mail server, which uses SMTP again to relay it onward to the recipient's server.
  • POP3 (Post Office Protocol v3) — used to receive email by downloading messages from the server to your local device. Messages are typically removed from the server after download. Works well for one device; breaks across multiple devices.
  • IMAP (Internet Message Access Protocol) — also used to receive email, but keeps messages stored on the server and syncs state (read/unread, folders, flags) across all devices. This is what Gmail, Outlook, and Apple Mail use.

Key distinction: POP3 downloads and removes. IMAP syncs. If marking an email as read on your phone also marks it on your laptop — that's IMAP.

Why does FTP use two ports (20 and 21)?

FTP separates control from data. Port 21 carries the control connection — commands like login, list directory, retrieve file. Port 20 carries the actual data transfer. This split design is a historical quirk from the 1970s that SFTP eliminates entirely by running everything over a single SSH connection on port 22.

📊 Big Data on the Web ~8 min

SE-12-05 — Web Architecture

The scale of data flowing through the modern web creates architectural challenges that ordinary web design doesn't address. Three key concepts:

Data Mining

Data mining is the automated process of analysing large datasets to discover patterns, correlations, and insights that would not be visible by reading data manually. Web applications generate enormous volumes of behavioural data — clicks, search queries, purchase histories, time spent on pages — and data mining extracts actionable intelligence from it.

Examples: Netflix mining viewing patterns to recommend content; Google mining search queries to improve autocomplete; retailers mining purchase histories to target advertising.

Metadata

Metadata is data about data — it describes the properties of a resource without being the resource itself:

  • An image file's metadata includes its dimensions, camera model, GPS coordinates, and timestamp — not the pixels themselves
  • An email's metadata includes sender, recipient, subject, timestamp, and server hops — not the message body
  • A web request's metadata includes the URL, timestamp, browser/OS, and IP address — even when the body is encrypted by HTTPS

Metadata is often more revealing than content. Even if HTTPS hides what you downloaded, your ISP can still see which server you connected to and when.

Streaming Service Management

Delivering continuous data (video, audio, live events) at scale requires specialised infrastructure:

  • Content Delivery Networks (CDNs) — cache video segments at servers geographically close to viewers to reduce latency. When you stream a video, you're likely connecting to a CDN server in your city, not the origin server overseas.
  • Adaptive bitrate streaming — the player monitors your connection speed and switches between quality levels (4K → 1080p → 720p) in real time to prevent buffering rather than failing.
  • Load balancing — distributes millions of concurrent connections across thousands of servers so no single server becomes a bottleneck and causes an outage.

🧩 Challenge — Read the Raw Request ~4 min

This is a practical comprehension exercise — not a NESA exam format. It draws on the HTTP anatomy content above, which is also beyond NESA.

Challenge: Decode This Request

Here is a raw HTTP request. Work through the questions below before revealing the answers.

Raw HTTP Request
POST /api/login HTTP/1.1
Host: app.example.com
Content-Type: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9...
Content-Length: 47

{"username": "blake", "password": "hunter2"}
Q1 — What method is this, and what does that tell you?

POST — it's sending data to the server, not just retrieving something. Specifically, it's submitting login credentials. A GET request couldn't carry a body, and putting credentials in a URL (as GET parameters) would be a serious security mistake — URLs appear in logs, browser history, and Referer headers.

Q2 — What does the Authorization header contain?

A Bearer token — specifically a JWT (JSON Web Token, identifiable by its eyJ... prefix). The client already has a session token and is sending it alongside this request. This is unusual for a login endpoint (you'd normally authenticate to get a token), so this might be a token-refresh request, or the client is re-authenticating while already holding a session.

Q3 — Is this request safe to send over plain HTTP? Why or why not?

No. Even though the URL doesn't reveal the password, the request body contains credentials in plaintext: "password": "hunter2". Without HTTPS, anyone intercepting traffic on the network can read the body verbatim. The Content-Type is application/json, not encrypted — HTTP carries it in the clear. Always use HTTPS for any endpoint that handles credentials or sensitive data.

