Difference HTTPS vs. HTTP? Why is HTTP not secure?

Do you pay attention to how the URL of the website begins?

Any web page is stored on a server, a computer that is permanently connected to the Internet. When you follow a link or enter a domain name in the address bar, the browser finds the desired server and downloads the page content. The same happens when you enter your account username and password on the site and click “Login.” The browser sends those details to the server. The server checks the data and sends the browser a page with the account open. This is how the browser and the server exchange data when you play a video on YouTube, go to Facebook, open an email or enter your bank card data to pay for online purchases. Some data is constantly being transmitted in different directions. You may have noticed that some links start with HTTP and others with HTTPS. Now we will explain what these letters mean and how they differ from each other.

What is HTTP?

HTTP is a widespread data transfer protocol designed initially to transmit hypertext documents (that is, documents that can contain links that allow navigation to other documents). It was invented in 1990, along with HTML, to create the first interactive text-based web browser: the original World Wide Web. Today, the protocol is still one of the most widely used on the Internet. But HTTP has a major drawback: it is inherently insecure because it doesn’t use encryption. This allows anyone who intercepts the traffic to view all the content. In addition, HTTP is unacceptable for businesses because it puts customers’ personal information at risk. With HTTP, the identity of the client and server is not verified, so either can be spoofed, and the integrity of the message cannot be proven.

If you get to an unsecured website, the browser will warn you

What Does HTTP stand for?

HTTP stands for HyperText Transfer Protocol. According to the OSI model, it is an application-layer (layer 7) protocol, and the current version of the protocol, HTTP 1.1, is described in RFC 2616. When you open a web page using HTTP, your web browser uses the Hypertext Transfer Protocol (on port 80) to request the page from a web server. When the server receives the request, it uses the same protocol to send the page back to you. This protocol is the basis for large, feature-rich systems with multiple inputs, such as the Internet. Without this foundation of communication processes, the Internet as we know it could not function because links require HTTP to work correctly. However, HTTP sends and receives data as plain text. This means that when you’re on a website using HTTP, anyone listening on the network can see everything that is transmitted between your browser and the server. This includes passwords, messages, files, and other things that should not be seen by a third party.

What is an HTTP request and HTTP response?

When a user interacts with web resources, HTTP requests are generated by the user’s browser. For example, if a user clicks a hyperlink, the browser will send a series of “HTTP GET” requests for the content displayed on that page. These HTTP requests are sent either to the source server or a caching proxy server, and that server generates an HTTP response. HTTP responses are responses to HTTP requests.

This is how the connection between the web browser and the server

What does an HTTP request look like?

Usually, an HTTP request is a set of lines of text corresponding to the HTTP protocol. For example, a GET request can look like this:

GET /hello.txt HTTP/1.1
User-Agent: curl/7.63.0 libcurl/7.63.0 OpenSSL/1.1.l zlib/1.2.11
Host: www.example.com
Accept-Language: en

This is a piece of text generated by a browser and sent over the Internet. The main problem is that it is sent exactly as shown, as plain text, which can be read by anyone monitoring the connection. This matters especially when users send sensitive data via a website or web application: passwords, credit card numbers, or any other data entered into a form are sent in clear text, making them available to others. (When the user submits the form, the browser sends an HTTP POST request instead of an HTTP GET request.)

When the server receives the HTTP request, it sends an HTTP response, which usually looks like this:

HTTP/1.1 200 OK
Date: Wed, 30 Jan 2021 12:14:39 GMT
Server: Apache
Last-Modified: Mon, 28 Jan 2021 11:17:01 GMT
Accept-Ranges: bytes
Content-Length: 12
Vary: Accept-Encoding
Content-Type: text/plain

Hello World!

As mentioned earlier, if a website uses HTTP instead of HTTPS, all of these requests and responses can be read by anyone. Therefore, an attacker can read the text in a request or response and thus know what information someone is requesting, sending, or receiving.

What is HTTPS?

HTTPS is similar to HTTP, with the critical difference being that it is secure. The Secure Hypertext Transfer Protocol uses SSL (Secure Sockets Layer) or TLS (Transport Layer Security), which wraps the data exchanged between your browser and the server in a secure, encrypted tunnel over port 443. Unlike HTTP, this makes it very difficult for anyone running a packet sniffer to read the traffic.

What Does HTTPS Mean?

The S in HTTPS stands for “secure”. Because HTTPS uses TLS or SSL to encrypt HTTP requests and responses, an attacker will see a string of seemingly random characters instead of the text in the above example.

Instead of the above:

GET /hello.txt HTTP/1.1
User-Agent: curl/7.63.0 libcurl/7.63.0 OpenSSL/1.1.l zlib/1.2.11
Host: www.example.com
Accept-Language: en

The attacker sees the following:

t8Fw6T8UV81pQfyhDkhebuz7+oiwldr1j2gHBB3L3RFTRsQCpaSnSBZ78Vme+DpDVJPvZdZUZHpzbqcqmSW1+3xXGsERHg9YDmpYk0VVDiRvw1H5miNieJeJ/FNUjgH0BmVRWpI6+T4MnDwmCMZUI/orxP3HGwYCSIvyS3MpmmSe4iaWKCOHQ==

So what are TLS and SSL in online security? Although TLS is the successor to SSL, you may still hear HTTPS referred to as HTTP over SSL. A website needs an SSL certificate to ensure the security of user data. The certificate also confirms ownership of the website, prevents intruders from creating a fake version of the site, and gains users’ trust. TLS and SSL are especially useful when shopping online. They keep financial data secure and are used on any website that requires sensitive data such as passwords, personal information, and payment details.

Another significant advantage of HTTPS is that it is much faster, which helps web pages load faster. So, since HTTPS is already considered secure, there is no need to do data scanning or filtering, which reduces the amount of data transferred. The easiest way to find out if the website you are on is using HTTPS or not is to look for the padlock icon to the left of the URL.

If you see this, then your connection is secure

How does TLS/SSL encrypt HTTP requests and responses?

TLS uses a technology called public-key cryptography. There are two keys, a public key and a private key, and the public key is sent to client devices via the server’s SSL certificate. After the client opens a connection to the server, the two devices use the public and private keys to negotiate new keys, called session keys, to encrypt further communications between them. From then on, all HTTP requests and responses are encrypted with these session keys, so anyone intercepting the messages sees only a random string of characters instead of the plaintext.

How does HTTPS help authenticate web servers?

HTTP has no identity verification; it is based on the principle of trust. Authentication means verifying that a person or machine is who they say they are. Although the architects of HTTP didn’t decide to trust all web servers implicitly, they had other priorities than security at the time. In today’s Internet, however, authentication is essential. Just as an ID verifies a person’s identity, a private key verifies a server’s identity. When a client opens a channel with the originating server (for example, when a user goes to a website), possessing a private key that matches the public key in a website’s SSL certificate proves that the server is the legitimate website host. This prevents or helps block many attacks that are possible without authentication, such as on-path attacks, DNS hijacking, BGP hijacking, and domain spoofing. In addition, an SSL certificate is digitally signed by the certificate authority that issued it. This ensures that the server is who it says it is.
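The authentication described above only protects a connection if the client actually performs both checks: the certificate chains to a trusted certificate authority, and it was issued for the host name being contacted. The following added example (not code from the original article) uses Python's standard `ssl` module to compare a default client configuration with two weakened ones; the function names and the gap labels are assumptions made for this illustration.

```python
import ssl

def authentication_gaps(ctx):
    """List the ways this client context fails to authenticate the server."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("chain-not-verified")      # CA signature is never checked
    if not ctx.check_hostname:
        gaps.append("hostname-not-checked")    # certificate may belong to another site
    return gaps

def strict_context():
    # Library defaults: verify the chain against trusted CAs and match the host name.
    return ssl.create_default_context()

def chain_only_context():
    # Accepts any CA-signed certificate, even one issued for a different domain,
    # so a spoofed host with its own valid certificate would pass.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx

def unauthenticated_context():
    # Still encrypts, but to whoever answers: no identity check at all.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def report():
    """Map each configuration name to its authentication gaps."""
    makers = (strict_context, chain_only_context, unauthenticated_context)
    return {make.__name__: authentication_gaps(make()) for make in makers}

if __name__ == "__main__":
    for name, gaps in report().items():
        print(f"{name}: {gaps or 'server is authenticated'}")
```

Running `authentication_gaps` over the contexts an application builds is a quick review step: an encrypted connection with either gap present gives confidentiality against passive listeners but not the identity guarantee this section describes.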

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.
