The HyperText Transfer Protocol (HTTP) is the foundation of the World Wide Web. It’s an application layer protocol designed to transfer information between networked devices. Developed by Tim Berners-Lee, HTTP defines how messages are formatted and transmitted and what actions web servers and browsers should take in response to various commands.
When you enter a URL in your browser, the browser sends an HTTP request to the web server, directing it to fetch and transmit the requested web page. As a request-response protocol, HTTP gives users a way to interact with web resources such as HTML files by transmitting hypertext messages between clients and servers. HTTP clients typically use Transmission Control Protocol connections to communicate with servers.
The diagram below shows the basic architecture of HTTP.
The HTTP web client sends a request to the server in the form of a request method, URL, protocol version, request modifiers, client info, and possible body content. The HTTP server responds with a status line (as shown above), including the message’s protocol version and a success or error message, such as a 404 message.
HTTPS (Hypertext Transfer Protocol Secure), the secure update of HTTP, uses an authentication process to encrypt the connection between web browsers (or clients) and servers. This process overlays Transport Layer Security (TLS) onto HTTP.
TLS uses symmetric cryptography to transfer data between a browser and a website. This involves a handshake process that verifies the server’s digital certificate, which serves as evidence that the public key it presents can be relied on. A certificate authority verifies that the server is trustworthy by signing its digital certificate. Once the server has been authenticated, it generates a random session key that encrypts the data transfer between server and browser for the duration of the connection or session.
Just like someone’s ID card confirms their identity, a private key confirms server identity. When a user navigates to a website, possession of the private key that matches the public key in the SSL certificate proves that the server is legitimate. This process prevents a number of attacks including man-in-the-middle attacks, DNS hijacking, and domain spoofing.
HTTPS can also include mutual authentication, where the client or user is required to verify their identity as well. This is important when accessing business accounts or files that should only be viewed by specific users. HTTPS has become so important that some browsers, notably Google Chrome, notify users directly if a website only uses HTTP. Even so, not all websites (even ones that would benefit from extra security) have adopted HTTPS. The protocol is gaining popularity, even among websites that don’t process transactions or sensitive information.
The main difference between the two protocols is the presence of an SSL certificate. HTTP doesn’t have SSL, while HTTPS does. Here are some other notable differences:
The original use for HTTPS was for ecommerce transactions, email, and other sensitive data transfers. Because of its superior security over HTTP, it’s become the standard for all websites, is endorsed by Google, and is now a requirement for many new browser features.
There are weightier cons to using HTTP than there are pros, but some key pros of HTTP include:
Cons of HTTP that have led users to switch to HTTPS include:
HTTPS is safer than HTTP. The main benefits of using HTTPS include authenticating the server, encrypting data transmission, and protecting the exchanges from tampering. Other pros include:
HTTPS has few limitations, but its cons are:
For those running or building a website, follow these steps to switch from using HTTP to HTTPS.