What's the Difference Between HTTP and HTTPS? Things You Need to Know to Stay Secure Online
Mozilla Firefox users might have stumbled upon cases when they try to enter some text into an online form and they see a box saying: 'The connection is not secure. Logins entered here could be compromised.' When Google Chrome users go to these websites, they see a 'Not secure' message in the address bar. What's all this about?
The more observant among you probably know that some URLs start with "http://" and others with "https://". You might have also noticed that when the site is loading under HTTPS, you see a green padlock symbol next to the address of the website. This green padlock is really important, and we'll now explain why.
What is HTTP?
HTTP stands for Hypertext Transfer Protocol, and without it, you wouldn't be reading this. HTTP facilitates the transfer of text, images and other media between your computer and the server hosting the website you're visiting. Browsing the internet without this protocol would be a very different experience.
When Tim Berners-Lee created HTTP in 1989, the Internet wasn't exactly ubiquitous. Few people had access to it, and the online pioneers didn't see why anyone would want to steal information that was traveling between computers. Things, as you probably know, have changed quite a bit since then.
HTTPS and its importance
As the internet grew, more and more bad people started taking an interest in the ever-increasing amount of information that was flying around, and the so-called Man-In-The-Middle (MITM) attack was born. As the name suggests, during a MITM attack, a person inserts themselves between the user's computer and the website's server and sniffs through the flowing data. That way, the crook can steal passwords and tamper with what the user sends and receives.
It soon became apparent that the approach to sending sensitive information over the Internet had to change, and that's how HTTPS, or HTTP Secure, was born. HTTPS is not a different protocol: it is ordinary HTTP carried inside an encrypted TLS connection. It serves two main purposes:
- Encrypting your data. Encryption is at the heart of HTTPS. It initially relied on the Secure Sockets Layer (SSL) protocol, which has since been replaced by its more secure successor, Transport Layer Security (TLS); SSL itself is deprecated and disabled in modern browsers. Here's how it works in simple terms. As soon as you open an HTTPS connection, your browser and the server hosting the website first perform the so-called "handshake": using public-key cryptography, the two sides agree on a fresh session key that only they know, and the server proves its identity (more on that below). From then on, everything sent in either direction is encrypted with that key and protected by an authentication tag, so it is unreadable to anyone but you and the server, and any change made to it in transit is detected and the data is rejected. As a result, a hacker sitting on the path could capture your online banking session but would see only ciphertext, with no way to recover your username and password, and could not alter what the bank sends to your PC without your browser noticing. What HTTPS does not hide is that you are talking to that site at all: the server's address and, usually, its name, plus how much data flows, remain visible to an observer.
- Assuring you that you are at the right place. The purpose of HTTPS isn't just to turn your data into an unreadable mess of characters. To serve a website over HTTPS, you need a certificate (still commonly called an "SSL certificate" even though SSL was ditched a while ago). Certificates are issued by the so-called Certificate Authorities (CAs), and before issuing one a CA checks that the applicant actually controls the domain name the certificate is for. Your browser, in turn, checks that the certificate was signed by a CA it trusts, is still within its validity period and names the site in the address bar. That is what the padlock confirms: you are connected to the party that controls that domain name, not to someone impersonating it on the network. Some established online portals like PayPal have gone for Extended Validation (EV) certificates, for which the CA additionally verifies the legal identity of the organisation and browsers display its name. Many security experts reckon that EV brings little extra protection, because users seldom notice when the owner's name is absent, even though CAs take those additional steps before issuing one. Note what a certificate does not say: that the site's owner is honest. It binds a key to a domain name (and, for EV, to a registered organisation), nothing more.
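To make the two halves of the handshake above concrete, here is an added example in Go (standard library only; it is not code from the original article, from any browser or from any TLS library). Two parties agree on a session key with ephemeral X25519 key agreement, the same primitive TLS 1.3 uses, then protect a record with AES-256-GCM, and a change made by an on-path tamperer is rejected rather than decrypted. Hashing the shared secret straight into the AES key is a simplification of TLS's HKDF key schedule, the login string is a constructed sample, and the block deliberately leaves out the certificate that, in real TLS, ties the server's half of the exchange to a domain name.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// agreeSessionKey is the key-agreement step of the handshake. Browser and
// server each make an ephemeral X25519 key pair and exchange only the public
// halves; each combines its own private half with the other's public half and
// both arrive at the same secret, which someone who saw only the public halves
// cannot compute. Hashing it to a 32-byte AES key stands in for TLS's HKDF
// key schedule (a simplification made for this example).
func agreeSessionKey() (browserKey, serverKey []byte, err error) {
	browserPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serverPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	b, err := browserPriv.ECDH(serverPriv.PublicKey()) // browser side: my private, their public
	if err != nil {
		return nil, nil, err
	}
	s, err := serverPriv.ECDH(browserPriv.PublicKey()) // server side: the mirror image
	if err != nil {
		return nil, nil, err
	}
	bk, sk := sha256.Sum256(b), sha256.Sum256(s)
	return bk[:], sk[:], nil
}

// gcmFor wraps the session key in AES-256-GCM, the kind of authenticated
// cipher TLS uses for its record layer once the handshake is done.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts one record and prepends the random nonce that open() will need.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open decrypts a sealed record. Because of the authentication tag, a record
// that was altered in transit is rejected instead of being decrypted into garbage.
func open(key, record []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(record) < n {
		return nil, fmt.Errorf("record too short: %d bytes", len(record))
	}
	return gcm.Open(nil, record[:n], record[n:], nil)
}

func main() {
	browserKey, serverKey, err := agreeSessionKey()
	if err != nil {
		panic(err)
	}
	fmt.Println("both ends hold the same session key:", bytes.Equal(browserKey, serverKey))
	record, err := seal(browserKey, []byte("POST /login user=alice&pass=hunter2")) // constructed sample
	if err != nil {
		panic(err)
	}
	fmt.Printf("what an eavesdropper sees: %x\n", record)
	plain, err := open(serverKey, record)
	fmt.Printf("what the server reads: %q (err=%v)\n", plain, err)
	record[len(record)/2] ^= 0x01 // an on-path attacker flips one bit in transit
	_, err = open(serverKey, record)
	fmt.Println("after tampering, the server gets:", err)
}
```

Run it with `go run .`: the two derived keys match, the sealed record contains no recognisable plaintext, the server decrypts it, and the single flipped bit turns into an authentication failure instead of a silently corrupted login.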
When you're surfing the net, you want to be sure that you're always at the right website, which, in this day and age, isn't as easy as it may appear. With so many nosy hackers lurking around every corner, you also want to be confident that the data you send is not visible to ill-intentioned people. In theory, HTTPS answers both questions. In reality, we still need to be vigilant.
HTTPS adoption and the problems that come with it
For years, security experts urged website operators to switch to HTTPS, but their calls fell on deaf ears, and the reason was simple – money. Certificates were rather expensive and were mostly bought by e-commerce websites. Things changed two and a bit years ago when a new Certificate Authority called Let's Encrypt emerged. Unlike most CAs at the time, Let's Encrypt issues certificates for free, and the process is completely automated (a client on the web server proves control of the domain, fetches the certificate over the ACME protocol and later renews it without anyone's involvement), which means that adopting HTTPS takes just a few minutes and exactly $0.
The flip side is that serving a website over an encrypted connection is now just as simple for criminals as for legitimate online businesses, and experts have been seeing more and more phishing pages served with valid certificates. The padlock therefore can't be read as a sign of a trustworthy page. It means that your connection to the domain shown in the address bar is encrypted and that a CA confirmed the operator controls that domain; that is all it ever meant, and a phisher who registers a look-alike domain gets a perfectly valid certificate for it. Nevertheless, the growth in the number of HTTPS websites is a good thing, and it will probably continue.
Google has said that it uses HTTPS as a (lightweight) ranking signal, so websites served over an insecure connection can expect somewhat weaker search performance, and soon Google Chrome will label all HTTP websites as "Not secure", not just the ones that have a login form on them. In other words, HTTPS is becoming the norm, not the exception. If we want a safer World Wide Web, this is a very important step.