Casual users rarely notice them, but HTTP (http://) and HTTPS (https://) are the two options for the start of a URL, and they mark an important difference between the web pages you visit every day. Consider this your first lesson if you’re interested in learning more about internet security.
What is HTTP?
HTTP is an acronym for Hypertext Transfer Protocol, an application layer protocol created by Tim Berners-Lee. The protocol provides standard communication rules between web servers and clients.
HTTP is also called a “stateless” protocol: connections are made on demand, and each request is handled on its own. You click on a link, requesting a connection, and your web browser sends this request to the server, which responds by sending back the page. The quicker the connection is, the faster the data is presented to you.
HTTP focuses on the information itself, but cares less about how that information travels from one point to another. This means that HTTP traffic can be intercepted and potentially altered, making both the information and its recipient vulnerable.
What is HTTPS?
The first thing you need to know: HTTPS is not the opposite of HTTP. They are essentially the same, in that both refer to the same “hypertext transfer protocol” that enables requested web data to be presented to you.
In a nutshell, HTTPS is HTTP with encryption, and the “S” stands for Secure. It runs using Transport Layer Security (TLS) and Secure Sockets Layer (SSL) certificates, which authenticate the identity of the web server and establish an encrypted channel between the web server and the browser.
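The identity authentication described above only protects a connection if the client actually checks the certificate. The following Python sketch is an added example, not part of the original article: it audits a client-side TLS configuration built with the standard ssl module, and the function names (audit_tls_context, strict_context, chain_only_context, lax_context) are hypothetical helpers.

```python
import ssl


def audit_tls_context(ctx):
    """Return the reasons a client using ctx could be talking to an impostor."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate chain is not verified against trusted CAs")
    if not ctx.check_hostname:
        problems.append("certificate is not matched against the requested hostname")
    return problems


def strict_context():
    # Library defaults: CA verification and hostname matching are both enabled.
    return ssl.create_default_context()


def chain_only_context():
    # Checks the CA signature, but would accept a valid certificate that was
    # issued for a completely different site.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def lax_context():
    # Shortcut sometimes used to silence certificate errors. Traffic is still
    # encrypted, but nothing proves who holds the other end of the channel.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # has to be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for name, make in (("strict", strict_context),
                       ("chain-only", chain_only_context),
                       ("lax", lax_context)):
        print(name, audit_tls_context(make()) or "authenticates the server")
```

Only the strict configuration gives both properties the article attributes to HTTPS; the other two still encrypt, but to an unverified peer.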
Why is HTTPS important?
A site with an SSL certificate activates the HTTPS protocol and encrypts the data transmitted over the Internet (such as user names, ID card details or passwords), preventing it from being intercepted and read by third parties. At the same time, HTTPS establishes a secure channel between the web server and the browser.
A website starting with “https://” has usually been authenticated by a Certificate Authority, which issues a trusted SSL certificate after verifying the site’s identity. In this way, a website with an SSL certificate installed can protect visitors from phishing and give customers the confidence to do business with you.
As more and more websites implement HTTPS, it has become a symbol of security. To comply with modern security guidelines, search engines such as Google treat the use of HTTPS as a factor in search ranking. As a result, if your site is served over HTTP, it may be less competitive in search results than sites that use HTTPS.
Google will mark HTTP sites with a red triangle and show "not secure" in red. Many people feel uneasy when they see this label on a site, so more and more users specifically look for secure connections when visiting sites. A secure connection reassures customers and tells them that the site is trustworthy and their information is safe.
How difficult is it to attack HTTPS?
Attacks on HTTPS connections generally fall into 3 categories:
- Compromising the quality of the HTTPS connection, through cryptanalysis or other protocol weaknesses.
- Compromising the client computer, such as by installing a malicious root certificate into the system or browser trust store.
- Obtaining a “rogue” certificate trusted by major browsers, generally by manipulating or compromising a certificate authority.
These are all possible, but for most attackers breaking HTTPS encryption is very hard and very costly. What’s important is that they are all targeted attacks, and are not feasible to execute against any user connecting to any website.
By contrast, plain HTTP connections can easily be intercepted and altered by anyone, including cybercriminals. The most common example is the man-in-the-middle attack, which can be carried out on a massive scale at little expense.
Differences between HTTP and HTTPS
Based on the above introduction to HTTP and HTTPS, the following table summarizes the main differences between them.
FAQs about HTTP and HTTPS
1. Which is safer, HTTP or HTTPS?
There is no doubt that HTTPS is more secure. HTTPS means that the identity of the server has been authenticated and that there is a secure connection with data encryption on any transferred information.
2. Which is faster, HTTP or HTTPS?
In most ways, HTTP is faster than HTTPS, because HTTP doesn't require SSL certificates, meaning that there is no additional validation step. An HTTP connection has no requirements for identity authentication or encryption.
However, HTTPS connections require an SSL handshake before transmitting any information. Through this handshake, the communication between client and server becomes private, and third parties cannot read the data. The step adds very little time, so the impact of the delay is insignificant.
3. Is Google HTTP or HTTPS?
In 2014, Google first announced HTTPS as a ranking factor used to measure search engine optimization (SEO). In July 2018, Google started marking all HTTP sites as not secure. In addition, Firefox 83 introduced an "HTTPS-Only" option. With more websites moving to HTTPS, more browsers are planning to make HTTPS the default option.
4. What is the difference between SSL and HTTPS?
SSL certificates are the products that you actually buy and install on the server. HTTPS is the result of having an SSL certificate installed. When you implement HTTPS, your URL will start with “https://” in the address bar.
5. Can you use both HTTP and HTTPS?
Yes, you can utilize both HTTP and HTTPS. Using both protocols to serve content is called “mixed content”. Note that most browsers are beginning to block websites with mixed content. With Google advocating for HTTPS, you'd better choose the secure version: HTTPS.
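To find mixed content before a browser blocks it, a site owner can scan a page's HTML for subresources that are still requested over http://. The scanner below is an added example, not part of the original article; it uses only the Python standard library, and the sample page, its hosts and the names MixedContentScanner and find_mixed_content are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that trigger a subresource fetch; <a href> is navigation, so absent.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url), in document order

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower()
        if tag == "link" and "stylesheet" not in rel:
            return  # e.g. rel="canonical" is metadata, not a fetched stylesheet
        for name, value in attrs:
            kind = ("active" if (tag, name) in ACTIVE else      # scripts, frames, CSS
                    "passive" if (tag, name) in PASSIVE else    # images and media
                    "form" if (tag, name) == ("form", "action") else None)
            if kind is None:
                continue
            # Resolve relative and protocol-relative URLs against the page URL.
            absolute = urljoin(self.page_url, (value or "").strip())
            if urlsplit(absolute).scheme == "http":
                self.findings.append((kind, tag, absolute))


def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages loaded over HTTPS
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; all hosts are hypothetical.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.example.com/lib.js"></script>
<script src="//cdn.example.com/ok.js"></script>
</head><body>
<a href="http://example.com/old">old link</a>
<img src="http://img.example.com/logo.png">
<form action="http://example.com/login" method="post"></form>
</body></html>"""
```

Calling find_mixed_content("https://shop.example.com/checkout", SAMPLE_PAGE) reports the http:// script, image and form target, and skips the relative stylesheet, the protocol-relative script and the plain link.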
6. Do I need a VPN if I use HTTPS?
It's not necessary but it is more secure to use both. If you want to ensure your internet access is secure and private, use HTTPS and a VPN. HTTPS gives you end-to-end encryption, and a VPN encrypts data from your computer to the VPN server.
HTTPS in the future
"As a community I feel we've done a lot of good in this area, explaining why everybody should use HTTPS," said Ivan Ristic, the author of a book, Bulletproof SSL and TLS. "Especially browsers, with their indicators and constant improvements, are compelling companies to switch."
Therefore, go ahead and make the move to HTTPS. It's well worth the investment.
However, don't expect HTTPS to be the final answer to data transfer protocols online. Nowadays, HTTPS stands above HTTP but one day it may be enhanced or replaced by another protocol. The Internet is evolving so fast that you never know what attack is going to happen next. What we should do is to try our best to provide the most secure network environment for customers.