Differences between HTTP and HTTPS
Contents
HTTP vs. HTTPS
The Hypertext Transfer Protocol (HTTP) is the foundation of data exchange on the World Wide Web. It is an application-layer protocol designed within the Internet protocol suite to allow the fetching of resources, such as HTML documents. Tim Berners-Lee initiated the development of HTTP at CERN in 1989. The first documented version, HTTP/0.9, was released in 1991. Because HTTP transmits data in cleartext, information sent between a web browser and a server is vulnerable to interception.[1]
HTTPS (Hypertext Transfer Protocol Secure) is an extension of HTTP that uses encryption for secure communication over a computer network. Netscape Communications created HTTPS in 1994 for its Netscape Navigator web browser. Initially, HTTPS used the Secure Sockets Layer (SSL) protocol for encryption. This was later succeeded by Transport Layer Security (TLS). HTTPS provides authentication of the accessed website and protects the privacy and integrity of the exchanged data while in transit.[2]
Comparison table
| Feature | HTTP | HTTPS |
|---|---|---|
| Default port | 80 | 443 |
| Security level | Unsecured; data is sent in plain text | Secured; data is encrypted |
| Encryption | None | TLS/SSL (Asymmetric and symmetric) |
| Authentication | No server or client validation | Server identity is verified via certificates |
| Latency | Lower; no handshake required | Slightly higher due to the TLS handshake |
| Browser indicators | "Not Secure" warning in modern browsers | Padlock icon or "Secure" label |
| SEO impact | None or negative | Recognized as a ranking signal by search engines |
| Certificate requirement | None | Requires a certificate from a Certificate Authority (CA) |
Technical mechanisms
The primary difference between the two protocols lies in the use of a cryptographic coat. HTTP sits directly on top of the Transmission Control Protocol (TCP). In contrast, HTTPS adds a TLS layer between HTTP and TCP. This layer encrypts the HTTP request and response headers as well as the payload data.
When a client connects to an HTTPS server, the server sends its digital certificate to the browser. This certificate contains the public key necessary to begin the secure session. The browser verifies that the certificate was issued by a trusted Certificate Authority, such as Let's Encrypt or DigiCert. After verification, the client and server perform a "handshake" to agree on session keys for symmetric encryption. This prevents man-in-the-middle (MITM) attacks, where an attacker intercepts a connection to steal credentials or inject malicious code.[3]
History and adoption
For much of the history of the web, HTTPS was reserved for login pages and financial transactions. This changed in the mid-2010s as privacy concerns increased. In 2014, Google announced that HTTPS would become a ranking signal in its search algorithms. Following this, browser developers like Mozilla and Google began flagging HTTP sites as "Not Secure" in 2018. Organizations such as the Electronic Frontier Foundation (EFF) promoted the "HTTPS Everywhere" campaign to encourage universal adoption. By 2023, data from transparency reports indicated that over 90% of page loads in Chrome across all platforms were conducted over HTTPS.[4]
References
- ↑ Berners-Lee, T. (1991). "HTTP: A protocol for networked information". CERN.
- ↑ Rescorla, E. (2000). "HTTP Over TLS". RFC 2818. Internet Engineering Task Force.
- ↑ Fielding, R., et al. (1999). "Hypertext Transfer Protocol -- HTTP/1.1". RFC 2616. Internet Engineering Task Force.
- ↑ Google Transparency Report. (2023). "HTTPS usage on Google".