Q4 — What status code would you expect if login succeeds? If the password is wrong?

Success: 200 OK (with a JWT or session token in the response body). Some APIs return 201 Created if a new session resource is being created.

Wrong credentials: 401 Unauthorized — the client failed to authenticate. The server should not reveal which part was wrong (username vs password), to avoid leaking whether a username exists.

✅ Knowledge Check ~10 min

HSC-style questions. Try to answer each one before expanding — the exam will expect you to write these out in full sentences.

Q1 — A student types https://example.com into their browser. List, in order, the steps that occur before any HTML is received.
  1. Browser checks its DNS cache for example.com's IP address.
  2. If not cached, the OS cache and hosts file are checked.
  3. If still not found, the recursive resolver (ISP or 8.8.8.8) is queried.
  4. The recursive resolver queries the root name servers, then the TLD name server for .com, then the authoritative name server for example.com.
  5. The IP address is returned and cached at each hop with a TTL.
  6. The browser initiates a TCP connection: SYN → SYN-ACK → ACK (three-way handshake).
  7. Because the URL uses HTTPS, a TLS handshake follows: negotiate cipher suite, verify the server's certificate chain, establish a symmetric session key.
  8. The browser sends: GET / HTTP/1.1 with a Host header of example.com.
  9. The server responds with HTTP/1.1 200 OK and the HTML body.
Q2 — Explain the difference between a 401 and a 403 HTTP status code.

401 Unauthorized means the client has not provided valid authentication credentials — you are not logged in, or your token is missing or invalid. The message is: "I don't know who you are; try authenticating."

403 Forbidden means the client is authenticated (the server knows who you are) but you do not have permission to access the requested resource — you are logged in, but your role or access level doesn't cover this endpoint or resource.

The distinction matters for security: returning 403 reveals that the resource exists but is off-limits. Sometimes servers return 404 instead of 403 to avoid disclosing whether a resource exists at all — this is called "security through obscurity" (which you covered in Lesson 10).

Q4 — A developer needs to let a client upload large files to a server. They suggest using FTP. What is the security concern, and what should they use instead?

FTP transmits everything — including usernames and passwords — as plaintext. Anyone on the same network path can intercept the connection and read credentials directly, with no decryption required.

The developer should use SFTP (SSH File Transfer Protocol) instead. SFTP encrypts all data, including credentials, using SSH — so intercepted traffic is ciphertext that cannot be read without the private key.

A common misconception: SFTP is not FTP with TLS bolted on — it is an entirely different protocol built on SSH, and it runs on port 22 (not FTP's ports 20/21).

Q5 — Explain how a digital signature allows a browser to verify that a TLS certificate is genuine.
  1. The CA (Certificate Authority) takes the certificate content and computes its hash value using a hashing algorithm such as SHA-256.
  2. The CA encrypts that hash with its own private key, producing the digital signature.
  3. The browser receives the certificate and its signature. It uses the CA's public key (pre-installed as a trusted root in the OS) to decrypt the signature and recover the original hash.
  4. The browser independently hashes the certificate content it received. If the two hashes match, the certificate is confirmed genuine — it was signed by that CA and has not been tampered with.

If even one byte of the certificate was altered after signing, the hashes would not match and the browser would display a certificate error.

Q3 — Why is HTTPS required even if a website contains no sensitive data?

Even entirely public pages benefit from HTTPS for several reasons:

  1. Content integrity — Without HTTPS, ISPs, café WiFi operators, or anyone on the network path can inject content into pages (advertisements, malicious scripts, cryptocurrency miners). HTTPS ensures the page arrives exactly as the server sent it.
  2. Privacy — Even if the page content isn't sensitive, the pattern of which pages a user visits is. HTTP lets intermediate parties build a profile of browsing habits; HTTPS limits what they can observe to the domain name only.
  3. Trust signals — Browsers label HTTP sites as "Not Secure" in the address bar, which reduces user confidence and can affect search ranking (Google penalises HTTP sites in its ranking algorithm).
← Back to Learning Hub