HTTP vs. HTTPS: What's the difference?
HTTP and HTTPS are web communication protocols. HTTP lacks security, while HTTPS encrypts data to adhere to the security standards of confidentiality, integrity and authenticity.
From holiday shopping to fantasy football to remote system administration, web-based communications are undoubtedly critical. These transmissions are all based around Hypertext Transfer Protocol, a relatively old communications standard.
Today, many people check for the more secure HTTP Secure (HTTPS) protocol indicator in their browsers. But fewer understand the differences between the two protocols and how HTTPS helps protect web communications.
What's the difference between HTTP vs. HTTPS?
HTTP and HTTPS are network protocols that facilitate communication between web browsers and servers to create a web connection. Before differentiating between HTTP and HTTPS, let's first learn how web connections work to understand the roles HTTP and HTTPS play in establishing them.
A web connection is essentially a file transfer. The web server stores files that web browsers interpret and format for users. The files include text, scripts, images and other resources. When a browser connects to a website, it requests to download the files that make up the site.
HTTP uses a request method named GET, which the server interprets as a read-only request for a copy of the website files. Clients use the POST method to send data to the web server, such as form submissions or file uploads.
When HTTP transfers data with these methods, it doesn't encrypt the data. This can pose risks that undermine the security concepts of confidentiality, integrity and authenticity:
- Confidentiality. Content should only be available to authorized users.
- Integrity. Content shouldn't change. If an alteration occurs, IT teams must be able to identify it.
- Authenticity. IT teams should be able to pinpoint from where content originates, which indicates its source and establishes nonrepudiation.
HTTP doesn't address these concepts. HTTPS does, however, which is where the differences between the two protocols begin. While the two are largely the same, HTTPS includes certificates that ensure authentic, confidential and tamper-free communications.
How does HTTP work?
Standard web browsing relies on HTTP, which is an application layer protocol that establishes the connection used to transfer website files from a server to a client. The files contain text and images that use HTML for formatting instructions.
Security was less of a concern in the early days of the web because users were merely browsing webpages. More security concerns exist now that have made HTTP plaintext data transfers unsuitable for day-to-day browsing.
HTTP does not mitigate several web browsing risks, including the following:
- Server authentication. The web server's identity is not authenticated, which means a user could inadvertently download malicious files from web servers with fake identities.
- Website file interception. Malicious actors could intercept and view the files that make up the requested website, which violates the user's privacy.
- Website or webpage tampering. Malicious actors could change the files that make up the requested website, which enables them to provide the user with fake and potentially dangerous information.
- GET requests exposing data. The browser's GET request could expose confidential user information.
- Web-based administrative tools revealing sensitive information. Many sys admins rely on web-based utilities to manage servers, routers, cloud resources and other devices, which makes it essential to secure them.
These weaknesses make HTTP a risky choice today. User data is more vulnerable to confidentiality and integrity attacks that could lead to serious consequences.
How does HTTPS differ from HTTP?
As the name suggests, HTTP Secure extends HTTP's functionality with security. HTTPS adds encryption to various parts of the transmission process. The general concept of HTTPS remains the same: A web client downloads the files that make up the website from the web server. However, the process includes several additional layers that enhance security.
Before web files are available under HTTPS, a website must have a certificate issued by a certificate authority. Public CAs charge a fee to guarantee the site's identity with these certificates. Private CA servers can also identify internal resources.
Before CAs issue a certificate, they first confirm the organization's identity. CAs look at information such as domain ownership and business details. CAs also manage the certificate's lifecycle, such as requests, renewals, revocations and expirations.
The certificate and the cryptographic methods are tied together by a transport protocol: HTTPS uses the Transport Layer Security (TLS) protocol to handle encryption. TLS evolved from the older Secure Sockets Layer (SSL) protocol. Other application layer protocols, such as SMTP, can also use TLS.
HTTPS encryption relies on symmetric and asymmetric cryptography concepts:
- Symmetric cryptography. A single shared key both encrypts and decrypts data, which makes for a quicker process but carries a greater risk of key exposure, because the same key must exist on both ends.
- Asymmetric cryptography. Two keys exist: one public and one private. If data is encrypted with one key, it must be decrypted with the other. Because the private key is never exposed on the network, asymmetric cryptography is more secure, but it's a slower process.
The certificate is based on a public and private key pair that identifies the server. The private key remains on the server, while the public key is stored in the certificate and available to web clients. Remember, data encrypted with one key can only be decrypted with the other.
Clients download the website's digital certificate during the initial HTTPS connection and use its data to verify the web server's identity. The browser generates a symmetric session key that it encrypts with the server's public key and sends to the web server.
The web server decrypts the session key with its private key. This enables the client device and web server to exchange the session key securely. From this point forward, the session key encrypts all web communications. (This describes the RSA key exchange used by older TLS versions; TLS 1.3 instead derives the session key through an ephemeral Diffie-Hellman exchange that the server signs with its private key, so the result, a shared session key whose authenticity rests on the certificate, is the same.)
This process addresses HTTP's weaknesses, including the following:
- Server authentication. The client device validates the server's certificate against the issuing CA's signature to verify the server's identity.
- Confidential data interception. The session key protects data confidentiality.
- Data tampering. The session key protects data integrity.
- Data exposure in the GET method. The session key protects against data exposure, because the request line and query string are encrypted along with everything else.
- Secure remote administration. This process enables secure administration using web-based connections.
CAs guarantee an organization's identity and issue a digital certificate containing the organization's public key. Web clients download the certificate and use the information contained within it to verify the web server's identity and begin negotiating for a symmetric session key.
Switch from HTTP to HTTPS
Web server administrators typically rely on HTTPS for their sites. Its benefits almost always outweigh the cost, additional configuration and administrative overhead.
HTTPS' ability to provide confidentiality, data integrity and authenticity makes it critical to any privacy-oriented web transactions, such as banking, remote administration, healthcare and more. Even network administrators who host small, static sites might want to consider redirecting their sites from HTTP to HTTPS to ensure visitors receive the correct data.
Those who want to enforce HTTPS communications should begin by obtaining a web certificate from a reputable CA and installing it on the web server. The web server software offers ways to integrate HTTPS and certificates. Network administrators might also need to manage their firewall configurations, as HTTP uses TCP port 80, while HTTPS relies on TCP port 443.
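As an added illustration that is not part of the original article, the following nginx configuration shows the switch described above: port 80 does nothing but redirect visitors to HTTPS, and port 443 serves the site with the CA-issued certificate. The hostname example.com, the certificate and key paths and the document root are placeholders.

```nginx
# Added example: minimal HTTP -> HTTPS switch for nginx.
# example.com and every file path below are placeholders.

# Port 80: keep HTTP listening only to send visitors to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Permanent redirect to the same host and path over HTTPS.
    # Anything in this plaintext request is already visible on
    # the wire, so answer with the redirect and nothing else.
    return 301 https://$host$request_uri;
}

# Port 443: serve the site over TLS.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    # Certificate chain issued by the CA (server certificate followed
    # by any intermediates) and the private key, which never leaves
    # this server. Placeholder paths.
    ssl_certificate     /etc/ssl/certs/example.com.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    # Accept only current protocol versions; SSL and TLS 1.0/1.1
    # are deprecated and should not be offered.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Placeholder path to the site's files.
    root  /var/www/example.com;
    index index.html;
}
```

After reloading nginx, open TCP port 443 on the firewall and keep port 80 open only so the redirect can be served.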
Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to TechTarget Editorial, The New Stack and CompTIA Blogs.