Difference between HTTP & HTTPS?

What is HTTP?

HTTP is an abbreviation for Hypertext Transfer Protocol. It is the protocol that a client (such as a browser) and a web server use to communicate. When you type http:// in front of a domain in your browser’s address bar, it instructs the browser to connect via HTTP. HTTP sends and receives data over the web using TCP (Transmission Control Protocol), typically over port 80. After the TCP handshake, the client sends a request message to the HTTP server that hosts the website, and the server replies with a response message. The response message includes completion status information, such as HTTP/1.1 200 OK.

What is an HTTP request, and how does it work?

HTTP messages are classified into two types: requests and responses. As a user interacts with web properties, the user’s browser generates HTTP requests. When a user clicks on a hyperlink, the browser sends a series of “HTTP GET” requests for the content on that page. These HTTP requests are routed to either an origin server or a proxy caching server, which generates an HTTP response. HTTP responses are the server’s answers to HTTP requests.

HTTP requests and responses are sent in plaintext across the Internet. The issue is that anyone who is watching the connection can read that plaintext. This is especially problematic when users submit sensitive information through a website or a web application. This could be a password, credit card information, or any other information entered into a form. A malicious actor can simply read the text in the request or response to determine what information someone is requesting, sending, or receiving, and can even manipulate the communication.
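
The exposure described above, as an added example (not code from the original page): a Python check that parses a captured plaintext HTTP request and lists the names of sensitive fields readable on the connection, and returns nothing for TLS record bytes. The two sample captures, the host shop.example and the SENSITIVE_HINTS list are constructed assumptions.

```python
from urllib.parse import parse_qsl

# Assumed name fragments that mark a form field as sensitive.
SENSITIVE_HINTS = ("pass", "pwd", "card", "cvv", "token")

# Constructed capture: a login form submitted over plain HTTP (port 80).
SAMPLE_HTTP = (
    b"POST /login?next=/account HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 62\r\n"
    b"\r\n"
    b"user=alice&password=correct+horse&card_number=4111111111111111"
)
# Constructed capture: first bytes of a TLS handshake record (port 443).
SAMPLE_TLS = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def looks_like_tls(raw: bytes) -> bool:
    """TLS records start with a content type (0x14-0x17) and major version 3."""
    return len(raw) >= 3 and raw[0] in (0x14, 0x15, 0x16, 0x17) and raw[1] == 0x03


def exposed_fields(raw: bytes):
    """Names of sensitive fields an on-path observer could read; [] for TLS."""
    if looks_like_tls(raw):
        return []  # payload is encrypted; there are no readable fields
    _method, target, headers, body = parse_request(raw)
    pairs = parse_qsl(target.partition("?")[2], keep_blank_values=True)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        pairs += parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True)
    # Report field names only, never the captured values.
    return sorted({k for k, _ in pairs if any(h in k.lower() for h in SENSITIVE_HINTS)})


if __name__ == "__main__":
    print("HTTP :", exposed_fields(SAMPLE_HTTP))
    print("HTTPS:", exposed_fields(SAMPLE_TLS))
```

A non-empty result for traffic on port 80 is a finding: that form should be served and submitted over HTTPS only.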

HTTPS is the solution to the above-mentioned security issue.

What is HTTPS?

HTTPS is an abbreviation for Hypertext Transfer Protocol Secure (also referred to as HTTP over TLS or HTTP over SSL). HTTPS encrypts HTTP requests and responses with TLS (or SSL), so instead of plaintext, an attacker sees a series of seemingly random characters.

Transport Layer Security (TLS) uses public key encryption, which requires two keys: a public key and a private key. The server’s SSL certificate distributes the public key to client devices. A Certificate Authority (CA) cryptographically signs the certificates, and each browser has a list of CAs that it implicitly trusts. Any certificate that is signed by a CA on the trusted list and belongs to that domain is treated as “trusted” and is given a green padlock in the browser’s address bar. Companies such as Let’s Encrypt have now made the process of obtaining SSL/TLS certificates completely free.

When a client connects to a server, each machine requires a verified identity. As a result, the two devices use the public and private keys to agree on new keys, known as session keys, to encrypt future communications. All HTTP requests and responses are then encrypted with these session keys, so anyone who intercepts the communication sees only a random string of characters rather than the plaintext.

In addition to encrypting communication, HTTPS is used to authenticate the two communicating parties. Authentication is the process of confirming that a person or machine is who they claim to be. There is no identity verification in HTTP; it is based on a trust principle. However, on today’s Internet, authentication is required.

A private key confirms server identity in the same way that an ID card confirms a person’s identity. When a client establishes a channel with an origin server (for example, when a user navigates to a website), possession of the private key that corresponds to the public key in the website’s SSL certificate proves that the server is the legitimate host of the website. This prevents, or helps prevent, a variety of attacks that are possible in the absence of authentication, such as man-in-the-middle attacks, DNS hijacking, and domain spoofing.

Difference between HTTP & HTTPS?

S.No | HTTP | HTTPS
1 | HTTP lacks a security mechanism for encrypting data. | HTTPS provides an SSL or TLS digital certificate to secure server-client communication.
2 | HTTP is used at the Application Layer. | HTTPS is used at the Transport Layer.
3 | HTTP sends data in plain text. | HTTPS sends data in ciphertext (encrypted text).
4 | HTTP is faster than HTTPS because HTTPS requires more computation power to encrypt the communication channel. | HTTPS is slower than HTTP.
5 | HTTP does not require SSL certificates. | HTTPS requires an SSL certificate that has been signed by a CA.
6 | HTTP does not require domain validation. | HTTPS requires domain validation and, in some cases, legal document validation.
7 | HTTP does not support encryption. | HTTPS encrypts data before sending it.