HTTP vs HTTPS – The Myths and the Facts
Following recent social media and online discussion about the use of Hypertext Transfer Protocol Secure (HTTPS), and the evident misunderstanding and misuse of the protocol in some of the web links submitted to us, we have found it necessary to put up this write-up in the hope that it will aid proper understanding, appreciation and use of HTTPS. When https is used wrongly, your web link will not open, which defeats the very purpose a web link is meant to serve: to bring valuable customers and prospects to your website.
What is http?
The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web. Hypertext is structured text that uses logical links (hyperlinks) between nodes containing text. In other words, Hypertext Transfer Protocol (HTTP) is the underlying protocol used by the World Wide Web to define how messages are formatted and transmitted. It can also be viewed as the set of rules for transferring files (text, graphic images, sound, video, and other multimedia files) on the World Wide Web.
What is https?
HTTPS, which stands for Hypertext Transfer Protocol Secure, makes it more difficult for hackers and others to track users, because the data is not transmitted in plain text, which is much easier to eavesdrop on.
HTTPS is the secure version of HTTP, the protocol over which data is sent between your browser and the website you are connected to. The 'S' at the end stands for 'Secure': all communications between your browser and the website are encrypted. HTTPS is often used to protect highly confidential online transactions such as online banking and online shopping order forms.
Web browsers such as Internet Explorer, Firefox and Chrome also display a padlock icon in the address bar to visually indicate that an HTTPS connection is in effect.
How Does HTTPS Work?
HTTPS pages use one of two protocols to encrypt communications: SSL (Secure Sockets Layer) or TLS (Transport Layer Security). In practice only TLS is in current use; the SSL versions are obsolete and modern browsers no longer accept them. Both protocols rely on what is known as an 'asymmetric' Public Key Infrastructure (PKI) system. An asymmetric system uses two 'keys' to encrypt communications, a 'public' key and a 'private' key. Anything encrypted with the public key can only be decrypted with the private key, and vice versa.
As the names suggest, the 'private' key must be kept strictly protected and should be accessible only to its owner. In the case of a website, the private key remains securely ensconced on the web server. Conversely, the public key is intended to be distributed to anybody and everybody who needs to be able to decrypt information that was encrypted with the private key.
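As an added illustration (not part of the original write-up), here are the two directions described above written in Go's standard library: a message sealed with the site's public key can be opened only with the site's private key, and a signature made with a private key can be checked by anyone holding the public key, which is the direction a certificate authority uses to vouch for a certificate and a browser uses to check that vouching. The site's key pair, the stranger's key pair and the order text are all constructed for the demo.

```go
package main

// Added example (Go), not code from the write-up: the two directions in which an asymmetric
// key pair is used. The site's key pair, a stranger's key pair and the order text are all
// constructed here for the demonstration.

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Seal encrypts msg with a public key so that only the matching private key can read it:
// the direction in which a browser sends a secret toward the web server.
func Seal(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Open decrypts with the private key, which stays on the server.
func Open(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Sign is the "vice versa" direction: only the private key can produce the signature and
// anyone holding the public key can check it, which is how a certificate authority vouches
// for a certificate and how a browser checks that vouching.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify reports whether sig was made over msg by the private key that matches pub.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Outcome of running both directions with the right key and with a stranger's key.
type Outcome struct {
	RoundTrip     bool // sealed with the site's public key, opened with its private key
	StrangerOpens bool // a different private key can read the sealed data (must be false)
	GenuineChecks bool // the site's signature passes against the site's public key
	ForgeryChecks bool // a stranger's signature passes as the site's (must be false)
}

func Demo() (Outcome, error) {
	var out Outcome
	site, err := rsa.GenerateKey(rand.Reader, 2048) // the web server's key pair
	if err != nil {
		return out, err
	}
	stranger, err := rsa.GenerateKey(rand.Reader, 2048) // anybody else's key pair
	if err != nil {
		return out, err
	}
	msg := []byte("order 1234: card ending 1111") // constructed order-form data

	sealed, err := Seal(&site.PublicKey, msg)
	if err != nil {
		return out, err
	}
	opened, err := Open(site, sealed)
	out.RoundTrip = err == nil && bytes.Equal(opened, msg)
	_, err = Open(stranger, sealed)
	out.StrangerOpens = err == nil

	genuine, err := Sign(site, msg)
	if err != nil {
		return out, err
	}
	forged, err := Sign(stranger, msg)
	if err != nil {
		return out, err
	}
	out.GenuineChecks = Verify(&site.PublicKey, msg, genuine)
	out.ForgeryChecks = Verify(&site.PublicKey, msg, forged)
	return out, nil
}

func main() {
	fmt.Println(Demo()) // {true false true false} <nil>
}
```

In a real HTTPS session the asymmetric keys are used only at the start, to authenticate the server and agree on the shared secrets the next section mentions; the page data itself is then encrypted with symmetric keys derived from those secrets, which is far faster than sealing every byte with RSA.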
What is an HTTPS certificate?
When you request an HTTPS connection to a webpage, the website first sends its SSL certificate to your browser. This certificate contains the public key needed to begin the secure session. Based on this initial exchange, your browser and the website then perform the 'SSL handshake', which involves the generation of shared secrets to establish a unique, secure connection between you and the website.
When a trusted SSL digital certificate is used during an HTTPS connection, users see a padlock icon in the browser address bar. When an Extended Validation Certificate is installed on a website, the address bar turns green.
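The exchange described above, as an added example that is not part of the original write-up: a small Go program opens an https:// link against two local test servers, reads the certificate the server sends at the start of the handshake, and shows what happens when the certificate comes from an authority the client does not trust, and when https:// is put in front of a site that only speaks HTTP (the mistake the introduction describes). The server addresses, the "order form" page and the trust decision are all constructed here; nothing touches the public internet.

```go
package main

// Added example (Go), not code from the write-up: what a browser goes through when it opens
// an https:// link, run against two local test servers, one that speaks HTTPS with a
// self-signed test certificate and one that only speaks plain HTTP (the "wrongly used https"
// case from the introduction). The "order form" page content is made up.

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

var page = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, "order form")
})

// Sites starts an HTTPS site and a plain HTTP site on the loopback interface.
func Sites() (secure, plain *httptest.Server) {
	return httptest.NewTLSServer(page), httptest.NewServer(page)
}

// WrongScheme is the mistake from the introduction: an https:// link to a site that only speaks HTTP.
func WrongScheme(plain *httptest.Server) string {
	return "https" + strings.TrimPrefix(plain.URL, "http")
}

// Handshake is what the client learned about the site while connecting over HTTPS.
type Handshake struct {
	Version, Cipher string // negotiated protocol version and cipher suite
	Subject         string // who the certificate says the server is
	KeyAlgorithm    string // type of the public key inside the certificate
}

// Visit fetches url the way a browser would. root is the one certificate the client trusts
// (a browser ships a whole list); with root == nil it trusts nothing, which is the position
// a browser is in when a site's certificate is self-signed or from an unknown authority.
func Visit(url string, root *x509.Certificate) (Handshake, error) {
	roots := x509.NewCertPool()
	if root != nil {
		roots.AddCert(root)
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}}}
	resp, err := client.Get(url)
	if err != nil {
		return Handshake{}, err // a browser shows its warning page here
	}
	defer resp.Body.Close()
	if resp.TLS == nil { // an http:// link: it opened, but nothing was encrypted
		return Handshake{}, nil
	}
	cert := resp.TLS.PeerCertificates[0] // sent by the server at the start of the handshake
	versions := map[uint16]string{tls.VersionTLS12: "TLS 1.2", tls.VersionTLS13: "TLS 1.3"}
	return Handshake{
		Version: versions[resp.TLS.Version], Cipher: tls.CipherSuiteName(resp.TLS.CipherSuite),
		Subject: cert.Subject.String(), KeyAlgorithm: cert.PublicKeyAlgorithm.String(),
	}, nil
}

func main() {
	secure, plain := Sites()
	defer secure.Close()
	defer plain.Close()
	fmt.Println(Visit(secure.URL, secure.Certificate())) // padlock: trusted certificate
	fmt.Println(Visit(secure.URL, nil))                  // warning: unknown authority
	fmt.Println(Visit(WrongScheme(plain), nil))          // the link does not open at all
}
```

The three calls in main correspond to the three outcomes a visitor can meet: the padlock (certificate chains to a trusted authority), the warning page (it does not), and a link that simply fails because the server on the other end never speaks TLS at all. Only the first of these is what a customer following your link should ever see.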
Why Is an SSL Certificate Required?
All communications sent over regular HTTP connections are in 'plain text' and can be read by any hacker who manages to break into the connection between your browser and the website. This presents a clear danger if the 'communication' is an order form containing your credit card details or social security number. With an HTTPS connection, all communications are securely encrypted, so even if somebody managed to break into the connection, they would not be able to decrypt any of the data that passes between you and the website.
Benefits of HTTP over HTTPS
- Connectionless
One advantage of HTTP is that it is connectionless. In other words, a constant connection is not required when using HTTP in web-based applications, which is what lets you browse online at greater speed.
- No history
This is probably the main perk of using HTTP, not to mention that it is stateless. In simple terms, when an HTTP client establishes communication with a server, no history is retained once the request has been completed.
Benefits of HTTPS over HTTP
The major benefit of sending data via HTTPS is that it assures the end user that the content delivered came from the stated source and has not been tampered with in any way.
The web pages you are viewing and what you are doing on them are not visible to anyone sniffing network traffic, as everything is encrypted via HTTPS.
Protection matters when it comes to handling money transfers, as with online banking or e-commerce sites: you definitely do not want anyone malicious to capture a command, send another copy of it and make the transfer happen twice. Customer information, such as credit card numbers, is encrypted and cannot be intercepted. When it comes down to it, without HTTPS a user is vulnerable to the issues mentioned above, such as attacks and tracking. Once a user has been hacked, even just once, they remain susceptible for good, or until they have reformatted and restored their device.
Other benefits of HTTPS are:
- Visitors can verify you are a registered business and that you own the domain
- Customers are more likely to trust and complete purchases from sites that use HTTPS
How to set up HTTPS
To prepare a web server to accept HTTPS connections, the administrator must create a public key certificate for the web server. This certificate must be signed by a trusted certificate authority for the web browser to accept it without warning. The authority certifies that the certificate holder is the operator of the web server that presents it. Web browsers are generally distributed with a list of signing certificates of major certificate authorities so that they can verify certificates signed by them.
Authoritatively signed certificates may be free or cost between N1,600 and N14,000 per year. Organizations may also run their own certificate authority, particularly if they are responsible for setting up the browsers that access their own sites (for example, sites on a company intranet or at major universities). They can simply add copies of their own signing certificate to the trusted certificates distributed with the browser.
There is also a peer-to-peer certificate authority, CAcert. However, it is not included in the trusted root certificates of many popular browsers (e.g. Firefox, Chrome, Internet Explorer), which may cause warning messages to be displayed to end users.
An upcoming certificate authority, Let's Encrypt, provides free, automated SSL/TLS certificates to websites. According to the Electronic Frontier Foundation, Let's Encrypt makes switching from HTTP to HTTPS "as easy as issuing one command, or clicking one button." (Wikipedia)
Use as access control
The system can also be used for client authentication, in order to limit access to a web server to authorized users. To do this, the site administrator typically creates a certificate for each user, which is loaded into that user's browser. Normally, the certificate contains the name and e-mail address of the authorized user and is automatically checked by the server on each reconnect to verify the user's identity, potentially without a password even being entered.
In case of compromised secret (private) key
A certificate may be revoked before it expires, for example because the secrecy of the private key has been compromised. Newer versions of popular browsers such as Google Chrome, Firefox, Opera, and Internet Explorer on Windows Vista implement the Online Certificate Status Protocol (OCSP) to check that this has not happened. The browser sends the certificate's serial number to the certificate authority or its delegate via OCSP, and the authority responds, telling the browser whether or not the certificate is still valid.
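An added example (not the page's own code) that covers the last three sections together: an organization's own certificate authority, written in Go, issues a certificate to a user, runs the check a web server performs on a presented user certificate, then revokes the certificate by serial number and publishes a signed certificate revocation list (CRL). The revocation lookup is done against a CRL rather than over OCSP, since that needs no network; the question asked of it, "is this serial number still valid?", is the same one the browser asks. 'Example Private CA', 'alice' and alice@example.com are made-up names, and the code assumes Go 1.19 or later.

```go
package main

// Added example (Go), not code from the write-up: a private certificate authority of the kind
// an organization may run for its own sites. It issues a certificate to a user, runs the check a
// web server makes on that certificate, then revokes it and publishes a signed revocation list.
// "Example Private CA", alice and alice@example.com are made-up names.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a key pair and a certificate for tmpl signed by parentKey; a nil parent means
// the certificate signs itself, which is how the root CA is made.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// AcceptUser is the check a web server makes when a browser presents a user certificate: it must
// chain to our root, be inside its validity period and be meant for client authentication.
// It returns the identity the certificate carries, so no password needs to be asked for.
func AcceptUser(cert *x509.Certificate, roots *x509.CertPool) (string, error) {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s <%s>", cert.Subject.CommonName, cert.EmailAddresses[0]), nil
}

// IsRevoked answers from a CA-signed CRL what a browser asks the CA over OCSP: is this serial listed?
func IsRevoked(crlDER []byte, ca *x509.Certificate, serial *big.Int) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, err // a list the CA did not sign proves nothing
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func RunDemo() (user string, revoked bool, err error) {
	now := time.Now()
	ca, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Private CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	if err != nil {
		return "", false, err
	}
	// The certificate the administrator loads into alice's browser: name and e-mail inside.
	cert, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "alice"},
		EmailAddresses: []string{"alice@example.com"}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(30 * 24 * time.Hour),
	}, ca, caKey)
	if err != nil {
		return "", false, err
	}
	roots := x509.NewCertPool() // the server's copy of the organization's own root
	roots.AddCert(ca)
	if user, err = AcceptUser(cert, roots); err != nil {
		return "", false, err
	}
	// Alice reports her private key stolen: the CA publishes a CRL listing serial 42.
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: cert.SerialNumber, RevocationTime: now}},
	}, ca, caKey)
	if err != nil {
		return "", false, err
	}
	revoked, err = IsRevoked(crlDER, ca, cert.SerialNumber)
	return user, revoked, err
}

func main() {
	fmt.Println(RunDemo()) // alice <alice@example.com> true <nil>
}
```

Two details matter for the defender: the revocation list is only trusted after its signature is checked against the CA, since an unsigned list could be forged to un-revoke a stolen key, and the lookup is by serial number, which is exactly what the browser sends in an OCSP request. The code reads the CRL's RevokedCertificates field, which newer Go releases mark as deprecated in favour of RevokedCertificateEntries but still populate, so it builds on Go 1.19 and later.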
So, before you add that “s” to your “http” website, ensure you have met all the conditions for using “https”.
See you online!