In short, HTTPS is HTTP carried over an encrypted and authenticated connection. HTTPS uses TLS to encrypt ordinary HTTP requests and responses, to protect them against tampering in transit, and to let the browser verify that it is really talking to the server named in the URL. HTTPS is therefore more secure than HTTP.
The URL of a website will indicate whether it is using HTTP or HTTPS, as the URL will start with either http:// or https://.
What is HTTP?
HTTP is an abbreviation for Hypertext Transfer Protocol: a protocol, that is, an agreed format and sequence for exchanging messages, used to transfer web content over the Internet. The vast majority of information that is sent over the Internet, including website content and API requests, uses HTTP.
There are two types of HTTP messages:
- HTTP requests are generated by the user's browser as the user interacts with a website. For example, when the user clicks on a hyperlink, the browser sends a series of HTTP requests to the server hosting the page to fetch the resources the page needs (the HTML document, scripts, stylesheets and images). HTTP requests are sent to either an origin server or a caching proxy, which generates an HTTP response.
- HTTP responses are what the server sends back in reply: a status code, headers and usually a body, such as an HTML document or the JSON returned by an API.
Why HTTP is insecure
An HTTP request consists of a series of text lines that follow the HTTP protocol. These text lines are generated by the user's browser and are sent over the Internet. The problem with HTTP is that this text is sent as plain, readable text, i.e. it is not encrypted, which means that anyone monitoring the connection can read it. Only basic knowledge of the HTTP syntax is required to understand it.
This becomes particularly problematic when users enter sensitive information on web pages or web apps. This could be a password, payment card details, or other sensitive information entered into a form. When the user submits the form, the browser puts the field values, password included, into the body of an HTTP POST request, where they travel across the network in the clear.
When an origin server receives an HTTP request, it sends back an HTTP response in the same readable format, so session cookies, account details and page content are equally exposed.
In short, all HTTP requests and responses can be read by anyone monitoring the connection. A cybercriminal in that position can intercept sensitive information, and also modify requests or responses in transit, and use this for further malicious activity.
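The following is an added example, not code from the original article, showing what a passive observer on a plain-HTTP connection actually sees and how little HTTP knowledge is needed to read it. CAPTURED_REQUEST is constructed to look like the bytes a browser sends when a login form is submitted (shop.example and the credentials are made up), and TLS_RECORD_PREFIX is a constructed sample of the first bytes of a TLS record, which is what the same observer sees when HTTPS is used instead.

```python
# Added example, not part of the original article: what a passive observer
# sees on a plain-HTTP connection and how little HTTP knowledge is needed to
# read it. CAPTURED_REQUEST is constructed to look like the bytes a browser
# sends when a login form is submitted; shop.example is a made-up host.
from urllib.parse import parse_qs

CAPTURED_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 42\r\n"
    b"Cookie: session=abc123\r\n"
    b"\r\n"
    b"username=alice&password=hunter2&remember=1"
)

# Constructed: the first bytes of a TLS record (handshake content type, record
# version 3.1) as seen by the same observer when HTTPS is used instead.
TLS_RECORD_PREFIX = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"

HTTP_METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "PATCH"}


def is_plaintext_http(raw: bytes) -> bool:
    """Cheap check a sniffer uses to pick HTTP out of a byte stream: the first
    line must read 'METHOD target HTTP/x.y'. Ciphertext has no such structure."""
    first_line = raw.split(b"\r\n", 1)[0]
    try:
        parts = first_line.decode("ascii").split(" ")
    except UnicodeDecodeError:
        return False
    return len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith("HTTP/")


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into request line, headers and body.

    All the syntax needed: the head ends at the first blank line (CRLF CRLF),
    each header line is 'Name: value', and Content-Length gives the body size.
    """
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    body = rest[: int(headers.get("content-length", "0"))]
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def extract_form_fields(request: dict) -> dict:
    """Recover submitted form fields from a urlencoded POST body, exactly as an
    attacker monitoring the connection would."""
    if request["method"] != "POST":
        return {}
    content_type = request["headers"].get("content-type", "")
    if not content_type.startswith("application/x-www-form-urlencoded"):
        return {}
    fields = parse_qs(request["body"].decode("utf-8"), keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


if __name__ == "__main__":
    request = parse_http_request(CAPTURED_REQUEST)
    print("plaintext HTTP:", is_plaintext_http(CAPTURED_REQUEST))
    print("session cookie:", request["headers"]["cookie"])
    print("form fields:  ", extract_form_fields(request))
    print("TLS bytes look like HTTP:", is_plaintext_http(TLS_RECORD_PREFIX))
```

The parser is deliberately minimal: splitting on the blank line and on ": " is all it takes to recover the password and the session cookie. The same traffic over TLS begins with a binary record header and carries only ciphertext, so the first check fails and there is nothing for the parser to read.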
What is HTTPS?
The S in HTTPS stands for 'secure'. As mentioned, HTTPS uses Transport Layer Security (TLS) to encrypt HTTP requests and responses. This means that requests and responses no longer travel as plain, readable text but as ciphertext, which looks like random bytes to anyone who does not hold the keys.
Because of TLS, an observer of the connection sees only this stream of seemingly random bytes. TLS uses public key cryptography during the handshake: the client and server agree on a shared session key (in modern TLS through an ephemeral Diffie-Hellman exchange) without ever sending that key over the network, and the session key then encrypts and integrity-protects the HTTP traffic with a symmetric cipher.
In addition, HTTPS also authenticates web servers, which HTTP does not. The server holds a private key and presents a TLS certificate that contains the matching public key, the server's domain name and a signature from a certificate authority (CA) that the browser trusts. The certificate plays the role of an ID card: a document that a trusted third party has vouched for. During the handshake the server proves that it possesses the private key belonging to that certificate, and the browser checks that the certificate is signed by a trusted CA, has not expired and is valid for the domain in the URL. Only if all of these checks pass does the browser treat the server as legitimate.
This blocks attacks that work against plain HTTP. A man-in-the-middle (MitM) can no longer read or alter the traffic, and an attacker who hijacks DNS to send users to their own server cannot present a valid certificate for the real domain, so the browser refuses the connection. Note that HTTPS does not protect against lookalike or spoofed domain names: an attacker can obtain a perfectly valid certificate for a domain they control, so the checks confirm only that you are talking to the domain shown in the address bar, not that this domain is the one you intended.
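The checks described above, as an added example written with Python's standard ssl module and not taken from the original article: a client context configured the way a browser behaves, the common insecure configuration for contrast, a simplified version of the hostname-matching rule that check_hostname applies, and a function that connects to a real server and returns what sits behind the padlock. The hostnames shop.example and shop-example.com are made up.

```python
# Added example, not part of the original article: the checks a TLS client
# performs before it trusts a server, written with Python's standard ssl module.
# shop.example and the lookalike shop-example.com below are made-up names.
import socket
import ssl


def verifying_context() -> ssl.SSLContext:
    """Behave like a browser: trust only the platform CA store, require a
    certificate, require the hostname to match it, refuse TLS older than 1.2."""
    ctx = ssl.create_default_context()  # sets CERT_REQUIRED and check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_context() -> ssl.SSLContext:
    """The common anti-pattern: traffic is still encrypted, but any certificate
    is accepted, so an active attacker can impersonate the server. Contrast only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hostname_matches(host: str, cert_names: list[str]) -> bool:
    """Simplified RFC 6125 matching, the rule behind check_hostname: labels must
    match exactly, except that a leading '*' covers exactly one leftmost label."""
    host_labels = host.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue
        if labels[0] == "*":
            # wildcard must leave at least two fixed labels (no '*.com')
            if len(labels) >= 3 and labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False


def describe_server(host: str, port: int = 443) -> dict:
    """Connect with a verifying context and return what the browser shows behind
    the padlock. Raises ssl.SSLCertVerificationError if the CA chain, validity
    period or hostname check fails."""
    ctx = verifying_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "issuer": dict(item[0] for item in cert["issuer"]),
                "valid_until": cert["notAfter"],
                "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
            }


if __name__ == "__main__":
    # Needs network access; prints the certificate details of a real site.
    import sys
    print(describe_server(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

The hostname rule is what makes DNS hijacking fail (the attacker's certificate does not cover the requested name) and also what makes lookalike domains succeed: a certificate for shop-example.com is valid for shop-example.com, and nothing in TLS knows that the user meant shop.example.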
When HTTP and HTTPS are used
It may seem strange that HTTP is still used at all when this type of connection is known to be insecure. The traditional argument for HTTP is speed: there is no TLS handshake and no encryption work. With modern hardware, session resumption and HTTP/2, which browsers only use over TLS, that difference is small.
HTTP has traditionally been accepted for websites that only serve content for consumption, such as blogs, because the user does not enter sensitive information there. Even on such sites, however, an observer can see which pages are read and an active attacker can alter the content in transit, for example by injecting a script, so the general recommendation today is to serve everything over HTTPS.
HTTPS is essential for websites that involve the transfer of sensitive information, such as payment card and bank details or passwords.
Therefore, we also recommend that you always check for an HTTPS connection before entering and sending sensitive information. You can see this by looking for the padlock icon in your browser's address bar, which indicates that the connection is encrypted with TLS and that the certificate is valid for the domain shown. Keep in mind that the padlock says nothing about whether that domain is trustworthy: a phishing site can have a valid certificate and a padlock too, so check the domain name itself as well.
Now you hopefully know what to look for when doing awareness training.
Emilie Hartmann is a student and copywriter at Moxso, where she is a language nerd and always on the lookout for new and exciting topics to write about. She is currently doing her Master's in English, where she is primarily working in the fields of Creative Writing and Digital Humanities.