By now, almost every advanced internet user has heard of HTTP. If you are reading this, you have heard about HTTP and the more secure version of it – HTTPS.
So what is HTTPS? If you look at the address bar of your browser right now, you will notice the padlock icon and the ‘https://’ prefix. This means that you are already using HTTPS to transfer data.
However, before you can understand what HTTPS means and why it matters, you first have to understand the meaning of HTTP.
What is HTTP?
So what is HTTP? HTTP, also called HyperText Transfer Protocol, is the cornerstone of the internet’s data transfer process, through which you can fetch resources such as HTML documents and load web pages. It’s an application layer protocol for making connections between networked devices and enabling information transfer, usually initiated by the receiver.
However, although HTTP is great for information transfer, it has one major flaw – HTTP transmits information in the form of clear text (transparent and unencrypted text), so hackers can easily intercept and read your data traffic. Not only that, but it’s also possible for interceptors to alter the transmitted data before the receiver sees it. Because of this, HTTPS was made!
What is HTTPS?
HyperText Transfer Protocol Secure, or HTTPS, is a secure and encrypted variation of HTTP that only connects through Secure Sockets Layer (SSL) or Transport Layer Security (TLS). In other words, HTTPS is HTTP with security features, hence the Secure in HTTPS. It can also be termed HTTP over TLS/SSL.
HTTPS encrypts information being transferred, which is crucial for sensitive information in transit such as login details, personal information, social security numbers, etc. Without encrypting sensitive or non-sensitive data transmissions, a hacker or eavesdropper could steal this private information and abuse it for their personal gain.
HTTPS was originally only used to secure highly sensitive data such as passwords, while other information, like what websites you visit, what you view on those websites, how much time you spend on them, what you downloaded, etc., could easily be viewed by third parties, for instance hackers, ISPs (internet service providers), and government agencies.
How Does HTTPS Work?
To understand how HTTPS works, you need to know the three motivations for using HTTPS, which are:
These goals are achievable by encrypting HTTP traffic.
HTTPS encryption can be likened to locking a clear text HTTP message inside a box which is then sent over the network. Anyone with a copy of the key can unlock the box and read the message. Without an identical and symmetric key, no one else can unlock the box.
But then a problem arises: how do you share the key over a network with your target while keeping it away from interceptors?
We use a pair of asymmetric keys that work in tandem. Of the two asymmetric keys, one is public and can be freely publicized and shared with your friends, whereas the other is private, meaning it must be kept top secret.
The public key is used to lock (encrypt) a message while the private key is used to unlock (decrypt) a message locked by its public counterpart.
So when a friend wants to send you an HTTPS message, they encrypt their message using your public key and send it. You then decrypt and read the message (which includes the sender’s public key) using your private key.
After receiving their message, you reply to them with a message similarly locked with their shared public key. They can decrypt the message using their private key. Once both sides have confirmed each other, a secure connection has been established and verified. This is called a handshake.
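The box-and-key idea above, as an added example that is not part of the original article: the client locks a random symmetric secret with the server's public key, and that secret then encrypts the HTTP message and tags it so that an altered message is rejected. The tiny textbook RSA key and the SHA-256 keystream are constructed teaching stand-ins, not the algorithms real TLS uses, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy server key pair: textbook RSA over two known Mersenne primes.
# Constructed for illustration only; far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537                    # public key: safe to publish
D = pow(E, -1, (P - 1) * (Q - 1))      # private key: never leaves the server

def wrap_secret(secret: int) -> int:
    """Client side: lock the shared secret with the server's public key."""
    return pow(secret, E, N)

def unwrap_secret(wrapped: int) -> int:
    """Server side: unlock it with the private key."""
    return pow(wrapped, D, N)

def derive_keys(secret: int):
    """Turn the shared secret into separate encryption and MAC keys."""
    raw = secret.to_bytes(8, "big")
    return (hashlib.sha256(b"enc" + raw).digest(),
            hashlib.sha256(b"mac" + raw).digest())

def xor_stream(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream (same call encrypts and decrypts)."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(secret: int, plaintext: bytes) -> bytes:
    """Put the message in the box: ciphertext followed by a 32-byte integrity tag."""
    enc_key, mac_key = derive_keys(secret)
    body = xor_stream(enc_key, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_box(secret: int, box: bytes) -> bytes:
    """Check the tag first, then decrypt; altered or wrongly keyed boxes are rejected."""
    enc_key, mac_key = derive_keys(secret)
    body, tag = box[:-32], box[-32:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message altered in transit")
    return xor_stream(enc_key, body)

def handshake_and_send(request: bytes):
    """Return (bytes an eavesdropper sees on the wire, message the server reads)."""
    client_secret = secrets.randbits(64)         # client picks the symmetric key
    wrapped = wrap_secret(client_secret)         # only the locked form is sent
    server_secret = unwrap_secret(wrapped)       # server recovers the same key
    wire = seal(client_secret, request)
    return wire, open_box(server_secret, wire)
```

Each key is used for a single message here; a real protocol also mixes in a fresh nonce per record so the keystream never repeats.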
To identify a website reliably, trustworthy third parties who can vouch for a website’s identity issue SSL certificates. Organizations like GlobalSign, Let’s Encrypt, VeriSign, etc. all issue these SSL certificates. Without a correct SSL certificate, the padlock icon and HTTPS protocol can’t be activated.
However, any website using HTTPS can obtain an SSL certificate, and having one doesn’t mean the website is trustworthy. It only means that no interceptor can read your traffic to and from the website.
Why is HTTPS Important?
HTTP broadcasts information in small packets that are unencrypted and can easily be captured (sniffed) and reassembled using software like Wireshark. On the other hand, HTTPS encrypts information before broadcasting which makes it hard for interceptors to decrypt and read your information.
Here is what an eavesdropper sees after ‘sniffing’ a connection, before encryption (HTTP) and after encryption (HTTPS).
|HTTP: Before Encryption||HTTPS: After Encryption|
|May the force be with you.||4d5538535857644b6369346245695541516a456664553853547a5657504735474e4778626433774c5268635546545a504a434946454330415548645763685666435164524a69416355 …|
It’s quite clear that HTTP doesn’t offer any information security, whereas HTTPS information appears as gibberish to an attacker. Therefore, if you want to keep your online activities as private as they should be, only use HTTPS-encrypted websites and HTTPS-enforcing browser extensions like HTTPS Everywhere.
HTTPS prevents man-in-the-middle (MitM) or eavesdropping attacks. HTTPS also blocks attackers from tampering with or altering your data in transit.
- Blocks MitM attackers
- Added privacy and security of information
- The identity of the website can be verified
- Better SEO website ranking due to using HTTPS
HTTP vs HTTPS
In HTTP, information is transmitted as clear text that can be easily read, whereas HTTPS only transmits information that has been encrypted. In addition, HTTP connections use port 80 by default while HTTPS connections use port 443.
Another difference between HTTP and HTTPS is that HTTP operates only at the application layer while HTTPS operates on the transport layer.
HTTPS Meaning – Concluded
There’s no doubt that the internet has come a long way since Sir Tim Berners-Lee first initiated the hypertext transfer protocol (HTTP) in 1989. Since then, HTTP has gone through several evolutions; some were successful while others were not so much.
The HTTPS protocol came about to address the deficiencies of HTTP. HTTPS has its drawbacks, like increased cost, reduced web performance, and more computing resource usage. However, in the grand scheme of things, the benefits of using HTTPS outweigh the drawbacks.