In this definition...
What is HTTP?
The HyperText Transfer Protocol (HTTP) is the foundation of the World Wide Web. It’s an application layer protocol designed to transfer information between networked devices. Developed by Tim Berners-Lee, HTTP defines how messages are formatted and transmitted and what actions web servers and browsers should take in response to various commands.
When you enter a URL in your browser, this sends an HTTP command to the web server, directing it to fetch and transmit the requested web page. As a request-response protocol, HTTP gives users a way to interact with web resources such as HTML files by transmitting hypertext messages between clients and servers. HTTP clients typically use Transmission Control Protocol connections to communicate with servers.
The diagram below shows the basic architecture of the HTTP.
The HTTP web client sends a request to the server in the form of a request method, URL, protocol version, request modifiers, client info, and possible body content. The HTTP server responds in a status line (as shown above), including the message’s protocol version and a success or error message, such as a 404 message.
What is HTTPS?
HTTPS (Hypertext Transfer Protocol Secure), the secure update of HTTP, uses an authentication process to encrypt the connection between web browsers (or clients) and servers. This process overlays Transport Layer Security (TLS) onto HTTP.
TLS uses symmetric cryptography to transfer data between a browser and a website. This involves a handshake process that verifies the server’s digital certificate, which provides evidence it can provide a reliable public key. A certificate authority verifies that the server is trustworthy by signing their digital certificate. Once the server has been authenticated, it generates a random session key that encrypts the data transfer between server and browser for the duration of the connection or session.
Just like someone’s ID card confirms their identity, a private key confirms server identity. When a user navigates to a website, possession of the private key that matches the public key in the SSL certificate proves that the server is legitimate. This process prevents a number of attacks including man-in-the-middle attacks, DNS hijacking, and domain spoofing.
HTTPS can also include mutual authentication, where the client or user is required to verify their identity as well. This is important when accessing business accounts or files that should only be viewed by specific users. HTTPS has become so important that some browsers, notably Google Chrome, notify users directly if a browser only uses HTTP. Even so, not all websites (even ones that would benefit from extra security) have adopted HTTPS. The protocol is gaining popularity, even among websites that don’t process transactions or sensitive information.
What are the Main Differences Between HTTP and HTTPS?
The main difference between the two protocols is the presence of an SSL certificate. HTTP doesn’t have SSL, while HTTPS does. Here’s some other notable differences:
The original use for HTTPS was for ecommerce transactions, email, and other sensitive data transfers. Because of its superior security over HTTP, it’s become the standard for all websites, is endorsed by Google, and is now a requirement for many new browser features.
HTTP Pros & Cons
There are weightier cons to using HTTP than there are pros, but some key pros of HTTP include:
- HTTP is faster than HTTPS since HTTPS consumes computation power to encrypt the communication channel.
- With file type notification preceding data transmission, the receiving application has the option to download extensions of plug-ins, such as Flash players and PDF document readers.
- HTTP is coded in plain text, so it’s easy for developers to follow and implement. Data is formatted in lines of text instead of strings of variables or fields.
Cons of HTTP that have led users to switched to using HTTPS include:
- HTTP has no ability to regulate the content of data being transmitted over it, which is why http is not secure when transferring sensitive information.
- HTTP relies heavily on DNS, which associates domain names with underlying IP addresses. Malicious parties can deliberately misassociate an IP address-DNS pairing to spoof a DNS. This allows them to divert users from the intended site to a completely different one.
- HTTP doesn’t have a method for clients to discard cached authentication credentials.
- Web browsers like Google Chrome recognize the risks of HTTP websites, and notify users with a “not secure” or “dangerous” message when they visit one, hurting the site’s web traffic.
HTTPS Pros & Cons
HTTPS is safer than HTTP. The main benefits of using HTTPS include authenticating the server, encrypting data transmission, and protecting the exchanges from tampering. Other pros include:
- 84 percent of internet users would abandon a purchase if data was sent over an unsecure connection. Users want to know their information is secure, and using HTTPS allows businesses to encrypt customers’ data.
- Using HTTPS can increase search rankings on Google.
- Sites running on HTTP will have a redirect in place, meaning if a user types “HTTP://”, it will redirect to HTTPS over a secure connection.
- Those wanting to use Accelerated Mobile Pages (AMP) have to use HTTPS. AMP was created by Google as a way to load content onto mobile devices at a faster rate than without it.
There are few limitations with HTTPS, but those cons are:
- HTTPS can’t stop confidential information from being stolen from pages cached on the browser.
- SSL data can be encrypted only during transmission of the network, meaning it can’t clear the text in the browser memory.
- HTTPS can increase computational overhead as well as organizational network overhead.
How to switch from HTTP to HTTPS
For those running or building a website, follow these steps to switch from using HTTP to HTTPS.
- Buy an SSL certificate. Almost all website hosting platforms sell SSL certificates.
- Configure hosting with SSL certificate. The web hosting platform can correctly install and activate the certificate to ensure its proper function.
- Change all website links to HTTPS. A mix of HTTP and HTTPS URLS will confuse readers and lead to possible penalties from search engine algorithms.
- Set up 301 redirects. A 301 redirect notifies search engines that your site needs to be crawled and indexed.