Hack Frontend Community

How HTTPS Works and How It Differs from HTTP

What is HTTPS?

HTTPS (HyperText Transfer Protocol Secure) is an extension of HTTP that adds a security layer for data transfer between the web browser and the server. HTTPS uses encryption to protect data, making it much more secure than regular HTTP. This is especially important for protecting confidential information such as passwords, credit card numbers and personal data transmitted over the internet.

How Does HTTPS Work?

  1. SSL/TLS:
    The main difference between HTTPS and HTTP is the use of SSL/TLS (Secure Sockets Layer / Transport Layer Security). These protocols provide a secure connection between the client (e.g., a web browser) and the server, preventing data from being intercepted or modified during transmission.

  2. Encryption:
    When you connect to a site via HTTPS, the server and client establish a secure connection using encryption. This guarantees that all data transmitted between you and the server is encrypted and cannot be read by third parties that intercept the traffic.

  3. Connection Establishment Process (TLS Handshake): When a client (e.g., your browser) tries to establish a connection with a server via HTTPS, several steps occur:

    • Certificate verification: The browser checks the server's SSL/TLS certificate to verify its authenticity.
    • Session key creation: After the server and client agree on security parameters, they create a session key that will be used to encrypt data for the duration of the connection.
    • Secure data transmission: Once the secure communication channel is established, all data exchanged between the server and client is encrypted using the session key.
  4. Digital Certificate: To establish a secure connection, the server must provide a digital certificate confirming its authenticity. This certificate is issued by a Certificate Authority (CA) and contains the server's public key, which is used to establish the secure connection.
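
The handshake steps above seen from the client's side, as an added example in Python (not code from the original page): make_client_context() turns on the certificate and hostname checks, and inspect_https() reports the certificate, protocol version and cipher suite that were negotiated. The function names and the sample certificate are constructed for illustration.

```python
import socket
import ssl
import time

def make_client_context():
    """Client context with CA chain verification and hostname checking enabled."""
    ctx = ssl.create_default_context()            # system CA store, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy SSL / early TLS
    return ctx

def summarize_cert(cert, now=None):
    """Reduce the dict from SSLSocket.getpeercert() to the fields worth checking."""
    now = time.time() if now is None else now
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "common_name": subject.get("commonName"),
        "issuer": issuer.get("organizationName"),
        "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "days_left": int((expires - now) // 86400),  # negative once expired
    }

def inspect_https(host, port=443, timeout=5.0):
    """Run a real TLS handshake with host and report what was negotiated."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # wrap_socket performs the handshake; it raises
        # ssl.SSLCertVerificationError if the chain or hostname does not validate.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            info = summarize_cert(tls.getpeercert())
            info["protocol"] = tls.version()   # e.g. "TLSv1.3"
            info["cipher"] = tls.cipher()[0]   # suite protecting the session
            return info

# Constructed sample in the shape getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),)),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "www.shop.example")),
}

if __name__ == "__main__":
    print(summarize_cert(SAMPLE_CERT))
```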

Where Does HTTPS Come From?

  • When a website uses HTTPS, its domain must be linked to a valid digital certificate.
  • SSL/TLS certificates can be obtained from a Certificate Authority. Some provide free certificates (e.g., Let's Encrypt).

How Does HTTPS Differ from HTTP?

  1. Encryption:

    • HTTP transmits data in plain text, making it vulnerable to attacks such as interception (man-in-the-middle).
    • HTTPS encrypts data via SSL/TLS, protecting it from interception and modification.
  2. Security:

    • HTTP provides no security guarantees. All data is transmitted in plain text.
    • HTTPS provides data protection as well as verification of the server's authenticity, preventing server spoofing attacks (e.g., phishing).
  3. Performance:

    • HTTP works faster because it doesn't require additional steps to establish a secure connection.
    • HTTPS may be slightly slower because it requires additional computation to encrypt data. However, as technology develops and server and client capabilities improve, this difference becomes minimal.
  4. Port:

    • HTTP uses port 80.
    • HTTPS uses port 443 for secure connections.
  5. Usage:

    • HTTP is usually used for non-secret requests, such as public pages or requests that don't require confidentiality.
    • HTTPS is used for all operations requiring security, e.g., authorization, payments and transmission of personal information.

When to Use HTTPS?

  1. All web applications: If your application requires users to enter personal data (e.g., login, password, payment data), it should use HTTPS to ensure security.

  2. SEO: Search engines such as Google prefer sites that use HTTPS and may lower the ranking of sites that don't provide a secure connection.

  3. Network attacks: HTTPS protects against attacks such as traffic interception, data spoofing and phishing that can be carried out over unencrypted connections.