Each time you visit a website in your browser, you can see that the prefix in front of the actual address is not always the same. Some URLs use the HTTP protocol (http://) and others use the HTTPS protocol (https://). Even your browser will acknowledge this difference by displaying a warning sign next to websites that use HTTP or a padlock next to HTTPS. Have you ever wondered what do these prefixes represent and what is the difference between them? Well, it’s more than just the letter ‘s’ and this guide will be a great lesson about internet security for beginners.
HTTP vs. HTTPS – Content Index
So, are you ready to dig a little deeper into what makes HTTP and HTTPS so different? Here’s everything you need to know.
Lesson One: What is HTTP?
HTTP is an abbreviation for HyperText Transfer Protocol. It’s the foundation of data transfer and communication of the World Wide Web. Funnily enough, in 2019, CERN introduced both the World Wide Web and the HTTP protocol.
The funny thing here is that CERN stands for European Organization for Nuclear Research (Conseil Européen pour la Recherche Nucléaire). Why did CERN decide to invent the World Wide Web when it is so far from the area they study and research?
Well, Tim Berners-Lee, a British scientist working at CERN wanted to develop an automated way of sharing information between scientists working around the world. The Internet was already a thing which connected millions of computers. However, the idea was to organize it using the following three technologies:
- HTML (HyperText Markup Language): The formatting language for the World Wide Web which provides a way to structure documents intended to be displayed in the browser.
- URL (Uniform Resource Identifier): An address that is unique to a resource on the web.
- HTTP (HyperText Transfer Protocol): Based upon hyperlinks which can link to other resources on the web simply by clicking it in your web browser.
And How Does It Work?
Being the first protocol on the web, it’s is the simplest one, as it allows you (the user) to fetch a website or other services online. How? It does that in 5 simple steps:
- You send an HTTP request to open access to a URL
- A web server receives your request
- The server does everything necessary to process your request
- An HTTP response is sent back to your browser
- You receive the response
The key aspect of HTTP is that it works on demand. This protocol couldn’t care less about how the data flows between you and the server. Its only task is to complete the five steps above as quickly as possible (depending on your internet connection, as well as the server speed/load and Internet congestions.
The 7 Protocol Layers – What’s That?
Before we can explain it further, we need to do a quick networking lesson in protocol layers. Most networks are structured in layers. Each layer has its unique function and they can be arranged from top to bottom based on how the communication takes place on your computer.
The International Organization for Standardization (ISO) introduced the Open Systems Interconnection (OSI) model that uses structured layers. There are seven of them so let’s check them out in a table from top to bottom with a short description:
Layer number | Name | Short Description |
7 | Application | Handles how data is used in the correct application |
6 | Presentation | Makes sure that data’s format and presentation is in the proper form |
5 | Session | Manages how connections are opened and closed between participating computers |
4 | Transport | Oversees data during its transport between nodes |
3 | Network | Addresses data delivery between different networks |
2 | Data Link | Defines how the data is transferred using the network medium |
1 | Physical | Regulates the characteristics of the hardware involved |
HTTP and TCP: What’s the Connection?
HTTP uses TCP (Transmission Control Protocol) to send and receive packets. But wait, what does TCP have to do with HTTP? They both sound like they are doing the same thing. Well, TCP is a transport layer protocol that explains how data will travel between two computers.
Its main task is to transfer data whereas HTTP makes sure the data goes to the correct application and presented in the required form. This is the case because HTTP is an application protocol. To visualize, HTTP deals with the final destination of data being sent and TCP is in charge of its journey.
Everything mentioned above makes HTTP vulnerable to data interceptions and a need for a more secure protocol was born.
An “S” Comes Into Play – Enter HTTPS
HTTPS (HyperText Transfer Protocol Secure) is a younger brother, a newer version of HTTP. You’ve probably already guessed that the letter ‘s’ stands for Secure. It’s the secure version of HTTP which Netscape Communications launched back in 1994 for its Navigator web browser. It’s more advanced than HTTP and it’s much, much more secure!
When you try to connect to a website using HTTP, there won’t be any encryption present to protect your data, and anyone who eavesdrops the communication channel can read everything you sent along with the request. This can compromise the client (you) in so many different ways.
Let’s say that you want to purchase something online and you just entered the required information about your credit card. Anyone listening in on the connection might see all numbers and other data you just entered. Also, they can know what the data represents and boom! You’ve just been a victim of online theft!
How does it work? Well, it operates on the transport layer, unlike HTTP which operates at the application level. HTTPS’s core is in its use of an encryption protocol called Transport Layer Security (TLS), formerly known as Secure Sockets Layer (SSL).
A New Player in Town – TLS
Well, you can now notice the second notable difference as the TCP protocol was used in HTTP instead. TLS is a cryptographic protocol that provides secure communication between two nodes in a network, and it’s widely used for every sensitive and non-sensitive online transmission of data.
Aside from HTTPS, TLS is widely used for instant messaging, e-mail, and VoIP (Voice over Internet Protocol). It uses port 443.
How Does HTTPS Work
The use of an asymmetric public key infrastructure secures the communication. To visualize this infrastructure, the following terms have to be present:
- Cryptography: It’s a method of using mathematics to store and transfer data in a way where the said data can only be understood and processed by the participants of the connection (sender and receiver).
- Encryption: The process of using cryptography to create data illegible to everyone besides the communication’s participants is called encryption.
