SSLTrust

Why is HTTP not secure? HTTP vs HTTPS

HTTP is a data transfer protocol; HTTPS is the secure version that encrypts data.


Learning Objectives

After reading this article you will be able to:

  • Understand the main difference between HTTP and HTTPS
  • Know why data encryption is important in HTTPS
  • Recognise the risks of HTTP


HTTP vs HTTPS: What’s the Difference?

HTTP (Hypertext Transfer Protocol) and HTTPS (Hypertext Transfer Protocol Secure) are protocols for data communication between a client (usually a web browser) and a web server. They do the same job—transfer data—but are very different in security, encryption and authentication. Here’s a breakdown:

Security and Encryption

  • HTTP sends data in plain text. This means any data sent between the browser and server is unencrypted and can be intercepted by third parties, making it vulnerable to MITM and eavesdropping.
  • HTTPS uses SSL/TLS to encrypt the data. Encryption means that even if the data is intercepted, it can’t be read without the decryption key, so the communication is much more secure.

[Image: A secure website compared to a not secure website]

Authentication

  • HTTP doesn’t verify the server. Users have no way of knowing whether the server they are communicating with is the one it claims to be, so attackers can set up fake websites and steal information.
  • HTTPS uses SSL certificates issued by Certificate Authorities (CAs) to verify a website. This means when a user connects to an HTTPS website, they can be sure the website is what it claims to be. The green padlock in the browser’s address bar is a visual indicator of a secure connection.

Data Integrity

  • HTTP offers no data integrity. Data can be modified during transmission, but the client or server won’t know.
  • HTTPS ensures data integrity. Any tampering with the data during transmission will be detected because SSL/TLS uses hashing algorithms to ensure data is unchanged between the server and client.

Speed and Performance

  • HTTP is slightly faster than HTTPS because it doesn’t require the SSL/TLS handshake to establish a secure connection.
  • HTTPS involves a handshake process, including encryption and decryption, which can introduce a minor delay. However, modern improvements like HTTP/2 have made HTTPS faster than traditional HTTP in many cases by allowing multiple requests to be sent over a single connection.

What does an HTTP Request look like compared to an HTTPS Request?

A GET request is the most common HTTP method to request data from a server, like fetching a webpage or an image. It asks the server to send back the resource specified in the URL.

Example of an HTTP GET Request:

GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Accept: text/html

In this example the client is requesting the index.html page from www.example.com. The GET method means the client wants to retrieve the page. The Host header specifies the target domain, the User-Agent provides information about the browser, and the Accept header means the client can handle HTML content.

Example of an HTTP GET Response:

HTTP/1.1 200 OK
Date: Mon, 22 Oct 2024 10:00:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 234

<!DOCTYPE html>
<html>
<head>
<title>Welcome to Example.com</title>
</head>
<body>
<h1>Welcome to Example.com</h1>
<p>This is the home page.</p>
</body>
</html>

In this response the server is telling the client with a 200 OK status code that the request was successful. The Content-Type header says the body is in HTML, and the Content-Length tells the size of the response body. The body is the HTML content of the index.html page, which the browser will render for the user. All this is visible to anyone snooping on your network traffic.

What does an HTTPS GET Request look like?

An HTTPS GET request is similar to an HTTP GET request but is encrypted using SSL/TLS for security. So, the data sent between the client and server is private and secure.

Instead of:

GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Accept: text/html

Any attacker snooping on the traffic would see only unreadable ciphertext, such as:

ZHpzbbcqmSW1+3xXGsERHg9YDmpYk0VVDiRvw1H5miNieJeJ/FNUjgH0BmVRWII6+T4MnDwm81pQfe+DpDVJPvZdZUZHpzbbcqmSW1+3xXGsERHg9YDmpYk0VVUjgH0BmVRWII6+T4MnDwmCMZUI/orxP3HGwYCSIvyzS3MpmmSeKCOHQ==

The response from the server will also be encrypted.
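As an added example (not code from the SSLTrust article), the Python below first shows what a passive observer recovers from the plaintext GET request above, then shows why the protected version is both unreadable and tamper-evident, which is the point made in the Data Integrity section. The keystream and HMAC tag are a deliberately simplified stand-in for TLS record protection, not TLS itself, and the key used in the test is a constructed sample.

```python
import hashlib
import hmac
import os

# The GET request from the article, as the bytes an on-path observer would capture.
HTTP_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    b"Accept: text/html\r\n\r\n"
)

def observer_view_http(raw: bytes) -> dict:
    """Plain HTTP: an observer recovers the method, path and every header."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher (HMAC-SHA256 in counter mode): an illustrative stand-in
    # for the real TLS record cipher, used only so this runs with the stdlib.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def protect(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag, i.e. what the wire carries."""
    nonce = os.urandom(12)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def unprotect(key: bytes, record: bytes):
    """Verify the tag before decrypting; returns None if any byte was altered."""
    nonce, ciphertext, tag = record[:12], record[12:-32], record[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampering (or wrong key) detected: never hand back the data
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
```

Flipping a single bit anywhere in the protected record makes `unprotect()` reject it, whereas the plaintext request offers nothing that would reveal the same change.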

How does HTTPS help authenticate web servers?

Authentication means proving that a website is actually who it says it is, something HTTP does not provide. HTTP assumes trust between a user and a web server without verifying the server’s identity. This was not a security decision: HTTP was designed for efficient data transfer, not for protecting against bad actors. However, as the internet evolved, verifying server identity became important.

HTTPS solves this by using SSL/TLS certificates, which act like a digital ID card for websites. When a user visits an HTTPS website, the server proves its identity by demonstrating possession of the private key that matches the public key in its SSL certificate. This key pair is proof that the server is the legitimate host of the website. If the server holds the correct private key, the SSL/TLS handshake can proceed and a secure, encrypted connection is established. This prevents impersonation and man-in-the-middle (MITM) attacks, where attackers try to pose as the legitimate server in order to intercept data. By authenticating web servers, HTTPS ensures users connect to the real website, secures their data, and builds trust.

[Image: SSL/HTTPS handshake to verify the web server]