Explore the exact difference between HTTP and HTTPS with examples:
When we say "HTTP vs HTTPS", the first requirement is to understand the basic meaning of each of the two terms.
Once we know what HTTP and HTTPS mean, we can move ahead and compare them.
What is HTTP?
HTTP is an acronym for Hypertext Transfer Protocol. Within the internet protocol suite, HTTP is an application layer protocol for client-server communication between distributed, shared hypermedia information systems.
The communication is achieved by sending HTTP requests and receiving HTTP responses over the www (world wide web).
HTTP was developed to enable hypertext and the www. It works as a request-response protocol in a client-server computing model.
A client (say, a web browser) sends an HTTP request to the web server (say, a cloud computer). The server receives the request and executes an application to process it. It then returns the application's output, i.e. the HTTP response, to the client, and the client receives the response.
The 'Protocol' part of the name HTTP indicates that it is a set of rules. HTTP is one of the protocols in the internet protocol suite.
The 'Transfer' part of the name HTTP indicates the transfer of files over the www. These files can be text, graphics, images, audio, video or any other multimedia.
The 'HyperText' part of the name HTTP indicates that the documents or files can contain links to other texts that the reader can access immediately by a mouse click, a key press or touching the screen.
So, hypertext allows extensive cross-referencing: files can contain links to other files, and selecting a link triggers an additional transfer request.
In simple words, HTTP is a set of rules for transferring hypertext files over the www.
What is HTTPS?
HTTPS, developed by Netscape, is an acronym for Hypertext Transfer Protocol Secure. The limitation of HTTP is that the flow of information between client and server is not encrypted, so anyone who can observe the traffic can read it.
The hypertext exchanged using HTTP travels as plain text, and anyone who intercepts the communication can read it or inject their own code for their own benefit. HTTPS was developed to overcome this security limitation of HTTP.
The 'S' at the end of HTTPS stands for 'Secure'. HTTPS is an extension of HTTP that enables secure communication across a computer network and is broadly used on the internet. HTTPS = HTTP + cryptographic protocols. HTTPS also falls in the application layer of the internet protocol suite.
HTTPS is sometimes also called HTTP over TLS or HTTP over SSL. This is because it uses Transport Layer Security (TLS) or Secure Sockets Layer (SSL) as a sublayer to encrypt the communication. It uses an SSL certificate to create a secure connection between the browser and the server.
HTTPS provides bidirectional encryption between client and server, i.e. it encrypts and decrypts the browser's requests and the server's responses, which in turn protects against man-in-the-middle attacks, eavesdropping, and tampering with the messages.
So, HTTPS provides authentication of the accessed website and protects the privacy and integrity of data in transit during client-server communication. It assures secure communication.
You have probably noticed a padlock icon like the one below when you open a website in a browser such as Chrome, IE or any other.
This lock icon tells you that an HTTPS connection is in effect.
HTTPS initially came into use in the financial domain, for example in online payment transactions such as online banking and online shopping.
In recent times, however, it is being widely used on almost all types of websites, so that the authenticity of the web data is protected and the user's account and browsing information can be secured and kept private.
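To make the request-response model and the plaintext problem concrete, here is an added example (not code from the original article): it starts an in-process plain-HTTP server, sends a hand-written HTTP/1.1 request over a raw TCP socket, and returns the exact bytes that crossed the wire. The `/login` path, the `user` and `token` query parameters and the server's reply are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// RawExchange sends one hand-written HTTP/1.1 request to an in-process
// plain-HTTP server over a raw TCP socket and returns the exact bytes that
// crossed the wire in each direction. Nothing is encrypted, so anyone on
// the network path sees the same text the server sees.
func RawExchange() (request, response string, err error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Constructed handler: echoes the user name back, as a login page might.
		w.Header().Set("Content-Type", "text/plain")
		fmt.Fprintf(w, "welcome %s", r.URL.Query().Get("user"))
	}))
	defer srv.Close()

	host := strings.TrimPrefix(srv.URL, "http://") // e.g. 127.0.0.1:34567
	conn, err := net.Dial("tcp", host)
	if err != nil {
		return "", "", err
	}
	defer conn.Close()

	// Constructed request: a GET that carries a credential in the query string.
	request = "GET /login?user=alice&token=s3cret HTTP/1.1\r\n" +
		"Host: " + host + "\r\n" +
		"Connection: close\r\n\r\n"
	if _, err = io.WriteString(conn, request); err != nil {
		return "", "", err
	}
	// Connection: close makes the server close the socket after its reply,
	// so ReadAll returns the complete status line, headers and body.
	raw, err := io.ReadAll(conn)
	if err != nil {
		return "", "", err
	}
	return request, string(raw), nil
}

func main() {
	req, resp, err := RawExchange()
	fmt.Printf("client -> server:\n%s\nserver -> client:\n%s\nerr=%v\n", req, resp, err)
}
```

Both the request line (including the token in the URL) and the server's status line, headers and body come back as readable text, which is exactly what a passive observer on the path would capture.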
How HTTPS Works
As mentioned above, HTTPS uses either SSL or TLS to enable encryption. Both SSL and TLS are based on an asymmetric key algorithm in which we have two keys: a public key and a private key. The two keys are paired and function together.
The public key is distributed to clients or web browsers through a certificate, and the private key is kept on the web server of that specific website.
HTTPS encrypts every data exchange between the user's browser and the server, ensuring that no one can read anything in transit between the two.
Data is encrypted at the sender's end with a unique encryption key (random numbers) and an encryption algorithm. This encrypted data is known as ciphertext. At the other end, i.e. the receiver's end, the ciphertext is decrypted by reversing the encryption process and the original data is restored.
If both ends (browser and server) use the same encryption key, this is known as symmetric encryption; the best everyday example is home Wi-Fi, where the router and the laptop share the same password.
In asymmetric encryption, by contrast, the encrypting and decrypting keys are different; this is what is used in the initial handshake between web browser and server.
Websites using HTTPS have a unique digital certificate, which is purchased from a Certificate Authority (CA) such as GeoTrust or GoDaddy.
The whole HTTPS process can be divided into two major steps:
1) When a URL such as www.Yahoo.com is entered, Yahoo's server gives two things to the web browser: its 'certificate', signed by a Certificate Authority (let's suppose it is signed by VeriSign), and, very importantly, its 'public key' (for this explanation, treat it as a random number).
The web browser contains a list of public keys of the major registered Certificate Authorities. It decrypts the certificate's signature with the matching CA public key.
Only if that public key can decrypt the digitally signed certificate does the browser proceed to create a secure connection for data exchange, showing a green lock before the URL.
Otherwise, if no public key matches, the browser stops the connection and shows an untrusted-website symbol, a red cross, at the start of the URL. This whole process is known as the handshake process.
You have probably seen these green lock and red cross HTTPS symbols while browsing the internet.
Keep in mind that the private key and the public key are used jointly to encrypt and decrypt data. If one key (either public or private) is used for encryption, the other key is used for decryption. So, up to this step, asymmetric encryption is used.
Let us move to the next step in this process.
2) As mentioned above, when you go to www.Yahoo.com, Yahoo's server sends data encrypted with its public key, which can only be decrypted by the corresponding private key of Yahoo's server. This private key is never shared with the public, so it is almost impossible to decrypt the data without it.
Apart from the public key and the private key, the web browser creates a third key, called the session key. This session key is encrypted with the public key received from the server, and the encrypted session key is sent to Yahoo's server. The server obtains the session key by decrypting it with its private key.
Now the user and the server both hold the same session key. As long as the user's machine and the server remain in the same session, they continue to use symmetric encryption until the session ends, for example when the website is closed.
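The trust decision in step 1 (the "green lock" versus "red cross" outcome) can be reproduced with Go's standard library. This is an added example, not code from the original article: `httptest.NewTLSServer` generates a self-signed certificate, a first fetch with the system trust store is rejected because no known CA signed that certificate, and a second fetch succeeds once the certificate is placed in the client's own trust store. The handler body `"hello over TLS"` and the function names `fetch` and `TrustDemo` are constructed for the demonstration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// fetch performs an HTTPS GET that trusts only the CAs in roots. A nil pool
// means the system trust store, the equivalent of a browser's built-in CA list.
func fetch(url string, roots *x509.CertPool) (body string, tlsVersion uint16, err error) {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots},
	}}
	resp, err := client.Get(url)
	if err != nil {
		return "", 0, err // handshake aborted: the certificate is not trusted
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", 0, err
	}
	return string(b), resp.TLS.Version, nil
}

// TrustDemo starts an in-process HTTPS server with a self-signed certificate
// (generated by httptest), fetches once with the system trust store (the
// "red cross" case) and once with a store holding the server's certificate
// (the "green lock" case). It returns the outcome of both attempts.
func TrustDemo() (untrustedErr error, body string, tlsVersion uint16, trustedErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "hello over TLS") // constructed response body
	}))
	defer srv.Close()
	_, _, untrustedErr = fetch(srv.URL, nil)
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // the browser-side list of trusted CA keys
	body, tlsVersion, trustedErr = fetch(srv.URL, pool)
	return
}

func main() {
	u, body, v, t := TrustDemo()
	fmt.Println("untrusted CA:", u)
	fmt.Printf("trusted CA: body=%q TLS=%#x err=%v\n", body, v, t)
}
```

The first error is the programmatic form of the red cross: the handshake is abandoned before any request is sent. After the certificate is trusted, `resp.TLS.Version` reports the negotiated protocol (0x0303 for TLS 1.2, 0x0304 for TLS 1.3) under which the symmetric session keys of step 2 are then used.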
The Exact Differences – HTTP vs HTTPS
| HTTP | HTTPS |
|---|---|
| The HTTP URL starts with http:// and uses port 80 as its default port. | The HTTPS URL starts with https:// and uses port 443 as its default port. |
| HTTP is not secured and is susceptible to man-in-the-middle attacks and eavesdropping, which may lead to virus injection and leak sensitive information to attackers. | HTTPS is encrypted and secured. It resists such attacks and provides authentication, privacy, and security. |
| This protocol was invented by Sir Timothy John. | This protocol was invented by Netscape Corporation for its Navigator browser. |
| Does not use an SSL certificate for communication. | Uses an SSL certificate for communication. |
| Does not use data encryption. | Uses data encryption. |
| Suitable for information-consumption websites like blogs, forums, educational sites, entertainment, and articles. | The right fit for websites that collect private and sensitive information such as financial or other confidential data, for example payment gateways and shopping websites. |
| Addresses the need to exchange information over the internet. | Addresses the need to exchange confidential information over the insecure internet. |
| Faster than HTTPS because of its simplicity. It is a stateless protocol and does not recall anything of the preceding web session. | Slower than HTTP, because establishing a secure session takes some processing time. |
| Does not improve search ranking. | Improves search ranking. In 2014, Google began using HTTPS as a ranking signal. |
| Does not save referrer data; referral sources only appear as direct traffic. | Preserves referrer data, which makes Google Analytics more effective and is a big advantage for SEO. |
| Less trust with visitors, as they feel a risk of a security breach and that their sensitive information may be leaked. | Establishes trust with visitors, as they know that their sensitive information like credentials, browsing history, account details, etc. is not at risk of exposure. |
| AMP (Accelerated Mobile Pages) cannot be used with HTTP. | HTTPS gives you the benefit of using AMP. Having HTTPS is a must if you want to use Google AMP. |
The two images below illustrate the main differences between HTTP and HTTPS:
HTTP vs HTTPS Performance
In general, HTTP is faster than HTTPS because of its simplicity. HTTPS has an additional step, the SSL handshake, that HTTP does not. This additional step slightly delays the page load of the website.
However, the impact depends on several factors, such as the length of the session, the ratio of static to dynamic content, the caching behavior of the client, hardware, server software, etc.
For example, if the server serves heavy dynamic content, page load is unlikely to be noticeably slowed by HTTPS, because the time spent on the SSL handshake becomes insignificant compared to the time spent generating content. For mostly static content, on the other hand, the relative overhead is higher.
Very short sessions are also affected by the SSL handshake time. For long sessions, however, this cost is paid once at the beginning of the session and subsequent requests are faster.
Above all, the security benefits provided by HTTPS far outweigh the slight performance delays.
There are also several available ways to improve HTTPS performance:
- HTTP/2: With HTTP/2, HTTPS only gets faster, offsetting any performance overhead. The main benefits and features of HTTP/2 include multiplexing and concurrency, header compression, stream dependencies, and server push.
- Brotli compression: an open-source lossless compression algorithm introduced by Google. It reduces bandwidth consumption and helps content load faster.
- HPACK compression: based on Huffman encoding, it reduces header size by around 30%. HPACK is resistant to compression-based attacks and can encode large headers.
- OCSP (Online Certificate Status Protocol) stapling: a method to quickly validate an SSL certificate.
- CDN: a content delivery network can considerably reduce round-trip times and the overall cost of TCP and TLS handshakes.
There is a website, http://www.httpvshttps.com/, that runs an HTTP vs HTTPS test. I found that, for the same page, the HTTP version took 20.306 seconds to load and the HTTPS version took 7.630 seconds to load. I tried this in the Chrome browser.
Other testing platforms and visual comparison tools are also available that compare the load times of the HTTP and HTTPS versions of a page.
So, in this article, we covered the basics of HTTP and HTTPS and the differences between the two. While HTTP provides the basic protocol for data transfer between client and server, HTTPS adds a layer of security to HTTP that serves three main goals: privacy, integrity, and authentication.
Historically, HTTPS connections were used only for online financial transactions. In recent years, however, almost all types of websites have started using HTTPS to provide secure communication.
After all, the privacy and security of a user's sensitive information and browsing history cannot be compromised! Architecturally, HTTPS has the overhead of the SSL handshake and therefore may be slower than HTTP, but the security benefits it offers outweigh these slight delays in performance.
In fact, there are many ways to improve HTTPS performance, and these days HTTPS keeps getting faster.
We hope this article has enriched your knowledge of HTTP and HTTPS!