<P> HTTP is not encrypted and is vulnerable to man - in - the - middle and eavesdropping attacks, which can let attackers gain access to website accounts and sensitive information, and modify webpages to inject malware or advertisements . HTTPS is designed to withstand such attacks and is considered secure against them (with the exception of older, deprecated versions of SSL). </P> <P> HTTP operates at the highest layer of the TCP / IP model, the Application layer; as does the TLS security protocol (operating as a lower sublayer of the same layer), which encrypts an HTTP message prior to transmission and decrypts a message upon arrival . Strictly speaking, HTTPS is not a separate protocol, but refers to use of ordinary HTTP over an encrypted SSL / TLS connection . </P> <P> Everything in the HTTPS message is encrypted, including the headers, and the request / response load . With the exception of the possible CCA cryptographic attack described in the limitations section below, the attacker can only know that a connection is taking place between the two parties and their domain names and IP addresses . </P> <P> To prepare a web server to accept HTTPS connections, the administrator must create a public key certificate for the web server . This certificate must be signed by a trusted certificate authority for the web browser to accept it without warning . The authority certifies that the certificate holder is the operator of the web server that presents it . Web browsers are generally distributed with a list of signing certificates of major certificate authorities so that they can verify certificates signed by them . </P>

What two types of information are encrypted by the https protocol (choose two.)