HTTP, or HyperText Transfer Protocol, is one of the most common protocols in use today. Almost all the websites you visit use the HTTP protocol. You can find which protocol is in use in the URL. Some websites show the HTTP protocol in their address, like http://domainname.com, while some don’t because HTTP is the default protocol. But there are times when you see ‘https’ in the URL of some websites. This is when you’re signing in to some account or paying some bills. In this post, we will see what the difference between HTTP and HTTPS is, and when and why these protocols are used.
What is HTTP?
HTTP is a protocol, or a set of rules, that an application follows while transmitting and receiving data. It is bound by those rules and will always work in that same way. Almost every normal website you visit uses the HTTP protocol to send data across the internet to the server. The information being sent from the user’s machine goes via a bunch of routers to the server. This is pretty normal when you’re just surfing webpages. But if you want to sign in to your bank account, your official e-mail account or, say, your Gmail/Facebook account, and you use the HTTP protocol, your information will go through various routers.
The problem arises from the possibility of a router being compromised. If any user has access to one of the routers through which our data is passing, or if one of them is compromised, anyone can easily get your data. This means if you enter your credit card number and it goes through a compromised router, another user or an attacker has your credit card information. It is like sending someone something openly through public transport. Anyone who has access to it can see whatever is passing by.
This is why companies like Google, Facebook, Amazon, Dropbox and various e-commerce and data storage websites don’t use the HTTP protocol. They go for HTTPS, which is an enhanced and secure version of the HTTP protocol, whereas normal day-to-day websites use the HTTP protocol since they’re not sending or receiving any sensitive data.
What is HTTPS?
HTTPS is like a better version of the HTTP protocol, one that provides the much-needed security to your data while it is transmitted over the internet. The HTTPS protocol encrypts your data with a key that only the server has, and hence only the server can decrypt it. So even if routers are compromised or someone is sniffing your network, they will only get garbled text, which can be decrypted only with the key the server possesses. Hence you can transfer any data, such as your login information or credit card information, over the internet and it’ll reach the server without any damage.
HTTPS uses the SSL protocol, which helps in the encryption and decryption of data. When you enter any website using the HTTPS protocol, the browser first initializes a TCP connection on port 443 of the server. Once the connection is successful, it starts an SSL handshake.
- The client first sends all its details to the server in a Client Hello message. It consists of the current SSL version, the ciphers it can use for encryption and some random data.
- The server responds with a Server Hello message consisting of the SSL version it’ll use, the cipher it’ll use and a session ID. It also sends some random data.
- The server then sends its digital certificate, which has a public key in it.
- Finally, the server sends a Server Hello Done message to tell the client that the server has given all its information.
- The browser sends a certificate verify message to tell the server it has successfully verified the certificate. It then proceeds to send a Change Cipher Spec command, telling the server that all the incoming data will be encrypted, and then sends a finish message. The finish message has a digest of the whole conversation between the client and server.
- The server also sends a Change Cipher Spec message acknowledging the type of encryption they’ll use, and a digest message covering their conversation.
This all happens within a few milliseconds and you get a webpage with HTTPS protocol.
Users trust companies like Facebook, Google, Microsoft, Amazon, Dropbox and e-commerce websites with their information. Websites are responsible for sending the data securely to the server. This is why all these companies use the HTTPS protocol. Ordinary websites can use HTTPS but they don’t need to, since they’re sending requests for pages and posts and hardly take any personal information like usernames, passwords, addresses or credit card details from the users. Hence many websites use HTTP, but when it comes to storing user data or transactions, companies switch to the HTTPS protocol for better security.