Tech Factfile 02: HTTP vs HTTPS
HTTP stands for Hypertext Transfer Protocol. It is a prescribed order and syntax for transferring data such as website content and API calls. HTTPS stands for Hypertext Transfer Protocol Secure.
HTTP requests and responses are not secured. HTTP requests are generated by the client browser as the user interacts with web properties, for instance when the user clicks on a hyperlink. The browser sends a series of ‘HTTP GET’ requests in order to receive a response generated by the server.
A typical HTTP request looks like this:
GET /hello.txt HTTP/1.1
User-Agent: curl/7.63.0 libcurl/7.63.0 OpenSSL/1.1.l zlib/1.2.11
Host: www.example.com
Accept-Language: en
------------------------------------------------
The problem is that this information flows across the internet in plaintext, exactly as shown above, and anyone monitoring the session can easily read it. This is especially an issue when users submit sensitive data such as passwords, credit card numbers or form input data via a website or a web application.
When an origin server or proxy caching server receives an HTTP request, it sends back a similar response:
HTTP/1.1 200 OK
Date: Wed, 30 Jan 2019 12:14:39 GMT
Server: Apache
Last-Modified: Mon, 28 Jan 2019 11:17:01 GMT
Accept-Ranges: bytes
Content-Length: 12
Vary: Accept-Encoding
Content-Type: text/plain
Hello World!
-------------------------------------------------
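To make the plaintext problem concrete, here is an added example (not part of the original factfile) that parses a captured HTTP/1.1 message in the format shown above and reports which sensitive fields an observer on the path would be able to read. The login request it inspects is a constructed sample, not a real capture.

```python
# Added example: parse a captured plaintext HTTP message and flag sensitive
# data that anyone monitoring the session could read. The sample capture
# below is constructed for illustration.
from __future__ import annotations

SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "proxy-authorization"}
SENSITIVE_FORM_FIELDS = {"password", "passwd", "card_number", "cvv", "ssn"}


def parse_http_message(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 message into start line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"start_line": lines[0], "headers": headers, "body": body}


def find_exposed_secrets(raw: bytes) -> list[str]:
    """Return findings describing sensitive values visible in the plaintext message."""
    msg = parse_http_message(raw)
    findings = []
    for name in sorted(SENSITIVE_HEADERS & msg["headers"].keys()):
        findings.append(f"header '{name}' sent in clear")
    content_type = msg["headers"].get("content-type", "")
    if content_type.startswith("application/x-www-form-urlencoded"):
        for field in msg["body"].decode("iso-8859-1").split("&"):
            key = field.split("=", 1)[0].lower()
            if key in SENSITIVE_FORM_FIELDS:
                findings.append(f"form field '{key}' sent in clear")
    return findings


# Constructed sample: a login form POST captured from an unencrypted HTTP session.
CAPTURED_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: curl/7.63.0\r\n"
    b"Cookie: session=abc123\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 31\r\n"
    b"\r\n"
    b"username=alice&password=hunter2"
)

if __name__ == "__main__":
    for finding in find_exposed_secrets(CAPTURED_LOGIN):
        print(finding)
```

Run against the GET request shown earlier the function reports nothing sensitive, but every header is still fully readable; over HTTPS the whole message, start line included, is encrypted.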
HTTPS remedies this by using a Transport Layer Security / Secure Sockets Layer (TLS/SSL) certificate, which creates a secure encrypted link between the server and the browser. As a result, HTTPS is far more secure than HTTP.
In HTTPS, TLS/SSL uses a technology called public key encryption. When a user starts a connection between the browser and the server, the two keys (the public and private key belonging to the server’s SSL certificate) are used to establish new keys called session keys, which encrypt all further communication between the two devices. As such, anyone who intercepts the communication sees only a random-looking string of characters.
HTTPS, in addition, performs explicit authentication of the server’s identity using its private key. When a user opens a channel with an origin server (navigates to a website), possession of the private key that matches the public key in the website’s SSL certificate proves that the server is actually the legitimate host of the website. This helps block attacks such as on-path attacks, DNS hijacking, BGP hijacking and domain spoofing.
Thanks for sharing. Good job.
Can we get in touch?