We interact with HTTP and HTTPS a lot in our day-to-day lives, but many people don't know the difference.
Most computer users just see that the browser is telling them the site is not safe and that a hacker might want to steal their important information. This leads to users running away faster than Usain Bolt's current record.
But this is avoidable. That is where HTTPS comes in and replaces HTTP. And we are going to discuss that today. :)
Here's What We'll Cover:
- What is HTTP?
- How HTTP works
- Features of HTTP
- How to know if a site is not secure
- Are all HTTP websites insecure?
- What is HTTPS?
- How HTTPS works
- Features of HTTPS
- How encryption works
- How to know if a site is secure
- What is an SSL certificate?
- How does SSL work?
- How can I get SSL for my website?
- Where can I get an SSL certificate?
- Can I get an SSL certificate for free?
- The main differences between HTTPS and HTTP
What is HTTP?
Hypertext Transfer Protocol, or HTTP, is a communication method between your browser and the site you want to visit (the web server).
This allows you to get the information that you need from the server on your browser.
A good way to understand HTTP and HTTPS is by using an analogy. We know that browsers and servers communicate using HTTP, and HTTP is plain text. Many people around the world speak English. If an attacker who knows English is sitting anywhere on the path between you and the server (the coffee-shop Wi-Fi, a compromised router, your ISP), they can read any password you type, word for word.
Here in Kenya, in my mother tongue, we speak Turkana. If you don't speak the language and you come to Kenya and find two Turkanas speaking, you will not understand what they are saying.
That's the beauty of HTTPS. The communication between the browser and the server is encrypted, so an attacker watching the traffic sees only gibberish and cannot read or quietly alter it.
If I was to go to http://www.google.com, I would expect to see Google's default page.
The client, which in most cases is the web browser, sends a message which in computer terms is a request. Then the server will give back an answer, which is the response.
HTTP is very useful in sending HTML documents as well as images and videos to the web browser for the user to see. It is also used to send data to the server in HTML forms.
How HTTP Works
HTTP sends data as plain text. For example, if you were to access your bank's web page over HTTP, anyone on the network path between you and the bank could read every request you send, including your login form, and could also change the page before it reaches you.
This is where HTTPS comes in. Most companies have moved to HTTPS so that their users can send data securely. We'll discuss this further below.
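To make the "plain text" point concrete, here is an added example (not code from the original article) that builds a login POST the way a browser would, parses a constructed server response, and then shows what an on-path observer gets by reading nothing but the raw bytes. The host `bank.example`, the credentials and the response body are all made up for illustration.

```python
"""Added example: an HTTP/1.1 exchange as it appears on the wire.

Everything below is constructed for illustration: the host, the form
fields and the server response are not from any real site.
"""
from urllib.parse import urlencode, parse_qs


def build_request(method, host, path, form=None):
    """Serialize a request exactly as a browser would send it over TCP."""
    body = urlencode(form).encode() if form else b""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}", "Connection: close"]
    if body:
        lines.append("Content-Type: application/x-www-form-urlencoded")
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def parse_response(raw):
    """Split a raw response into (status, reason, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    _version, status, reason = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return int(status), reason, headers, body[:length]


def sniff_form_fields(raw):
    """What a passive observer on the path recovers from the raw request bytes.

    No key, no cleverness: the form body is right there after the headers.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    if b"application/x-www-form-urlencoded" not in head:
        return {}
    return {name: values[0] for name, values in parse_qs(body.decode()).items()}


# A constructed 200 response; the body is 25 bytes long.
CONSTRUCTED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 25\r\n"
    b"\r\n"
    b"<h1>Welcome, alice!</h1>\n"
)

if __name__ == "__main__":
    request = build_request("POST", "bank.example", "/login",
                            {"user": "alice", "password": "hunter2"})
    print(request.decode())
    print("observer sees:", sniff_form_fields(request))
    print(parse_response(CONSTRUCTED_RESPONSE)[:2])
```

The same bytes travel over an HTTPS connection too; the difference is that they are wrapped in TLS before they hit the socket, so `sniff_form_fields` would have nothing readable to parse.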
Features of HTTP
Plain text. When HTTP was first developed, its designers had one thing in mind: serving text documents. Today HTTP is used for far more than that, but the request and response are still plain text.
Layer 7 protocol. HTTP is a layer 7 protocol in the OSI model of networking. Layer 7 is the application layer, the top-most layer in the OSI model. The other layers are the physical, data link, network, transport, session, and presentation layers. To learn more about the OSI model, you can check out this free video on freeCodeCamp's YouTube channel by Brian Ferrill about how the internet works: Computer Networking Course - Network Engineering [CompTIA Network+ Exam Prep]
Insecure. HTTP requests are sent as plain text, and responses come back as plain text. This means that anyone who can see the traffic can read it, and anyone who can intercept it can modify it.
Lightweight. HTTP is very lightweight. There is no handshake and no encryption of the data, so it is marginally faster than HTTPS (on modern hardware the difference is small).
HTTP usually listens on port 80.
How to Know if a Site is Not Secure
When a site is served over plain HTTP, Chrome marks it in the address bar with
Not Secure (in red when you type into a form on the page).
A different warning, the full-page
Your connection is not private
appears when a site does use HTTPS but its certificate fails validation: it has expired, was issued for a different domain name, or comes from an issuer the browser does not trust.
Are All HTTP Websites Insecure?
Well, let's look at an example. Imagine you are browsing a meme website, laughing at each one as you scroll by. If it is using HTTP, the damage is limited: nobody learns a secret by watching you (although an attacker on the path could still inject their own content into the page).
You get bored and decide to go to your bank's site to access your account on your browser. If the site is not using HTTPS, you might as well be serving your account details to a hacker on a silver plate.
So the bottom line is, if you're browsing inconsequential information, HTTP is tolerable. But if you are dealing with sensitive information, HTTP isn't enough.
What is HTTPS?
Hypertext Transfer Protocol Secure, or HTTPS, is plain HTTP carried inside an encrypted TLS connection, so that communication between your browser and the site you want to visit (the web server) happens SECURELY.
How HTTPS Works
HTTPS makes a secure connection by wrapping HTTP in TLS (Transport Layer Security), a protocol that encrypts and authenticates your data.
To serve HTTPS, a website needs a certificate. You will hear it called an "SSL certificate" or a "TLS certificate"; these are the same thing.
SSL (Secure Sockets Layer) was the predecessor of TLS and has been deprecated for years, but the name stuck. The certificate itself is an X.509 certificate that does not care which protocol version is used, so there is no separate "TLS certificate" to buy: any certificate you get today works with TLS.
Features of HTTPS
- Encrypts data. Data encryption happens through the TLS protocol (formerly SSL).
- HTTPS is still an application layer (layer 7) protocol. TLS sits underneath it, between HTTP and the transport layer (layer 4, TCP).
- A key exchange happens at the start of every HTTPS connection: the server presents its public key inside its certificate, and the two sides agree on a fresh session key for encrypting and decrypting data. The server's private key never leaves the server.
- Compared to HTTP, it is heavier. The handshake adds a round trip, and every byte is encrypted and decrypted.
- HTTPS listens on port 443.
How Encryption Works
Let's say I type "I am a dev". This text gets encrypted in my browser when I click send, travels as ciphertext, and gets decrypted on the server side.
The same is true in the other direction. A response from the server is encrypted before it leaves the server and decrypted in the client.
How to Know if a Site is Secure
To know that a site is secure, you usually look at the URL bar where you can see a lock. The lock means two things: the connection from the client to the server is encrypted, and the server proved it holds a certificate for the exact domain name shown in the address bar.
When you click on the lock icon, it tells you more about the secure connection, including who issued the certificate and for which names. Note what the lock does not say: it does not vouch for the site being honest. A phishing site at a lookalike domain can get a perfectly valid certificate for its own name and show the same lock.
What is an SSL Certificate?
An SSL certificate is a small file that tells browsers that your website, for example freecodecamp.org, is who it says it is.
To authenticate the server, the certificate lets the client (the user's browser) confirm that the server it is connecting to is the one that controls that domain name. This protects the user from attacks such as domain spoofing, where an attacker answers for a domain they do not own.
It contains the server's public key and the domain name(s) it is valid for, and it is signed by a certificate authority. Without a certificate, the browser has nothing to verify the server's identity against, so the TLS connection cannot be established safely.
You can create your own certificate (known as a self-signed certificate) if you are the website owner. The problem with this approach is that browsers like Chrome don't trust these certificates, because no trusted authority has confirmed that you control the domain. They only trust certificates that chain to a certificate authority in their trust store.
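The domain-name check is the part of certificate validation that users feel most directly, so here is an added example (not part of the original article) of the matching rule a browser applies before it shows the lock. The certificate dictionaries follow the shape Python's `ssl.getpeercert()` returns for a verified peer, but the certificates themselves are constructed: `bank.example` and `bank-example.com` are made-up names used only to illustrate the point.

```python
"""Added example: does this certificate cover the hostname in the address bar?

The certificate dictionaries mirror the layout of ssl.getpeercert(); the
certificates are constructed for illustration and belong to no real site.
"""


def _dns_names(cert):
    """Names the certificate is valid for: subjectAltName DNS entries."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        # Legacy fallback to the subject commonName; modern browsers no
        # longer accept a certificate that has no subjectAltName at all.
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def _name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, wildcard only as the
    entire left-most label, and a wildcard matches exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False          # "*.com" or "w*.example" are not allowed
    if len(p_labels) != len(h_labels):
        return False          # "*.bank.example" must not cover "a.b.bank.example"
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if any name in the certificate covers the hostname typed by the user."""
    hostname = hostname.rstrip(".")
    return any(_name_matches(name, hostname) for name in _dns_names(cert))


# Constructed certificate data (not real certificates).
BANK_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example")),
}
LOOKALIKE_CERT = {
    "subject": ((("commonName", "bank-example.com"),),),
    "subjectAltName": (("DNS", "bank-example.com"),),
}

if __name__ == "__main__":
    for host in ("bank.example", "www.bank.example", "login.www.bank.example"):
        print(host, hostname_matches(BANK_CERT, host))
    # The lookalike domain passes with its own certificate: the lock proves
    # control of the name shown, not that the site is the bank you meant.
    print("bank-example.com", hostname_matches(LOOKALIKE_CERT, "bank-example.com"))
```

In a real connection this check runs alongside chain-of-trust verification (the issuer must be in the browser's trust store) and expiry checks; `ssl.create_default_context()` in Python, like a browser, does all three before it hands you the socket.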
How Does SSL Encryption Work?
TLS uses two kinds of encryption, asymmetric and symmetric. It is the combination of the two that makes TLS work. Let's look at them below to learn more.
What is asymmetric encryption?
In Asymmetric encryption, you have two keys. These are:
- Public key.
- Private key.
The server gives its public key to the client/user/browser (it is inside the certificate). The browser then encrypts data with that public key, and only the server's private key can decrypt it.
The private key exists only on that particular server. No one else has it, and it is never sent over the network. This is what makes asymmetric encryption useful for establishing trust: anyone can encrypt to the server using the public key, but only the holder of the private key can read the result, and nobody can derive the private key from the public one.
This is also why the keys are large: RSA keys are 2048 bits or more today (1024-bit keys are considered too weak and are no longer issued by certificate authorities).
What is symmetric encryption?
In symmetric encryption, it's very simple. You have one key, and that's it. The client uses the key to encrypt, and the server uses the same key to decrypt (and the other way round).
Symmetric encryption is very lightweight and fast, and its keys are short: 128 or 256 bits. The smaller number does not mean it is weaker; a 128-bit AES key is at least as hard to break as a 2048-bit RSA key, because the two kinds of key are attacked in completely different ways. The catch is that both sides must already share the key, which is exactly the problem asymmetric encryption solves. When we use TLS, we combine asymmetric and symmetric encryption to get the best of both.
How asymmetric + symmetric encryption work
Combining asymmetric and symmetric encryption gives us a two-layer defence. Here is the classic (RSA key transport) version of the handshake that the article describes.
In the first step, the server sends the browser its public key, inside its certificate. As we now know, the server has a key pair, public and private, and only the public half is sent.
After this, the browser generates a session key.
Symmetric encryption uses a single key for both the client and the server. So the browser generates a local session key, which is a symmetric key. It then encrypts that session key with the server's public key from the first step and sends the result to the server.
The server uses its private key to decrypt the encrypted session key it has received. Only the holder of the private key can do this, so an eavesdropper who saw the whole exchange still does not learn the session key.
Now that both sides hold the same session key, the server and the browser use it for all further communication. The session key is only used for that specific session.
Let's say you close your browser and sign in again the next day: everything starts all over again and a new session key is created. (Modern TLS 1.3 keeps this hybrid idea but no longer encrypts the session key with the server's public key; the two sides derive it with an ephemeral Diffie-Hellman exchange, so even a server key stolen later cannot decrypt recorded traffic.)
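Here is the handshake just described, plus the encrypt-on-send / decrypt-on-receive flow from the "How Encryption Works" section above, as an added runnable example that is not part of the original article. It uses textbook RSA over a deliberately tiny 92-bit modulus (two well-known Mersenne primes) for the asymmetric step and an HMAC-based keystream with an integrity tag for the symmetric step. Both primitives are toys chosen so the example runs from the standard library alone; a real TLS stack uses 2048-bit-plus RSA or elliptic curves with proper padding, and an AEAD cipher such as AES-GCM or ChaCha20-Poly1305. The key sizes, the `run_session` helper and the plaintext are all made up for illustration.

```python
"""Added example: RSA key transport + symmetric session encryption.

Toy parameters only. Textbook RSA without padding and a hand-rolled
stream cipher are NOT safe for real use; they are here to show the flow.
"""
import hashlib
import hmac
import math
import secrets

# --- Asymmetric part: the server's long-lived key pair (toy sizes) ---
P, Q = 2 ** 31 - 1, 2 ** 61 - 1      # two known Mersenne primes -> ~92-bit modulus
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
assert math.gcd(E, PHI) == 1
D = pow(E, -1, PHI)                   # private exponent (needs Python 3.8+)
SERVER_PUBLIC_KEY = (N, E)            # what the certificate carries
SERVER_PRIVATE_KEY = (N, D)           # never leaves the server


def rsa_encrypt(public_key, m):
    n, e = public_key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def rsa_decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)


# --- Symmetric part: keystream XOR, then an HMAC tag over the ciphertext ---
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def sym_encrypt(key, plaintext):
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def sym_decrypt(key, message):
    nonce, ct, tag = message[:12], message[12:-32], message[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext was modified in transit")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# --- The handshake ---
def client_hello(server_public_key):
    """Browser side: make a fresh session key and seal it to the server's public key."""
    session_key = secrets.token_bytes(8)        # toy size; real keys are 128/256 bits
    sealed = rsa_encrypt(server_public_key, int.from_bytes(session_key, "big"))
    return session_key, sealed


def server_accept(server_private_key, sealed):
    """Server side: recover the session key; only the private key can do this."""
    return rsa_decrypt(server_private_key, sealed).to_bytes(8, "big")


def run_session(plaintext):
    """Full flow: handshake, then one encrypted message from browser to server.

    Returns (keys_agree, bytes_on_the_wire, what_the_server_decrypted).
    """
    client_key, sealed = client_hello(SERVER_PUBLIC_KEY)
    server_key = server_accept(SERVER_PRIVATE_KEY, sealed)
    wire = sym_encrypt(client_key, plaintext)
    return server_key == client_key, wire, sym_decrypt(server_key, wire)


if __name__ == "__main__":
    agreed, wire, recovered = run_session(b"I am a dev")
    print("session key agreed:", agreed)
    print("on the wire:", wire.hex())
    print("server reads:", recovered)
```

The integrity tag is what makes "your data is protected" mean more than "nobody can read it": flip one byte of `wire` and `sym_decrypt` refuses it instead of handing the server corrupted data. An eavesdropper who records the handshake gets `sealed` and `wire`, and without `D` neither one is of any use to them.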
How Can I Get SSL for My Website?
If you are a website owner, you can acquire a certificate from a certificate authority after proving that you control the domain (usually by serving a file or DNS record the authority asks for).
You will then need to install the certificate, together with its private key, on the web server where your website is hosted, and configure the server to redirect plain HTTP to HTTPS. Most of the time, the hosting company where you host your website handles this process for you.
Where Can I Get an SSL Certificate?
There are organizations that issue certificates. These organizations are called certificate authorities (CAs). Some of these certificate authorities include DigiCert, Comodo (now Sectigo), and many others.
Many developers get certificates from these organizations. Browsers trust their certificates because the CAs' root certificates ship in the browsers' and operating systems' trust stores.
Can I Get an SSL Certificate for Free?
Yes. Cloudflare offers free certificates for sites that route their traffic through it, and it was one of the first internet security companies to do so. Let's Encrypt, a free and automated certificate authority, issues certificates that you install on your own server, and it is now the most common way to get one.
If you want to get one, you can check the details on Cloudflare's site or at letsencrypt.org.
What is HTTPS Used For?
HTTPS helps a lot with security. Without it, passing sensitive information becomes a big problem, especially if your business requires a secure way of communicating with its users.
Sites that accept online payments, like e-commerce sites, require HTTPS. This is to keep information such as credit card details and login credentials from being stolen in transit (Source: Tony Messer).
The Main Differences between HTTPS and HTTP
- The encryption layer (TLS) is present in HTTPS, while there is no encryption layer in HTTP.
- Your data is protected from eavesdropping and tampering in transit with HTTPS, while in HTTP it is not.
- Your ranking is boosted in Google when you use HTTPS, while with HTTP you don't get any ranking boost.
- With HTTPS the browser verifies that it is talking to the real owner of the domain in the address bar, so an attacker on the network cannot impersonate the site; HTTP offers no such check. Note that HTTPS does not stop phishing by itself: a lookalike domain can have its own valid certificate.
- Encrypting cardholder data in transit, which HTTPS provides, is one of the requirements of the payment card industry's standard (PCI DSS); HTTP fails that requirement outright.
- The first request over HTTPS may be slightly slower than over HTTP because of the TLS handshake.
- Getting certificates can cost money (though free ones are available), while there are no certificate costs with HTTP.
- Using HTTPS keeps you on good terms with Google Chrome. Chrome flags HTTP, so with HTTP you will always be getting "Not Secure" notifications.
HTTP and HTTPS are very important in our day-to-day lives as developers. The communication between the browser and the server is what fuels much of the work we do.
By protecting your users' data as much as you're able so their information doesn't get stolen, you'll gain their trust and provide a better user experience.
See you soon.