What is HTTP (HyperText Transfer Protocol)
It is always worth knowing the basics before moving on to the advanced topics. HTTP stands for HyperText Transfer Protocol. It is the protocol a client and a server use to exchange requests and responses: the server is the machine where your website's code is placed, and the client is nothing but your browser. The very first version of HTTP had only one method, GET, which requested a page from the server, and the response was an HTML document. HTTP/1.1 defines eight request methods (GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS and TRACE); PATCH, which is specified separately, brings the commonly quoted count to nine. When the address in your browser starts with http://, the browser is talking to the server over plain HTTP. Plain HTTP is not a safe way to establish a connection: everything it carries travels in cleartext, so anyone on the path, whether the operator of a public Wi-Fi hotspot, an ISP or an attacker on the same network, can read or alter it. That may not be a concern when you are just browsing a website or running a search; the problem comes when you log in, make a financial transaction, buy something online or transfer a file that needs to stay private. As we all know, the Internet is not exactly a safe place. So how do we secure such transactions? The answer is HTTPS.
What is HTTPS (Secure HTTP)
HTTPS, which some call Secure HTTP, is ordinary HTTP carried inside an SSL/TLS connection (SSL is the older name; every version of SSL is now deprecated, and current browsers negotiate TLS 1.2 or TLS 1.3). Everything you send or receive over HTTPS is encrypted and integrity-protected, which is what adds the element of safety. The connection starts with a handshake. The client tells the server which cipher suites it supports, the server picks one and presents its digital certificate, and the browser checks that the certificate was issued by a certificate authority it trusts and that it was issued for the hostname of the site being visited. The certificate carries the server's public key; the two sides use public-key cryptography to agree on fresh session keys, and those symmetric keys encrypt the rest of the conversation, so an eavesdropper who records the traffic gets nothing but ciphertext. HTTPS is used wherever data needs to be secured: banking log-in pages, forms, corporate logins and other applications. It is always advisable never to enter credit card details on a website that runs on plain HTTP.
Difference between HTTP and HTTPS
Hope this has cleared up the difference between HTTP and HTTPS. If you have any questions or observations to make, please do comment.

HTTPS and SSL/TLS are the protocols used to secure the web; in fact, HTTPS uses SSL/TLS to get things done. The whole idea behind these protocols is to make sure no one can eavesdrop on, or tamper with, important data travelling over the web. However, things are not as simple as they seem, because the certificate system that SSL/TLS relies on is a muddle. Don't get it twisted: that does not mean SSL/TLS and HTTPS are useless to users on the web. They have their problems, but both are much better than plain HTTP in every way possible.
Some reservations about HTTPS and SSL
Let’s point out a few problems with HTTPS and SSL
Man in the middle attacks
Man in the Middle attacks are still possible against HTTPS, not because the encryption is broken but because of how users get to the encrypted site in the first place. The idea is simple: users should be able to connect to their bank's website over public Wi-Fi because the connection is secure, so an attacker on the same network should have no way to slip in between. But users normally type the bank's name, not https://, so the first request leaves the browser over plain HTTP. An attacker in the path can answer that request himself, serve a page that looks just like the bank's secured one, and keep the victim on HTTP while he talks HTTPS to the real site; this is known as SSL stripping. Everything the user then types passes through the attacker's machine in the clear. The usual defence is HTTP Strict Transport Security (HSTS), a response header with which a site tells the browser to use only HTTPS for that host from then on, so the downgrade never happens for a site the browser has already seen.
Too many certificate authorities
Your web browser ships with a list of certificate authorities (CAs) built in, and it trusts only certificates that chain up to one of them. When you visit a website secured with SSL/TLS, the site presents its certificate and the browser checks that it was signed by a trusted CA and that it was issued for the name of that particular site. Here's the thing: any one of those CAs can issue a certificate for any website, so a problem at a single authority, whether a compromise or a careless issuance, affects every site on the web and not just that authority's own customers. That's never good, and so far there is not much a webmaster can do about it beyond publishing CAA records in DNS, which tell CAs which of them may issue for the domain, and watching the Certificate Transparency logs for certificates issued in the domain's name.
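The following is an added example, not code from the original article: the name check a browser performs on a server certificate, following the matching rules of RFC 9525 section 6.3, plus the two defaults Python's own `ssl` module uses for the same checks. The CA signature only says who issued a certificate; it is this check that says the certificate was issued for the site you actually asked for. Browsers read the names from the certificate's subjectAltName extension (the subject Common Name is no longer consulted), so the SAN lists below are constructed as `(type, value)` pairs in the form that extension yields.

```python
"""Added example (not from the original article): certificate name matching
per RFC 9525 s6.3, and the ssl module defaults that enforce the same checks.
SAN lists are constructed, e.g. ("DNS", "www.example.com") or ("IP", "192.0.2.10").
"""
import ipaddress
import ssl


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against the requested hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" in hostname or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire left-most label ("w*.example.com" and
    # "*.*.example.com" are rejected), and browsers refuse wildcards that
    # would cover a whole top-level domain such as "*.com".
    if p_labels[0] != "*" or any("*" in l for l in p_labels[1:]) or len(p_labels) < 3:
        return False
    # The wildcard matches exactly one non-empty label: "*.example.com" covers
    # "www.example.com" but neither "example.com" nor "a.b.example.com".
    return (len(h_labels) == len(p_labels)
            and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])


def match_hostname(san_entries, host: str) -> bool:
    """True if the certificate's SAN list covers the host the client asked for."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only ever matches an iPAddress entry, never a dNSName.
        return any(kind == "IP" and ipaddress.ip_address(value) == ip
                   for kind, value in san_entries)
    return any(kind == "DNS" and _dns_name_match(value, host)
               for kind, value in san_entries)


def default_client_checks() -> tuple:
    """The two settings that make a Python client behave like a browser here."""
    ctx = ssl.create_default_context()
    # Scripts that set check_hostname=False or verify_mode=CERT_NONE to
    # silence a certificate error have switched off exactly the check shown
    # above and will accept a certificate from anyone sitting in the path.
    return ctx.check_hostname, ctx.verify_mode == ssl.CERT_REQUIRED
```

Note what the check does not cover: a certificate for `www.example.com` issued by a rogue but trusted CA passes both the chain check and `match_hostname()`, which is exactly why a single bad authority is a problem for every site.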
Certificate authorities issuing fake certificates
Unbelievably, fraudulently or mistakenly issued certificates are out there and have caused problems for web users, and even Google and other companies have fallen prey to them in the past. In one such case an intermediate CA operating under France's ANSSI issued certificates for Google domains. Whoever held such a certificate could impersonate the official Google pages without triggering any browser warning, which makes a Man in the Middle attack possible even against a user who carefully checks for the padlock. In its defence, ANSSI claimed the certificate had been created to inspect traffic on its own network, and that the French government had no access to it. Standard chain validation cannot detect this kind of certificate, since it is correctly signed by a trusted authority; it takes Certificate Transparency logs, or a client that pins the keys it expects, to notice it.
Some certificate authorities have downright failed at times
According to studies done in the past, some certificate authorities have failed at the basic job of issuing certificates correctly: certificates have been issued for domains whose owners never asked for them, with the authority delivering them anyway. If this is being done on a regular basis, then one can only imagine what other mistakes have been made and are still being made. A domain owner can at least catch such mis-issuance after the fact by monitoring the Certificate Transparency logs, which Chrome and Safari require public CAs to record every certificate in.