Why every organization should know the key differences between HTTP and HTTPS?

Read time: 3 minutes

HTTP and HTTPS are seen everyday when using the Internet, whether you are in the cybersecurity field or not. You have likely seen a URL that looks like this:

https://www.google.com or http://www.fakewebsite.com.

These are vital parts of how searching a URL on the Internet works, but not everyone knows how HTTP and HTTPS work. So what are HTTP and HTTPS, and what is the difference between the two?

What is HTTP?

HTTP, or Hypertext Transfer Protocol, works to transfer data across a network. Data is put into a specified format and syntax to ensure it can be read and transferred correctly. HTTP is set up to send and receive both requests and responses. HTTP requests happen when a hyperlink is clicked, or a website URL is put into the browser. The HTTP request is sent using one of the different HTTP methods to retrieve or send information to a webpage. The webserver, in turn, provides an HTTP POST response, which is an HTTP response, and that gives the user access to the desired webpage.

The majority of web pages do not use HTTP but instead use HTTPS because HTTP is not a secure way to transfer data across a network.

What is HTTPS?

HTTPS, or Hypertext Transfer Protocol Secure, is the more secure way to transfer data between a web browser and a web server, that is why most websites use HTTPS. HTTPS utilizes a TLS/SSL connection to securely transfer data between your web browser and the server of the webpage.

Requests and responses sent with HTTPS are encrypted so that any Man in the Middle attacks that may occur will be thwarted since the data can’t be read. The encryption type HTTPS uses is asymmetric encryption and symmetric encryption. The way asymmetric encryption works is that the requested server generates a public and private key pair and the public key is stored in an SSL certificate. The private key, as the name suggests, is kept private to the webserver.

When an HTTPS connection is made to the web server, the client and server complete a TLS Handshake. This Handshake provides a symmetric session key to the server, which then decrypts the session key with it’s private key. When an encrypted message is received, the message is encrypted by the session key, and the client can decrypt the session key using it’s private key. This allows the message to be encrypted in transit and authenticates that the message encrypted within is from the server, since the key pair is mathematically linked.

Comparing HTTP and HTTPS

Now that we know what HTTP and HTTPS are, let us look at the differences and similarities between the two.

1. HTTP is insecure, whereas HTTPS is secure

   As we talked about in the HTTPS section, HTTPS is extremely secure because of its use of asymmetric encryption for data transferred over the network. Additionally, it requires that both itself and the requestor have a valid TLS/SSL certificate to identify each user and authenticate the messages sent by the user. HTTP, on the other hand, sends messages unencrypted to the requestor. This means attacks such as Man in the Middle Attacks will be successful, allowing the man in the middle to take the information transferred to the server, which could include credit card information or other Personally Identifiable Information (PII).

2. Data sent via ports

   With HTTP, data is sent via port 80, which allows unencrypted data to be sent to requestors. HTTPS instead uses port 443, which allows encrypted communications to occur.

3. OSI Layers and URLS

   One final difference between HTTP and HTTPS is the OSI layer they work in and how URLs are structured. The Open Systems Interconnection (OSI) model is a model that shows the seven different layers that computers communicate through.

   The seven layers are:

   • The Application Layer
   • The Presentation Layer
   • The Session Layer
   • The Transport Layer
   • The Network Layer
   • The Data Link Layer
   • The Physical Layer

Conclusion

Utilizing encryption and digital certificates is important for both connections across the Internet as well as within an organization’s internal network. Security systems like Public Key Infrastructures (PKIs) provide users and devices in an organization with certificates to identify them and allow encryption of messages. To learn how Encryption Consulting can help you with setting up a PKI within your organization, visit our website at www.encryptionconsulting.com.