HTTP vs HTTPS: What is the difference between HTTP & HTTPS protocols?

Looking at the hypertext transfer protocol and how SSL/TLS secures it

Do you know the difference between HTTP and HTTPS? Aside from the fact that you’re probably used to seeing those letters at the start of some URLs, many people have no idea what HTTP and HTTPS are or how they affect their security on the internet.

And that’s a problem. One that cybercriminals readily exploit to their own personal gain. So let’s take a look at the HTTP and HTTPS and talk about how they play into your own personal cybersecurity.

What is HTTP?

HTTP is the acronym for Hypertext Transfer Protocol. To understand what HTTP is and does you have to start by understanding a little bit about how the internet functions on a technical level. Don’t worry, this isn’t going to be a PHD-level explanation, we’ll give the abridged version.

The internet is not like a series of tubes, as former US Senator Ted Stevens once famously said. Really, it’s more of a series of connections between various devices like computers and servers. When you visit a website what’s really happening is your web browser – which acts as the vehicle that lets you travel the internet – is making a connection to the web server that hosts the site you want to visit.

Now, websites don’t exist on the server like they show up in your browser. As you probably know, websites are coded using HTML or Hypertext Markup Language. When a connection is made with the server, the website is sent as packets of data via HTTP, the Hypertext Transfer Protocol, and your web browser uses that data to display the website as it was intended.

HTTP has been the standard communication protocol pretty much since the internet was developed. All data that is sent, whether it’s a website sending data to a browser about how to display it or a browser sending a customer’s financial data back to a website to complete a transaction – and a whole range of communications in between – are sent via HTTP.

The Problem with HTTP

HTTP has one glaring issue. Now, given the way the internet has evolved since HTTP was first developed, it’s an understandable oversight. But HTTP is woefully unsecure. Not insecure – HTTP doesn’t wander around seeking constant validation from the other protocols – but unsecure, meaning that it leaves the data being transmitted at risk.

Communication via HTTP is sent out in the open. Meaning that a third party can easily intercept the data being transmitted, which can lead to data theft, man-in-the-middle attacks and third-party content injection.

Nobody wants that.

This is where SSL/TLS comes into play. SSL or Secure Socket Layers is a protocol that encrypts communication. SSL was first developed by Netscape and has gone through a number of iterations as it has evolved. After version 3.0, it was succeeded by TLS or Transport Layer Security. We are now on TLS version 1.3, but many in and out of the cybersecurity industry still colloquially refer to it as SSL.

SSL/TLS is sold in the form of digital certificates. These are installed on web servers and sent to browsers when a connection is made. The browser quickly verifies that the certificate is valid and then the two negotiate an encrypted connection, where they exchange what are called session keys.

Session keys allow each party to encrypt and decrypt communication. In order for a third party to steal or manipulate the data being transmitted, that third party would need a session key—otherwise the data is jumbled and useless. This is an example of symmetric encryption.

So, What is HTTPS?

HTTPS is really just HTTP with TLS (HTTP + TLS = HTTPS). When you see HTTPS in the address bar of your browser it means all communication with this website will be encrypted. Now, a word of caution: that doesn’t necessarily mean you’re safe. Just because your connection is encrypted doesn’t mean you know who is on the other end of the connection. But seeing HTTPS does indeed mean that your connection is secure.

Fortunately, the browsers understand that many people don’t understand what HTTP and HTTPS mean or what they are, so they have created visual indicators to help users understand connection security.

When a website has HTTPS, you typically see one of two visual indicators. The first is the new “Secure” label. Currently, Chrome is the only browser to have adopted this, but Firefox is soon to follow and the other browsers usually get in line once Google and Mozilla have acted.

This indicator also features a padlock icon and you can see “https” in green font at the front of the URL.

Then there’s the green address bar. This puts the name of the company or organization that owns the website into the address bar along with the country of origin and a padlock icon. In years past the green address bar was actually green. Now it’s just a green font. But the effect is still the same.

Pay attention to these indicators, they let you know when a website is being served via HTTPS.

Why HTTP is Dying

HTTP isn’t really dying, per se. It’s just being forced to evolve. As we mentioned earlier, the browsers are basically our de facto vehicle for getting around the internet. The vast majority of us could not use the internet without a browser. And that puts the browsers in position to influence the internet as they see fit.

Right now, they’re mandating SSL. The initiative began a few years ago with a soft push. Google announced HTTPS would become a ranking factor for SEO, then the browsers started making new features exclusive to sites with SSL. Gradually they incentivized encryption more and more.

Now they’ve flipped to penalizing sites without SSL.

It all ties into the security indicators we discussed in the last section. Sites with HTTPS are marked “Secure.” What about sites without it? They’re being marked “Not Secure.” It started with just web pages that contained unencrypted login screens, soon it will spread to all pages served over HTTP.

Having your website labeled “Not Secure” is akin to trying to run a deli that has a notice from the city health inspector permanently posted on its front window. Until you get that thing off, business is really going to suffer.

So, we’ll end this explanation of HTTP vs. HTTPS with a bit of advice. If an HTTPS migration wasn’t already on your agenda for 2017—it should be.