One of the biggest indicators of a suspicious or unsecured website is whether or not the site is HTTPS-secured. In many cases, spoofed, phishing, malicious, or typosquatted websites use HTTP instead of HTTPS, which has encryption and verification protocols built in to ensure safe data transmission between servers and browsers.
The main difference between HTTPS and HTTP is that HTTPS establishes a secure internet connection via encryption, whereas HTTP does not. HTTPS provides a useful layer of security that keeps user data safe in a world increasingly at risk of cyber attacks and data loss.
Large organizations may find setting up and maintaining SSL (Secure Socket Layer) a burden, but the benefits of building stronger relationships with customers, protecting data privacy, and reducing the risk of a data breach or other cyber attack far outweigh the challenges. SSL/TLS security is not unbeatable, but it is constantly evolving to provide security against hackers.
This article will explore the key differences between HTTP and HTTPS protocols, how each protocol functions, and review several cybersecurity concepts to help users better understand why HTTPS is important.
How Does HTTP Work?
HTTP stands for Hypertext Transfer Protocol. The term hypertext was coined by Ted Nelson in the 1960s to refer to a text on an electronic device that has immediately-accessible references to other texts. The references are the typically-blue hyperlinks, normally activated by pressing a mouse button, touching a screen, or pressing one or more keys.
In general, a protocol is an agreed way of communicating. If someone extends their hand, someone might shake it. If someone raises their hand, you might give them a high-five or allow them to ask a question, depending on the context. Most people understand that those actions have expected, socially agreed-upon responses.
In networking, a protocol can be defined as standardized rules pertaining to the formatting and processing of data. In a similar way to how human protocols help people communicate with each other, network protocols facilitate computer-to-computer communication.
HTTP is one of many network protocols. To understand the HTTP protocol, it’s useful to look at it in the context of other protocols and the internet as a whole.
The most common and recognizable internet protocols include the following:
- Transmission Control Protocol (TCP) — This protocol divides messages into packets sent from the source to a destination, where they are reassembled.
- Internet Protocol (IP) — Mostly used with TCP, IP addresses help each packet reach its destination.
- User Datagram Protocol (UDP) — This is an alternative to TCP, mostly used for linking between applications.
- Post Office Protocol (POP) — This (POP3) protocol is designed for receiving emails.
- Simple Mail Transfer Protocol (SMTP) — SMTP helps send secure emails.
- File Transfer Protocol (FTP) — FTP facilitates the transfer of various files from one machine to another.
- Hypertext Transfer Protocol Secure (HTTPS) — This more secure version of HTTP secures communication between two machines. Data is encrypted and verified so that any entity accessing packets between the browser and the web server will not be able to interpret the data.
- Telnet — Telnet is the protocol for remote logins, where a local computer requests a connection with a remote computer.
- Gopher — Like HTTP, the gopher protocol works on the client-server principle. It helps search, retrieve, and display documents from isolated sites.
These protocols operate at various layers of the internet. Thinking about the internet in terms of layers helps IT professionals and others describe, troubleshoot, and protect networks.
Following the Open Systems Interconnection (OSI) model, the national standard adopted in 1984, the internet can be described as having seven layers. While this concept of layers is a useful guide, other interpretations and descriptions exist.
When representing these layers, it’s helpful to start with the application layer, where humans interact with devices. The seven layers agreed upon by OSI are as follows:
Layer Seven: The Application Layer
This is where humans interact with computers, such as via email clients and browsers. Applications access network services here.
Most people interact with the internet via the World Wide Web, the interconnected system of documents and resources accessible via web browsers and other programs. The World Wide Web exists on the application layer, and HTTP is an application layer protocol.
Layer Six: The Presentation Layer
Here, data is prepared for the application layer so that it arrives in a usable format. And it’s prepared for transmission over layer five, the session layer. It’s where data encryption and compression take place.
Layer Five: The Transport Layer
Transmission protocols such as TCP and UDP apply here. It controls transmission speed according to the connection speed of the receiving device. It chops up data transferred in the session layer and puts it back together at the receiving end. SSL operates between the transport layer and the application layer.
The transport layer also defines 65,000+ ports, the virtual points where connections start or end. Thus, it helps organize network traffic. For example, emails and webpages use different ports. HTTP messages use port number 80. Network services that use HTTPS encryption use port number 443.
Layer Four: The Session Layer
This layer is about maintaining connections and controlling ports and sessions, so they are open while data is being sent and then closed afterward.
Layer Three: The Network Layer
The physical path taken by data is determined here. It takes segments and further divides them into packets. Like the Transport Layer, it is responsible for reassembly at the receiving end. It discovers the best path across a physical network and uses network addresses - usually IP addresses - to direct packets.
Layer Two: The Data Link Layer
Here, the format of the network data is defined. It connects and disconnects a network’s physical nodes, performs error checking, and defines permissions for transmitting and receiving data.
Layer One: The Physical Layer
At this layer, raw bits (1s and 0s) are transmitted over the physical medium. It’s about the cables and wireless connections. Someone failing to plug in their device causes a common layer one network error.
When people use devices to transmit data, it flows from the application layer (layer seven) through the layers to the physical layer (layer one) and vice versa.
How Does HTTPS Work?
The S in HTTPS (Hypertext Transfer Protocol Secure) signifies a secure connection. Users can see when a connection is secure by the appearance of this S after HTTP and an image of a locked padlock in the URL bar, which may appear slightly different across different web browsers. If a connection is not secure, users can expect a warning sign, such as a red or open padlock, a warning triangle, or a line that goes through the URL in the address bar.
To make communications more secure, HTTPS works between the application layer and the transport layer. It is like HTTP except that it uses Transport Layer Security (TLS) to provide a secure channel from beginning to end. HTTPS is sometimes known as “HTTP over TLS.”
The secure connection verifies that the sender is talking to the intended server. It also encrypts and decrypts requests and responses so that only the intended recipient can read the message. If a hacker managed to intercept the message en route, such as a man-in-the-middle (MITM) attack, the encryption would make it unreadable and near impossible to decipher. Additionally, the intercepting hacker wouldn’t be able to modify transmissions either.
While many refer to TLS and SSL interchangeably for secure data transfer, SSL was deprecated in 1999 and replaced with TLS 1.0 the same year. Since then, there have been several upgrades. TLS 1.2 and TLS 1.3 are the most common versions, with TLS 1.3 offering the strongest security. Still, IT professionals and other computer users refer to SSL when discussing secure, encrypted connections using HTTPS.
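The practical consequence of the paragraph above is a client-side configuration choice: which TLS versions to accept and whether the server's certificate and hostname are actually checked. The following is an added example, not code from the article, using Python's standard ssl module; it sets a deliberately weak context beside a hardened one and audits both. The cafile and CRL paths are assumed placeholders.

```python
import ssl


def weak_client_context() -> ssl.SSLContext:
    """The anti-pattern: 'HTTPS' in the URL, but no check of who is answering.
    Constructed here only for contrast with the hardened version below."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE  # accepts any certificate, self-signed or forged
    return ctx


def hardened_client_context(cafile=None) -> ssl.SSLContext:
    """Verifies the certificate chain and hostname and refuses TLS versions below 1.2.
    cafile: optional PEM bundle of trusted CAs (assumed path); default is the OS trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS-level compression is a known weakness; keep it off
    return ctx


def enable_crl_check(ctx: ssl.SSLContext, crl_pem_path: str) -> ssl.SSLContext:
    """Loads a certificate revocation list (path assumed) so that a revoked
    server certificate fails the handshake instead of being accepted."""
    ctx.load_verify_locations(cafile=crl_pem_path)
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Returns the list of weaknesses found in a client context (empty means none)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are allowed")
    return findings


if __name__ == "__main__":
    # To use the hardened context against a real server (network required, host is a placeholder):
    #   with socket.create_connection(("www.example.invalid", 443)) as raw, \
    #           hardened_client_context().wrap_socket(raw, server_hostname="www.example.invalid") as tls:
    #       print(tls.version(), tls.getpeercert()["notAfter"])
    print("weak:    ", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

The audit function is the part worth keeping in a code base: run it over every context an application builds, and treat any finding as a bug, because a context that skips verification still shows "https" in the URL while giving none of the guarantees this article describes.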
How HTTPS Security is Achieved
A secure connection is established via a “handshake.” This ensures that the client is talking to the intended server. It may also ensure that the server is receiving from the correct client.
Various kinds of handshakes exist. For HTTPS, the handshake can be described in the following three stages:
SSL/TLS Handshake Stage One
The initial contact from the client contains the information the server needs to connect to the client securely via SSL. This data includes the cipher suites that may be used and the maximum SSL version supported. The server responds with, among other things, a decision based on the client’s cipher suites and maximum version data.
The client and server agree on which keys will be required for the algorithm. It will be a symmetric algorithm, meaning that a single key randomly generated by the client is used for encryption and decryption. The process that achieves this agreement, however, involves an asymmetric algorithm, which necessitates the server’s public and private keys.
SSL/TLS Handshake Stage Two
Once the client and server agree on a “cipher suite” and which encryption algorithm to use, the server proves its identity to the client using an SSL certificate. In situations involving very sensitive data, the server may require a digital certificate from the client.
An SSL certificate is essentially a digital document attesting to the certificate holder’s identity, backed up with a digital signature. Browsers come with lists of trusted SSL certificates from Certificate Authorities (CA) pre-installed, including certificates controlled by organizations like Symantec and GoDaddy. Only a Certificate Authority (CA) can attach its valid digital signature to a certificate - verifying that the certificate holder can be trusted - because the signature is made with the CA’s private key.
Browsers also have lists of compromised and otherwise untrustworthy certificates, updated via the Certificate Revocation List (CRL). These cause errors that discourage or prohibit further user interaction. This is one reason that it is helpful for users to update their browsers regularly.
An SSL certificate includes the following:
- The owner’s name
- The domain name or other property to which it is attached
- The public key
- Dates of validity
- The person, organization, or device the certificate was issued to
- Which Certificate Authority issued the certificate
- The Certificate Authority’s digital signature
SSL/TLS Handshake Stage Three
The client sends its encrypted key to the server using the agreed algorithm and the server’s public key, which is on its SSL certificate. The server uses its private key to decrypt the client’s key.
At this handshake stage, both parties are satisfied regarding their identities and how to communicate securely. From here on, HTTPS requests and responses are plaintext messages that the sender encrypts and the receiver decrypts with the agreed key that only they know. A cybercriminal could intercept the transmission, but they couldn’t decrypt it without the original private decryption key.
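To make the three stages concrete, here is an added simulation (not the article's material and not TLS itself) that runs a client and server in one Python process: stage one negotiates a version and cipher suite against an assumed server policy, stage two generates the server's RSA key pair (standing in for the public key carried in the certificate), and stage three has the client send an RSA-wrapped secret from which both sides derive the same symmetric key and then exchange an encrypted, integrity-checked message. The version ranks, policy minimum, cipher-suite lists and key sizes are constructed for the example; the RSA primes are far shorter than real ones, and the hash-based stream cipher is an illustration, not a production cipher.

```python
import hashlib
import hmac
import secrets

# ---- Stage one: negotiation of version and cipher suite (constructed policy) ----
VERSION_RANK = {"TLS1.0": 1, "TLS1.1": 2, "TLS1.2": 3, "TLS1.3": 4}
SERVER_MIN_VERSION = "TLS1.2"  # assumed server policy for this example


def negotiate(client_suites, client_max, server_suites, server_max):
    """Server picks the highest version both sides support and its own preferred
    suite among those the client offered, refusing anything below policy."""
    version = min(client_max, server_max, key=VERSION_RANK.__getitem__)
    if VERSION_RANK[version] < VERSION_RANK[SERVER_MIN_VERSION]:
        raise ValueError(f"{version} is below the policy minimum {SERVER_MIN_VERSION}")
    for suite in server_suites:  # server preference order decides
        if suite in client_suites:
            return version, suite
    raise ValueError("no cipher suite in common")


# ---- Stage two: the server's key pair (the public half would travel in the certificate) ----
def _is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test, adequate for an illustration."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top and low bits
        if _is_probable_prime(candidate):
            return candidate


def rsa_keypair(bits=96):
    """Textbook RSA with 96-bit primes: far too small for real use, fine for a demo."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this guarantees gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))  # (public, private)


# ---- Stage three: RSA-wrapped premaster secret, then a shared symmetric key ----
def client_key_exchange(server_public):
    premaster = secrets.randbits(128)  # 128 bits < n (at least 190 bits), so it fits in one block
    n, e = server_public
    return premaster, pow(premaster, e, n)  # client keeps the first, sends the second


def server_unwrap(server_private, wrapped):
    n, d = server_private
    return pow(wrapped, d, n)


def session_key(premaster, client_nonce, server_nonce):
    """Both sides mix the premaster with the two nonces so every session gets a fresh key."""
    return hashlib.sha256(premaster.to_bytes(16, "big") + client_nonce + server_nonce).digest()


def _keystream(key, length):
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: XOR with a hash-derived keystream, then tag with HMAC-SHA256."""
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return ciphertext + hmac.new(key, ciphertext, hashlib.sha256).digest()


def unseal(key, sealed):
    ciphertext, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ciphertext, hashlib.sha256).digest()):
        raise ValueError("message was modified in transit")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, len(ciphertext))))


def run_handshake(message):
    """Runs all three stages between an in-process client and server; returns what the server read."""
    version, suite = negotiate(
        ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"], "TLS1.3",
        ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"], "TLS1.2")
    server_public, server_private = rsa_keypair()
    client_nonce, server_nonce = secrets.token_bytes(32), secrets.token_bytes(32)
    premaster, wrapped = client_key_exchange(server_public)  # only 'wrapped' crosses the wire
    client_key = session_key(premaster, client_nonce, server_nonce)
    server_key = session_key(server_unwrap(server_private, wrapped), client_nonce, server_nonce)
    assert client_key == server_key, "key agreement failed"
    return version, suite, unseal(server_key, seal(client_key, message))
```

Two caveats a practitioner should keep in mind: the RSA key-transport step mirrors the stage-three description in the text, which is the TLS 1.2-style RSA exchange; TLS 1.3 instead uses an ephemeral Diffie-Hellman exchange, so the server's long-term private key can never decrypt a recorded session. And the MAC check in unseal is what backs the claim that an interceptor cannot modify the transmission unnoticed: flip one bit of the ciphertext and the receiver rejects it.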
What’s the Difference Between HTTP vs HTTPS?
The main benefit of using HTTPS over HTTP - both as a user and a website owner - is that it is more secure. HTTPS is critical when you wish to transfer data securely, including the following:
- Credit card information
- Payment, address, and order details on e-commerce sites
- Usernames and passwords to log in to online services
- Personally identifiable information (PII), including name, date of birth, address
- Sensitive information, such as confidential business information or governmental data
- Protected health information (PHI) and other sensitive medical records
Using HTTPS can help avoid MITM attacks, a kind of attack that is directed towards unsecured networks, such as an unencrypted Wi-Fi access point that requires no authentication. Such an attack circumvents authentication for the sender and receiver. TLS, however, requires authentication for at least one of the parties, making these attacks impossible.
People are typically advised not to use public Wi-Fi networks - such as those in coffee shops and airports - if they wish to keep their communications secure. Doing so can increase the risk of a data breach or cyber attack.
However, anything sent over HTTPS is encrypted. So even if a threat actor is watching the user data change hands, it will be secure as long as there is a secure TLS connection, as signified by HTTPS and the padlock icon.
Even so, using unsecured Wi-Fi networks presents a potential risk. It’s essential to ensure that the TLS connection is consistent. Each page involving entering, transmitting, or storing personal information must begin with HTTPS. If in doubt, users should wait until they can access a secure network.
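The requirement that every page handling personal data be served over HTTPS, and that nothing on such a page quietly falls back to HTTP, is something a site owner can check mechanically. The following is an added example, not code from the article: a small auditor built on Python's standard html.parser that flags pages served over plain HTTP, forms whose submit target is not HTTPS, and HTTP sub-resources loaded into an HTTPS page. The pages under SAMPLE_PAGES are constructed for the example; the hostnames use the reserved .test domain and belong to no real site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample crawl (URL -> HTML body); no real site is represented.
SAMPLE_PAGES = {
    "http://shop.example.test/login": """
        <html><body>
        <form action="/session" method="post">
          <input name="user"><input name="pass" type="password">
        </form>
        </body></html>""",
    "https://shop.example.test/checkout": """
        <html><head>
        <script src="http://cdn.example.test/cart.js"></script>
        </head><body>
        <form action="http://pay.example.test/submit" method="post">
          <input name="card">
        </form>
        <img src="https://cdn.example.test/logo.png">
        </body></html>""",
    "https://shop.example.test/about": "<html><body><p>Secure.</p></body></html>",
}


class _RefCollector(HTMLParser):
    """Collects form targets and sub-resource URLs from one page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.resources = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append(a.get("action", ""))  # "" means "post back to this page"
        elif tag in ("script", "img", "iframe") and a.get("src"):
            self.resources.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.resources.append(a["href"])


def audit_page(url, html):
    """Returns a list of (severity, message) findings for one page."""
    findings = []
    page_scheme = urlsplit(url).scheme
    collector = _RefCollector()
    collector.feed(html)
    if page_scheme != "https":
        findings.append(("high", f"page itself is served over {page_scheme}"))
    for action in collector.forms:
        target = urljoin(url, action)  # a relative action inherits the page's own scheme
        if urlsplit(target).scheme != "https":
            findings.append(("high", f"form posts to non-HTTPS target {target}"))
    if page_scheme == "https":
        for src in collector.resources:
            if urlsplit(urljoin(url, src)).scheme == "http":
                findings.append(("medium", f"mixed content loaded over HTTP: {src}"))
    return findings


def audit_site(pages):
    """Maps each URL with at least one finding to its findings."""
    report = {}
    for url, html in pages.items():
        findings = audit_page(url, html)
        if findings:
            report[url] = findings
    return report


if __name__ == "__main__":
    for url, findings in audit_site(SAMPLE_PAGES).items():
        print(url)
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Note the relative-action case on the login page: the form's action looks harmless, but because the page itself was loaded over HTTP the credentials would be posted over HTTP too, which is exactly the "consistent TLS on every page" point the text makes. Mixed content on the checkout page is rated lower only because browsers block or warn on it; the fix in all three cases is the same, serve everything over HTTPS.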
Search Engine Optimization (SEO) Advantages
HTTPS offers search engine optimization (SEO) advantages. In 2014, Google stated that website security was a top priority. To make the internet safer, Google promoted implementing HTTPS everywhere and began using HTTPS as a ranking signal.
Over time, it altered its algorithm to strengthen how much importance it placed on data security. Whether or not a website collects personal information, Google favors sites that use secure connections over those that use only HTTP.
Since 2017, browsers, such as Google Chrome, have decided to improve trust online by requiring that all sites feature encryption via HTTPS. Sites that fail to do this normally generate warnings for the users.
An HTTPS URL, therefore, can boost a site’s performance in search rankings, while non-secure sites are penalized. An SSL certificate is just one part of a larger SEO strategy, but it’s still an important factor.
Things to Consider When Implementing HTTPS Protocols
The primary cons of HTTPS are that implementing SSL security costs more than HTTP, and it can be challenging for smaller organizations to implement. Other issues are as follows:
- Implementing HTTPS can result in extra financial and resource costs
- It may cause configuration issues with plugins
- Implementing TLS can cause a temporary loss of traffic
To achieve SSL connections, websites require SSL certificates. Three validation levels exist.
- Domain validation, which provides only encryption
- Organization validation, which provides light business authentication and encryption
- Extended validation, which provides full business authentication and encryption
Several other kinds of certificates exist as well:
- Single domain certificates
- Multi-domain certificates
- Wildcard certificates (used for securing one domain and unlimited sub-domains associated with it)
- Multi-domain wildcard certificates (including unlimited associated sub-domains)
Some SSL certificates can be obtained free of charge. Others cost hundreds of dollars per year, depending on their security level and the site’s needs. The most expensive SSL certificate can approach $2,500 per year for five years. However, paid certificates provide better cybersecurity liability protection in the event of a data breach. They also offer more user-friendly renewal options and may provide configuration assistance.
When a business has one or more SSL certificates, it takes time to configure them. While a simple domain validation certificate might take a few minutes to start working, an extended validation certificate may take several days.
Renewing certificates can also be time-consuming. Cheaper or free certificates can be more labor-intensive than more expensive options. The Certificate Authority/Browser Forum recommends that SSL certificates should last for 27 months before they require renewal. In 2020, Google, Mozilla, and Apple pushed for one-year SSL certificates.
This took effect in September 2020 and ensures that authentication information is revalidated regularly, which is good for security. It is, however, an additional burden on a business or its IT team, particularly for enterprise-level organizations, which may need certificate management software to keep up.
HTTPS is Slower than HTTP
The requirement for encryption and authentication makes HTTPS websites slower than HTTP-only ones, but the difference between the two is minimal. The lag of using TLS/SSL is imperceptible to most users unless:
- The client computer or web server has slow processor speeds
- Visitor traffic is very high
- The internet connection is slow
In many cases, using HTTPS exclusively results in no significant performance loss for users, as demonstrated by Google, which uses secure connections for search, Gmail, and Drive.
Loss of Traffic
Implementing SSL/TLS can lead to a drop in traffic because it is advisable to remove and re-add the site on Google’s Webmaster Tools for faster implementation. Doing so causes the site to be reindexed, temporarily removing it from previous search rankings.
This process can therefore cause a drop in search traffic for a short amount of time. It may be wise to time TLS implementation carefully to avoid losing out on high-traffic times (i.e. holidays for consumer businesses).
Some sites may not function as planned once TLS has been implemented. This may be because older plugins might have configuration issues with the newer TLS technology. The older the website, the more likely this is to be an issue. Updating, repairing, or removing the plugin might fix the problem.