In your browser’s address bar, the URL of every website you visit starts with either HTTP or HTTPS, the latter being considered more secure. You have probably noticed that many times while you were busy with your internet life, haven’t you? Even Facebook, with almost a billion daily active users, flaunts its status as an HTTPS website, and you confidently post your personal information without giving it a second thought. What if it gets into the wrong hands? Well, you know the chances of such a blunder ever happening on the Facebook planet are low.
So, whether it is Facebook or online payments involving your credit card information, all you want is HTTPS at the start of the URL. So why isn’t a simple HTTP website used for online payments or for storing your personal data? There is an obvious difference between the two.
What is HTTP?
HTTP stands for Hypertext Transfer Protocol, which your teacher made you learn by heart in your 4th grade. It is a request/response protocol based on the client/server communication model. A client, or user agent, is your web browser or any other device which can access, receive, and display web content.
The client sends a request message to a server which hosts HTML content, and the server replies with a response message that may contain the HTML content requested by the client. The response message is a confirmation that the server has successfully received the request message.
So, HTTP can be considered a rule book that your web browser refers to, for example to decide what to do when you press Enter after typing a website address. It is a stateless protocol, which means there is no relation between two consecutive HTTP commands given to a website. Furthermore, there is a list of status codes used by the web server to inform your browser if there is any problem. For example, “404 Not Found” is used when the webpage is not present at the URL entered in the browser.
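The request/response exchange and the status codes described above can be watched directly over a plain TCP socket. The following is an added example, not part of the original article: the loopback server, its two paths and the function names are constructed for the demonstration. Each request goes over its own connection, and every byte of it is readable text, which is exactly what anyone positioned on the network path would see.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class DemoHandler(BaseHTTPRequestHandler):
    """Constructed test server: one known page, anything else is a 404."""
    def do_GET(self):
        found = self.path == "/index.html"
        body = b"<h1>hello</h1>" if found else b"no such page"
        self.send_response(200 if found else 404)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

def raw_exchange(port, path):
    """Send one GET over plain TCP; return (request bytes, code, reason, body)."""
    request = (f"GET {path} HTTP/1.1\r\nHost: 127.0.0.1\r\n"
               "Connection: close\r\n\r\n").encode("ascii")
    with socket.create_connection(("127.0.0.1", port), timeout=5) as sock:
        sock.sendall(request)
        response = b""
        while chunk := sock.recv(4096):
            response += chunk
    # Headers and body are separated by an empty line; the first header
    # line is the status line: "<version> <code> <reason>".
    head, _, body = response.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii")
    _version, code, reason = status_line.split(" ", 2)
    return request, int(code), reason, body

def run_demo():
    """Start the loopback server, then fetch an existing and a missing page."""
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return [raw_exchange(port, p) for p in ("/index.html", "/missing.html")]
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for request, code, reason, body in run_demo():
        print(request.split(b"\r\n")[0].decode(), "->", code, reason, body)
```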
The credit for the original development of HTTP goes to Tim Berners-Lee, who proposed the idea of the ‘World Wide Web’, and his CERN team. HTTP was developed alongside HTML (Hypertext Markup Language). The very first HTTP documentation was published in 1991 as HTTP/0.9, which consisted of only one method, GET. The development progressed, with HTTP/1.0 in 1996 and HTTP/1.1 in 1997.
HTTP/1.1 introduced persistent connections (more than one request/response on the same HTTP connection), improved caching, new status codes, enhanced compression support, the OPTIONS method for Cross-Origin Resource Sharing in web applications, and much more.
HTTP uses the reliable TCP (Transmission Control Protocol) on port 80 to send and receive data packets over the network for internet applications like email, the World Wide Web, file transfer, etc. However, it also utilizes UDP (User Datagram Protocol), which is an unreliable protocol but contributes to reduced network latency. UDP is used for live streaming (not to be confused with preloaded videos on YouTube), which requires a continuous packet flow at the cost of minor packet loss during transmission.
The latest addition to the family is HTTP/2, developed by the Hypertext Transfer Protocol Working Group of the Internet Engineering Task Force. This specification was approved as a Proposed Standard by the IESG in February 2015 and was published in May 2015. It has been adopted by all the famous web browsers.
What is HTTPS?
The development of HTTPS was begun in 1993 by Netscape Communications, an AOL company, which had its famous Netscape Navigator web browser in the 1990s. Originally implemented with SSL (Secure Socket Layer), the HTTPS protocol was later upgraded to use SSL’s newer form, TLS (Transport Layer Security). It also uses TCP to send and receive data packets, but it uses a different port, 443, to do so.
The ‘S’ in HTTPS stands for secure. Now, what does that mean in layman’s terms? A website which uses the HTTPS protocol establishes an encrypted connection with your device. So, if you try to send some data to the website, say a name like Steve Jobs, the encrypted form will look somewhat like ‘xkndsoumnkjbktkctfc’. And you can’t understand it, can you?
The data to be transmitted is encrypted using a Public Key, which is then used by the recipient to decrypt it. The public key is created by a server administrator or a user, and it is included in a digital certificate known as an SSL Certificate, which is signed by certification authorities like VeriSign. Any act which involves sharing the Public Key with unknown devices must be prohibited, as it may compromise the level of encryption, ultimately leading to disclosure of personal information or user credentials.
Most modern web browsers now feature inbuilt support for the HTTPS protocol. A web browser with HTTPS support requires an SSL Certificate signed by a certification authority in order to authenticate a server or a website. You might have seen a green coloured padlock placed before HTTPS in the Google Chrome address bar. Once you click it, the certification authority information of the website will be presented to you.
The HTTPS website you’re visiting must provide a valid certificate to your web browser in order to gain the browser’s trust. If it is unable to do so, the browser will display a warning message. So, the website obtains a certificate either for free or after paying some bucks to the certification authorities.
Basically, HTTPS is simply an HTTP connection wrapped in an SSL/TLS encryption layer. This is all done to protect the integrity and privacy of the data being transmitted and to give assurance that it won’t fall into the wrong hands while in transit. Its main motive is to check the authenticity of the website being visited. An unsecured connection like a public WiFi network might serve as the medium for man-in-the-middle attacks and eavesdropping.
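Browsers refuse untrusted certificates by default, but client code can switch those checks off and still appear to "use HTTPS". The following added example, which is not from the original article, audits a Python `ssl.SSLContext` for the two settings that provide the authenticity check described above; the function name `audit_tls_context` and the three sample contexts are constructed for illustration.

```python
import ssl

def audit_tls_context(ctx):
    """Return a list of findings for a client-side SSLContext (empty = OK)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        # Without this, the connection is encrypted but the peer is unknown:
        # a man-in-the-middle can present any certificate it likes.
        findings.append("certificate chain is not verified against trusted CAs")
    if not ctx.check_hostname:
        # Without this, a certificate validly issued for a different site
        # is accepted for the one being visited.
        findings.append("certificate is not matched against the hostname")
    return findings

def strict_context():
    """What a browser-like client should use: library defaults."""
    return ssl.create_default_context()

def no_hostname_context():
    """Chain is verified, but the name on the certificate is ignored."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    return ctx

def unverified_context():
    """The common 'make the certificate error go away' configuration."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

if __name__ == "__main__":
    for make in (strict_context, no_hostname_context, unverified_context):
        findings = audit_tls_context(make())
        print(make.__name__, "->", findings or "OK")
```

A check like this is useful in code review or in a test suite to catch clients that silently disabled verification during debugging.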
The Difference between HTTP and HTTPS
In a nutshell, HTTPS can be regarded as an advanced modification of HTTP equipped with more security. However, HTTP uses port number 80 while HTTPS uses port number 443 by default, and that differentiates the two as separate connection types.
The sole intention of HTTP is to display the information on the recipient device without bothering about how the data gets transmitted between two devices. It is the same for HTTPS; the only advantage is that it packs an extra layer of security by using SSL/TLS, which is also utilized by VPNs to encrypt data, thus protecting against eavesdroppers.