Differences Between HTTP and HTTPS

Differences Between HTTP and HTTPS

Basic Concepts

HTTP (HyperText Transfer Protocol) is an application layer protocol used for distributed, collaborative, and hypermedia information systems. Simply put, it is a method for publishing and receiving HTML pages, used to transmit information between web browsers and website servers.

HTTP operates by default on TCP port 80, and users access standard HTTP services starting with http://.

The HTTP protocol sends content in plaintext and does not provide any means of data encryption. If an attacker intercepts the transmission messages between the web browser and the website server, they can directly read the information contained within. Therefore, the HTTP protocol is not suitable for transmitting sensitive information, such as credit card numbers or passwords.

HTTPS (Hypertext Transfer Protocol Secure) is a transmission protocol that enables secure communication over a computer network. HTTPS communicates through HTTP but uses SSL/TLS to encrypt the data packets. The main purpose of HTTPS is to provide authentication of the website server and protect the privacy and integrity of exchanged data.

HTTPS operates by default on TCP port 443, and its workflow generally follows these steps:

  • 1. TCP three-way handshake

  • 2. Client verifies server’s digital certificate

  • 3. DH algorithm negotiates the keys for symmetric encryption and hash algorithms

  • 4. SSL secure encryption tunnel negotiation is completed

  • 5. Web pages are transmitted in an encrypted manner, using the negotiated symmetric encryption algorithm and key to ensure data confidentiality; a negotiated hash algorithm is used to protect data integrity, ensuring that data is not tampered with.

As of June 2018, 34.6% of the top 1 million websites according to Alexa use HTTPS as the default, with 43.1% of the 141,387 most popular websites on the internet implementing secure HTTPS, and 45% of page loads (according to Firefox records) using HTTPS. In March 2017, only 0.11% of registered domain names in China used HTTPS.

According to Mozilla statistics, since January 2017, over half of website traffic has been encrypted.

Differences Between HTTP and HTTPS

  • HTTP transmits data in plaintext and is less secure, while HTTPS (SSL+HTTP) encrypts the data transmission process, making it more secure.

  • Using HTTPS requires obtaining a certificate from a CA (Certificate Authority), and generally, free certificates are rare, thus incurring some cost. Certificate issuing authorities include Symantec, Comodo, GoDaddy, and GlobalSign.

  • HTTP page response speeds are faster than HTTPS, mainly because HTTP uses three packets for the TCP three-way handshake to establish a connection, while HTTPS requires the three TCP packets plus an additional nine packets for SSL handshake, totaling twelve packets.

  • HTTP and HTTPS use completely different connection methods and ports; the former uses port 80, while the latter uses port 443.

  • HTTPS is essentially HTTP built on SSL/TLS, which means HTTPS consumes more server resources than HTTP.

TCP Three-Way Handshake

In the TCP/IP protocol, the TCP protocol establishes a reliable connection through a three-way handshake.

Differences Between HTTP and HTTPS

  • First handshake: The client attempts to connect to the server and sends a SYN packet (Synchronize Sequence Numbers), syn=j, putting the client in the SYN_SEND state waiting for server confirmation.

  • Second handshake: The server receives the client’s SYN packet and confirms (ack=j+1), while sending a SYN packet (syn=k) back to the client, which is a SYN+ACK packet; at this point, the server enters the SYN_RECV state.

  • Third handshake: The client receives the server’s SYN+ACK packet and sends an ACK packet (ack=k+1) to the server. After this packet is sent, both the client and server enter the ESTABLISHED state, completing the three-way handshake.

Simplified:

Differences Between HTTP and HTTPS

Working Principle of HTTPS

We all know that HTTPS can encrypt information to prevent sensitive information from being obtained by third parties, which is why many banking websites or high-security services such as email use HTTPS.

Differences Between HTTP and HTTPS

1. Client initiates HTTPS request

This is straightforward; the user enters an HTTPS URL in the browser and connects to the server’s port 443.

2. Server configuration

A server using the HTTPS protocol must have a digital certificate, which can be self-generated or requested from an organization. The difference is that a self-issued certificate must be validated by the client to continue access, while a certificate obtained from a trusted company will not prompt a warning page (startssl is a good option, offering one year of free service).

This certificate is essentially a pair of public and private keys. If you don’t understand public and private keys, think of them as a key and a lock; only you have the key, and you can give the lock to others. They can use this lock to secure important items and send them to you because only you possess the key, allowing you to see what is locked.

3. Certificate transmission

This certificate is essentially the public key but contains a lot of information, such as the issuing authority and expiration date.

4. Client parses the certificate

This work is done by the client’s TLS, which first verifies the validity of the public key, such as the issuing authority and expiration date. If any issues are found, a warning box will pop up, indicating a problem with the certificate.

If the certificate is valid, a random value is generated and encrypted using the certificate, just like locking the random value with a lock; only someone with the key can see the locked content.

5. Transmission of encrypted information

This part transmits the random value encrypted with the certificate, allowing the server to receive this random value, which will be used for encryption and decryption in future communications between the client and server.

6. Server decrypts the information

The server uses the private key to decrypt the random value sent by the client (private key) and then encrypts the content using that value. Symmetric encryption means mixing the information with the private key using some algorithm; unless one knows the private key, it is impossible to access the content. Since both the client and server know this private key, as long as the encryption algorithm is robust and the private key is complex, the data is secure.

7. Transmission of encrypted information

This information is the content encrypted by the server using the private key, which can be restored on the client side.

8. Client decrypts the information

The client uses the previously generated private key to decrypt the information sent by the server, thus obtaining the decrypted content. Throughout this process, even if a third party intercepts the data, they are powerless.

Related posts

  1. What Is a Network Protocol? Understanding Network Processes
  2. Understanding TCP/IP Protocols
  3. Why The Global Internet Relies on TCP/IP Model
  4. Getting Started with HTTP Requests Using Httpie in Python
  5. Basics of HTTP Protocol
  6. Developing IoT Gateways: Design Process Based on MQTT Message Bus (Part 1)
  7. Simple Configuration of Clash in Kali
  8. Introducing Semiconducting-to-Metallic Transitions in 2D PdSe2 Layers
  9. Understanding RSA Algorithm Principles: Overview of Common Encryption Algorithms
  10. Mastering PyCrypto: Secure Your Data with Python
  11. Understanding TCP/IP, HTTP, and HTTPS in Depth
  12. Certification and Security: Infineon’s OPTIGA TPM for Embedded Applications
  13. Analysis of In-Vehicle Networks
  14. Introduction to Networking Basics
  15. An Introduction to TCP/IP and HTTP
  16. Master Huawei Interview Questions: Understanding HTTP

Leave a Comment