HTTP vs. HTTPs

06.Nov.2021

We all know that HTTP is the protocol to use when you want to retrieve data from a web server, like HTML pages and images. Since HTTP sends data in plain text, it can result in the disclosure of personal information, like credit card numbers or usernames and passwords.

To allow users to send sensitive information safely over an insecure network (such as the internet), HTTPS was developed. The 'S' stands for "Secure," meaning that HTTPS provides communication security across the Internet for data being transmitted from one browser to another by encrypting that data.

So that anyone viewing a website in their browser can tell whether the site uses HTTPS or not, every website has an SSL certificate installed on its web server.

An SSL certificate is a small file that contains the server's public key and identifies the site owner. The SSL certificate also provides identification to users in order for them to be confident when sending information, such as personal or financial data.

SSL certificates are issued by one of several Certificate Authorities (CAs). These organizations use a variety of means to validate companies and people. Once verified, they digitally sign an organization's certificate and make it available on their website. Anyone who wants to visit this website can download this digital signature from the CA via any browser or operating system; then, when that person visits that particular site, their computer will compare the signature with its own list of authorized CAs and check whether they match -- if they do match, your browser will allow the connection.

The SSL protocol is widely used today. It is essential to protect users when they are transmitting sensitive information, such as credit card data, over a network that they don't trust completely. In the case of HTTPS, web servers provide this encryption and security by default. Even HTTP can be encrypted using Secure Sockets Layer (SSL) technology, although it's important to note that HTTPS does not always use SSL certificates -- some organizations have chosen different encryption methods for their websites' connections with browsers.

It's secure! Right? Well... not so fast. There is a little more to this story than you might think...

As many of us know, there have been a huge number of breaches recently in which our personal information has been stolen. One method in particular has increased in prevalence because of its high success rate at stealing user data: the "man-in-the-middle" attack.

A man-in-the-middle attack occurs when an attacker intercepts traffic between two systems and impersonates each one, allowing sensitive information to be compromised without either party's knowledge. If an attacker can manage to get themselves into the communication line between a user and their intended destination -- say, by using some form of phishing or a fake WiFi access point -- they can read all encrypted traffic being sent back and forth before passing it on. For example, if you are trying to log in with your username and password over HTTPS (encrypted), the attacker pretends to be the website you are trying to log in to and gives you a fake page that looks like that same website. You then enter your username and password on that page, and the attacker sends them (in encrypted form) on to the real site's server -- but not before stealing them first and using them for their own purposes.

At this point, we can all agree HTTPS provides some measure of security -- users would love an encryption solution like this for HTTP! But how do we get there? There has been a lot of talk recently about encrypting even regular HTTP traffic (which usually isn't encrypted), such as HTTP over SSL (HSTS). Although HSTS does provide some security benefits, it is still vulnerable to man-in-the-middle attacks if implemented incorrectly.

HTTPS is only as good as the Certificate Authority you use, and your trust of that authority. If you are using a CA that has been compromised, all encrypted traffic is exposed to eavesdropping -- so it's important to know which CAs are trustworthy and reliable before putting this much trust in an encryption mechanism! One of the most popular browsers out there today, Microsoft Internet Explorer (IE), decided recently to take the security of their user base into their own hands by building a list of four CAs they recommend for ensuring HTTPS protection on websites. And while some might be thinking IE got this right, others disagree...
