HTTP vs HTTPS


The Basics

HTTP

Security is increasingly important as better online experiences involve trusted third parties and good encryption. A basic part of understanding how this works is knowing the difference between HTTP and HTTPS.

Hypertext Transfer Protocol (HTTP) is the system used for sending and receiving information across the internet. It's what is known as an "application layer protocol", so its main focus is on how information is presented to the user. It doesn't care how data gets from point A to point B, and it is also "stateless", which means that it doesn't remember anything about the previous web session. The benefit of being stateless is that there is less data to send, which means increased speed.

The most common use for HTTP is to access HTML pages, which are the backbone of the websites we visit on the internet. However, it is important to remember that other resources can be accessed and utilized through HTTP as well. In fact, this is the most common way that websites that do not hold confidential information (such as credit cards and/or usernames and passwords) are set up.

HTTPS

Secure Hypertext Transfer Protocol (HTTPS) is, for all intents and purposes, a similar system used for sending and receiving information across the internet; it's just the secure version. The protocol was developed to allow for secure authorization and transactions. We don't want malicious actors gaining access to the private information we are creating, and HTTPS adds an extra layer of security to that exchange of confidential information. That extra layer is made possible because it uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) to move data back and forth. Neither protocol cares how the data gets to its destination, although HTTP cares about what the data looks like whereas HTTPS does not.

Google actually prefers that websites be encrypted with HTTPS because of that guarantee of extra security. When a business owner, developer, or webmaster goes through the motions of obtaining a certificate, the issuer becomes a trusted third party. The information in the certificate is used to verify that the site is what it claims to be, and finally the user/customer who knows the difference between HTTP and HTTPS can buy with confidence, giving electronic commerce more credibility. For anyone maintaining a site with heavy traffic, Google and the other search engines will give priority to sites with security and keep them boosted in the rankings, as long as the multitude of other SEO-related work follows their guidelines.

More Detail

Data sent using HTTPS is secured via the Transport Layer Security protocol (TLS), which provides three important layers of protection:

  1. Data Integrity - Data cannot be modified or corrupted during transfer without being detected.
  2. Encryption - Encrypting the exchanged data to keep it secure.
  3. Authentication - Proves that users/customers are communicating with the intended site.

These three layers are the main motivation behind the HTTPS protocol and help protect against eavesdropping on and tampering with the communicated content via man-in-the-middle (MITM) attacks.

How do browsers know who to trust?

Browsers come pre-installed with certificate authorities, meaning they know whom to trust. Likewise, the browser software is trusting that those authorities will provide valid certificates. A user/customer should be able to trust an HTTPS connection provided the following are all true:

  • Trust that the browser software correctly implements HTTPS with the correct pre-installed certificates.
  • Trust that the certificate authority will vouch only for legitimate websites.
  • The website provides a valid certificate signed by a trusted authority.
  • The certificate correctly identifies the website.
  • The user/customer trusts that the protocol's encryption layer (SSL/TLS) is secure against eavesdroppers.
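The Go program below is an added example, not code from the original post: it stands up a local HTTPS server whose self-signed certificate is constructed by Go's httptest package, then plays the browser's role under three of the conditions above (issuer not trusted, issuer trusted and name matches, issuer trusted but name mismatched). The hostname "wrong.example" and the "ok" response body are assumptions made for the demonstration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// FetchWithTrust requests url with a client that trusts only the CAs in roots
// (nil means the system trust store, like a browser with no extra certificates).
// serverName, if non-empty, is the hostname the certificate must identify.
func FetchWithTrust(url string, roots *x509.CertPool, serverName string) (string, error) {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots, ServerName: serverName},
	}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo runs a local HTTPS server whose self-signed certificate is constructed
// by httptest, then exercises three of the trust conditions listed above.
func Demo() (unknownCA error, body string, trusted error, badName error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok") // stands in for a login page's response
	}))
	defer srv.Close()
	// 1. The issuer is not in the trust store: the handshake is refused.
	_, unknownCA = FetchWithTrust(srv.URL, nil, "")
	// 2. The issuer is trusted and the certificate names this host: success.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	body, trusted = FetchWithTrust(srv.URL, pool, "")
	// 3. Trusted issuer, but the certificate does not identify the host asked for.
	_, badName = FetchWithTrust(srv.URL, pool, "wrong.example")
	return
}

func main() {
	unknownCA, body, trusted, badName := Demo()
	fmt.Printf("unknown CA: %v\ntrusted: %q %v\nwrong host: %v\n", unknownCA, body, trusted, badName)
}
```

The first and third requests fail before any request data is sent, which is exactly what a browser's certificate warning represents; only the second delivers the page.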

It is becoming increasingly important to use HTTPS over insecure networks such as public Wi-Fi, since anyone on the same local network can discover sensitive information using packet sniffing. The same goes for WLAN networks that engage in packet injection to serve their own ads on webpages. This can be exploited in many ways, such as injecting malware into those webpages to steal users' data and private information.

The case for using HTTPS on your own websites

With each day, it seems, we learn more about global mass surveillance and data being stolen by malicious actors. Because of this, the strongest case for using HTTPS is that you are making your website more secure. There are, however, limits to using HTTPS, as it is not 100% secure. It will not prevent your website from getting hacked or stop phishing emails from being sent either. Its importance lies in the fact that if you have users/customers logging in with sensitive information (such as passwords, social security numbers, etc.), then setting up HTTPS is the absolute minimum price and precaution that should be taken in order to protect them. And with security, you will build trust.
