HTTP, HTTPS, SSL and TLS Explained

HTTP stands for Hypertext Transfer Protocol and this is probably the most widely used protocol in the world today. HTTP is the protocol that is used for viewing web pages on the Internet. When you type in a web address, like google.com, you’ll notice that HTTP is automatically added at the beginning of the web address. This indicates that you are using HTTP to retrieve the web page.

HTTP and Clear Text

When using standard HTTP, all the information is sent in clear text. When we say all information, we mean all the information that is exchanged between your computer and that web server, which includes any text that you type on that website. Since that information is transferred over the public Internet in clear text, it’s vulnerable to eavesdropping.

Normally this is not a big deal if you are just browsing regular websites and no sensitive data such as passwords or credit card information is being used. However, if you were to type in personal, sensitive data like your name, address, phone number, passwords or credit card information, that data is vulnerable because a hacker can listen in as it is being transferred and steal your information.
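The following is an added example, not part of the original article, showing what "clear text" means in practice: it sends a login form over plain HTTP and then reads the fields back from the bytes on the wire without any key. The host name shop.example, the /login path and the form values are constructed for illustration, and a local socket pair stands in for the network path.

```python
import http.client
import socket
from urllib.parse import parse_qsl, urlencode

# Constructed sample form data; not real credentials.
FORM = {"username": "alice", "password": "correct-horse-42", "card": "4111111111111111"}


def send_login_over_http(form):
    """Send a form POST over plain HTTP and return the raw bytes on the wire.

    A socket pair stands in for the network path: whatever the client writes
    is exactly what any device between the browser and the server receives.
    """
    client_end, wire_end = socket.socketpair()
    conn = http.client.HTTPConnection("shop.example")  # hypothetical host
    conn.sock = client_end  # reuse our socket instead of dialling out
    conn.request(
        "POST",
        "/login",  # hypothetical path
        body=urlencode(form),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    conn.close()  # closes client_end, so the reader below sees end-of-stream

    chunks = []
    while True:
        data = wire_end.recv(4096)
        if not data:
            break
        chunks.append(data)
    wire_end.close()
    return b"".join(chunks)


def fields_visible_on_wire(raw):
    """Recover the form fields from captured bytes using only standard parsing."""
    _headers, _, body = raw.partition(b"\r\n\r\n")
    return dict(parse_qsl(body.decode("ascii")))


if __name__ == "__main__":
    raw = send_login_over_http(FORM)
    print(raw.decode("ascii"))
    print("Readable without any key:", fields_visible_on_wire(raw))
```

Every field the user typed comes back intact from the captured bytes, which is the exposure that HTTPS removes.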

HTTPS

Since sending sensitive data using HTTP (clear text) represents a big security risk, HTTPS was developed. HTTPS stands for Secure Hypertext Transfer Protocol and this is HTTP with a security feature. Secure HTTP encrypts the data that is being retrieved by HTTP. It ensures that all the data that’s being transferred over the Internet between computers and servers is secure by making the data impossible to read. It does this by using encryption algorithms to scramble the data that’s being transferred.

For example, if you were to go to a website that requires you to enter personal information such as passwords or credit card numbers, you will notice that an ‘s’ is added to the HTTP in the web address, like https://www.saadz26.sg-host.com. This ‘s’ in ‘https’ indicates that you are now using Secure HTTP and have entered a secure website where sensitive data is going to be protected. In addition to the ‘s’ being added, a lot of web browsers will also show a padlock symbol in the address bar to indicate that Secure HTTP is being used.

By using Secure HTTP, all the data, which includes anything that you type, is no longer sent in clear text. Instead, it’s scrambled into an unreadable form as it travels across the Internet. So, if a hacker were to try to steal your information, he would get a bunch of meaningless data because the data is encrypted, and the hacker would not be able to crack the encryption to unscramble the data.

SSL

Secure HTTP protects the data by using one of two protocols, and one of these protocols is SSL. SSL or Secure Sockets Layer is a protocol that’s used to ensure security on the Internet. It uses Public Key Encryption to secure data.

When a computer connects to a website that’s using SSL, the computer’s web browser will ask the website to identify itself. The web server will do that by sending a copy of its SSL certificate to your computer. An SSL certificate is a small digital certificate that is used to authenticate the identity of a website. Basically, it’s used to let your computer know that the website you’re visiting is trustworthy. The computer’s browser will check that certificate to make sure that it can trust it. If it can, it will send a message to the web server saying that it trusts it. After that, the web server will respond with an acknowledgment so that the SSL session can proceed. After all these steps are complete, encrypted data can be exchanged between your computer and the web server.

TLS

The other protocol used to secure HTTP is called TLS. TLS or Transport Layer Security is the latest industry standard cryptographic protocol. It is the successor to SSL and it’s based on the same specifications. Like SSL, it also authenticates the server and client and encrypts the data.

Google and HTTPS

It’s also important to point out that a lot of websites are now using Secure HTTP by default, regardless of whether sensitive data is going to be exchanged or not. This has to do with Google, because Google is now flagging websites as “not secure” if they are not protected with SSL. If a website is not SSL protected, Google will penalize that website in their search rankings. That’s why now if you go to any major website you’ll notice that Secure HTTP is being used rather than standard HTTP. The good thing about this is that you can get your certificates for free using a service like Let’s Encrypt.