- Decryption: It’s just the opposite of encryption. The data transforms into a legible state using cryptography.
- Key: A key is a piece of information known by the sender and/or receiver which is used to perform the encryption or the decryption. Also, it will be the keyword in the discussion which will follow.
We mentioned that TLS uses an asymmetric public key infrastructure. Before we jump into that, let’s see just what does symmetric encryption looks like:
- There is only one secret key to encrypt and decrypt data. Both the sender and the receiver know about this key and its content. It can be a string of numbers, letters, and virtually anything; depending on the type of encryption used.
- The main setback is that the key also needs to be exchanged before the communication takes place for both parties to have access to it. This gives eavesdroppers a chance to intercept the key and use it to decrypt the information you are exchanging.
Asymmetric Encryption?
Asymmetric encryption is relatively new and it revolutionized cryptography as a science. Let’s see what it brings:
- There are two keys. The encryption key (public key) is available to everyone. It sends the message. However, the decryption key (secret key) is kept “secret” which ensures that the message can only be read by the intended receiver.
- The setback here is a bit different. For symmetric encryption, the key can be anything and it’s usually a 128/256-bit long string. For asymmetric encryption, there must be a mathematical relationship between the two keys. This gives attackers fewer options to try out and that is why asymmetric keys are significantly longer (usually 2048-bit long).
Wow, this trip to the field of Cryptography brings out a whole new world hidden behind simple website visits we visit every day. What’s even more interesting is that it’s 100% based on mathematics or, more specifically, a branch of mathematics that studies whole numbers and its properties: discrete mathematics.
The HTTPS Route
Let’s see what happens when you try to visit a website that uses the HTTPS protocol.
- Your browser sends a query to the website’s server and a TLS handshake occurs.
- A TLS handshake is a process that occurs at the start of a communication session based upon the TLS encryption. During the handshake, the client (your browser) and the server (of the website you are visiting) do the following:
- They agree on the version of TLS they will use (1.0, 1.2, 1.3, etc)
- Settle on which cipher suites to use
- The identity of the server is authenticated using the server’s public key and its SSL certificate
- They create session keys to use for symmetric encryption after the handshake is complete
- The communication continues with the generated session keys
Since we learned about symmetric and asymmetric encryption above, we now know that only the TLS handshake uses asymmetric encryption to settle on the key to use for symmetric encryption. Using asymmetric encryption all the time would take a significant amount of time.
The chance of anyone finding out about the key used for symmetric encryption is low since it was agreed upon during the asymmetric encryption process.
You might have noticed that the talk about HTTPS as a protocol without the security part is much shorter than the one about HTTP.
This is no accident since HTTP is not a different protocol. In its core, it’s the same protocol but instead of using the insecure TCP protocol, it uses TLS. Still, many differences come out of this change so let’s check them out!
Certificates Explained
SSL Certificates are data files that digitally bind a cryptographic key to an organization’s details. Once the company installs it on a web server, it will activate the HTTPS protocol, show a padlock next to the website, and allows secure connections from a web server to the browser.
Most notably, organizations use SSL to secure credit card transactions, logins, and of course, data transfers. However, recently, one of the most important websites that use SSL are social media sites nowadays.
This particular kind of cryptography consists of two keys which are long strings of randomly generated numbers. As mentioned above, these keys are the private key and public key. But you might still ask yourself this: Why do I need an SSL Certificate. Here’s why:
- Secure the data between servers.
- Increase Google ranking.
- Enhance customer’s trust.
- Better conversion rates.
SSL Certificates need to be issued from a trusted Certificate Authority. Browsers, operating systems, and mobile devices maintain a list of trusted CA root certificates. Is there a particular one? No. There are plenty of Authorities out there and they all share a particular part on the market. Let me give you a better look:
- Comodo (45.5%)
- Segtigo (21.9%)
- RapidSSL (15.1%)
- Thawte (9.9%)
- GeoTrust (7,2%)
HTTP vs HTTPS – A Short Summary
I know that I’ve provided you with everything about HTTP and HTTPS, but I’ve also provided you with a short comprehensive summary.
HTTP | HTTPS | |
Encrypted | No | Yes |
Port | 80 | 443 |
Relies on | TCP | TLS |
Layer of operation | Application layer | Application Layer |
Certificates | Not required | Required (SSL) |
URL | Starts with https:// | Starts with https:// |
Browsers promote it | No | Yes |
Speed | Faster | Slower (When it Comes to Downloads) |
We have already discussed most of the differences mentioned above. When it comes to browser supporting one protocol or another, the message is clear: use HTTPS! Visiting a website using HTTP will display a “not secure” warning next to the URL.
Google announced this in July 2018 for their Google Chrome browser. If Googe’s search engine itself favors HTTPS over HTTP, it’s natural to expect website owners to slowly switch to HTTPS completely since they don’t want to lose their website ranking.
HTTPS is used as the default protocol by 54.7% of all websites on the Internet and that number is rapidly increasing. For instance, the same percentage in August 2018 (a year ago as of writing this article) was around 37%.
HTTP vs. HTTPS – Final Words
HTTP being faster than HTTPS is kind of obvious as HTTPS is an upgrade that brought encryption. Encrypting and decrypting the data as well as requesting the website’s SSL certificate takes time. It all comes to easy access vs. security and the choice is up to every website owner. How helpful was this guide? Did you get everything you came for? Let me know in the comments below.