Define HTTPS. How is it different from HTTP?
HTTPS, or Hypertext Transfer Protocol Secure, is the secure version of HTTP, the primary protocol browsers use to connect to web servers and display web pages to users. HTTPS uses asymmetric encryption to secure the data in transit between the web server and the client.
HTTPS is preferable wherever privacy matters, for example when making online transactions, logging into a bank, or performing other tasks that involve sensitive documents.
Websites that offer a login or that contain sensitive information should use HTTPS instead of HTTP. Modern browsers such as Chrome and Firefox do not simply let users enter a website without HTTPS enabled: if a user tries to open one, the browser flags it, shows a warning, or refuses to open it at all.
A green padlock, or simply a padlock, is shown to signify that HTTPS is in use. If a website is not using HTTPS, it is flagged, and users may not be able to access it.
How does HTTPS work?
HTTPS uses the Transport Layer Security (TLS) protocol, the successor to SSL, to encrypt communication between the client and the server. TLS uses asymmetric encryption, which relies on a pair of keys, one private and one public, to secure the communication.
The private key is kept on the server itself and is never shared with or visible to unauthorized users. It is used to decrypt communication that was encrypted with the public key.
The public key is distributed to anyone who wants to connect to the server. Information encrypted with the public key can be decrypted only with the private key, and vice versa. The public key is also embedded in the SSL/TLS certificate so that anyone can confirm the authenticity of the public key and of the server they are connecting to.
Why is HTTPS important?
HTTPS encrypts the communication between a server and a client. Without HTTPS, a malicious user could view the messages being exchanged, which may contain credentials, bank information, or other sensitive data, leading to privacy violations or fraud. This data can be sniffed easily with freely available software. An unencrypted connection is especially dangerous on public Wi-Fi, or even on a home network, where a sniffer can collect bank details and other sensitive information, with catastrophic consequences.
Apart from being vulnerable to MITM (man-in-the-middle) attacks, HTTP also allows intermediaries such as an ISP to inject content without any approval. These injections can take the form of ads or spam, which degrade the experience. HTTPS removes the ability to inject content or any other information into the website and protects against attacks such as MITM.
HTTP vs HTTPS
HTTP and HTTPS are not built differently at their core; both protocols are used to display web pages. The one big difference is the encryption used in HTTPS, which is TLS/SSL encryption layered over HTTP. HTTPS also uses certificates to ensure the authenticity of the server and to confirm ownership of the public key that will be used to encrypt the communication.
When the client connects to the server, the SSL/TLS certificate is exchanged; it contains the public key and other parameters needed for the communication. The client and the server then go through an SSL/TLS handshake to establish secure communication.
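The key pair and certificate exchange from the "How does HTTPS work?" section and the handshake described in the two paragraphs above, as an added example that is not part of the original page. This Go program (standard library only) has a server hold the private key and present a certificate for "localhost"; a client that trusts that certificate completes the TLS handshake, checks the verified server name, and fetches a page; a second client with an empty trust store refuses to connect, which is the failure a browser reports as a certificate warning. The self-signed certificate, the loopback port, and the function names (newServerCert, startServer, fetch, demo) are constructed for this example; in production the certificate is issued by a CA the browser already trusts, and the trust store is the browser's, not a pool built in code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"strings"
	"time"
)

// newServerCert builds a constructed, self-signed certificate for "localhost" so the
// example runs offline. The returned pool plays the role of the browser's trust store.
func newServerCert() (tls.Certificate, *x509.CertPool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // private key: stays on the server
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	// The certificate binds the public key to the name "localhost".
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool, nil
}

// startServer listens on a random loopback port and answers each TLS connection with a
// minimal HTTP response. The handshake runs inside the first Read, so a client that
// rejects the certificate simply makes that Read fail and the connection is dropped.
func startServer(cert tls.Certificate) (net.Listener, error) {
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				if _, err := c.Read(make([]byte, 4096)); err != nil {
					return // handshake failed or client went away
				}
				fmt.Fprint(c, "HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
			}(conn)
		}
	}()
	return ln, nil
}

// fetch plays the browser: it dials, verifies the server's certificate against roots
// during the handshake, sends GET / and returns the body plus the verified peer name.
func fetch(addr string, roots *x509.CertPool) (body, peerCN string, err error) {
	cfg := &tls.Config{RootCAs: roots, ServerName: "localhost", MinVersion: tls.VersionTLS12}
	conn, err := tls.Dial("tcp", addr, cfg) // certificate verification happens here
	if err != nil {
		return "", "", err
	}
	defer conn.Close()
	peerCN = conn.ConnectionState().PeerCertificates[0].Subject.CommonName
	fmt.Fprint(conn, "GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n")
	raw, err := io.ReadAll(conn) // reads until the server sends close_notify
	if err != nil {
		return "", "", err
	}
	resp := string(raw)
	if i := strings.Index(resp, "\r\n\r\n"); i >= 0 {
		resp = resp[i+4:] // drop the status line and headers, keep the body
	}
	return resp, peerCN, nil
}

// demo runs both clients: one trusting the server certificate, one trusting nothing.
func demo() (body, peerCN string, rejected bool, err error) {
	cert, pool, err := newServerCert()
	if err != nil {
		return "", "", false, err
	}
	ln, err := startServer(cert)
	if err != nil {
		return "", "", false, err
	}
	defer ln.Close()
	body, peerCN, err = fetch(ln.Addr().String(), pool)
	if err != nil {
		return "", "", false, err
	}
	_, _, untrustedErr := fetch(ln.Addr().String(), x509.NewCertPool()) // empty trust store
	return body, peerCN, untrustedErr != nil, nil
}

func main() {
	body, cn, rejected, err := demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("body=%q verified server name=%q untrusted client rejected=%v\n", body, cn, rejected)
}
```

Run it with `go run`; the trusting client receives the body and reports the server name it verified, while the client with the empty pool fails inside `tls.Dial` with an "unknown authority" error, before any HTTP data is sent. That ordering is the point: the certificate check is part of the handshake, so credentials never leave the client toward a server whose identity could not be confirmed.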