What’s the big deal about “http” versus “https”? As it turns out, quite a lot. Although to some people it looks like nothing more than an added “s” to a meaningless URL, the truth is that for those who care about being secure and safe while browsing the internet, the “s” in “https” carries plenty of meaning. Allow me to explain.
Take a moment to look at the address bar of your browser. What do you see?
You should see a simple lock next to a URL that begins with “https”.
Now visit the official website of the University of Washington and notice what you see in the place of that lock. If you’re using Google Chrome, it might look something like this.
Notice any difference in the URLs of both websites?
That’s right, the “S” is missing after “HTTP” in the latter and the website is marked as “Not Secure”. The URL with HTTPS has a padlock icon that indicates that the page you’re visiting uses HTTPS.
Most browsers, including Chrome and Firefox, will tell you that the page is “Not Secure” if you use HTTP. If you see that or if the padlock sign is missing, it means the website you’re on is HTTP and not HTTPS.
But why does this matter and what should you as a typical internet user do with this information? Below we’re going to walk through what this means, why it matters and a few vulnerabilities you should look out for.
What are HTTP and HTTPS Anyway?
In short, HTTP and HTTPS are internet protocols.
A protocol is a set of rules that are made to serve a specific purpose. For example, let’s say we’re talking about a news channel. The newscaster will speak in English because its audience speaks English. The use of a specific language can, in this case, be considered a basic rule of operation…a protocol.
For any communication, both parties set some rules and these rules form the protocol. In terms of communication on the web, there are multiple protocols, but the most used ones are HTTP and HTTPS.
WARNING: Technical Jargon Ahead! Skip if this bores you.
HTTP stands for Hypertext Transfer Protocol and it defines the way information travels on the web. Since HTTP is simple, it was the protocol used for the web for several years. This hypertext is sent in plaintext format, which means anyone between the web server (the computer that houses the data of the website you’re trying to access) and your browser can read it.
Because it is plaintext, any computer or hacker that gets between your computer and the server can see all the information being transmitted. That is HTTP.
HTTPS stands for Hypertext Transfer Protocol Secure and the primary difference is that instead of plaintext, the information transmitted between your computer and the server is encrypted with a secret code that only those two computers know. So even if a snooper tries to spy on what you’re doing, they can’t understand anything. That’s HTTPS.
TL;DR: HTTPS encrypts your data so any snoopers trying to listen to your conversation are unable to do so.
Is Encryption Important While I Browse the Internet?
When you shop online, you might have noticed that the URL always says HTTPS when making the payment (if it doesn’t say HTTPS, make sure you don’t make the payment – it’s not safe!).
This is done to make sure that the financial information you enter is secure and cannot be hacked – at least not easily.
This is why HTTP was upgraded to HTTPS: so that the session between your browser and the web server gets encrypted. In fact, it was cryptographic protocols (sets of rules that make things super secure) such as SSL (Secure Sockets Layer) and TLS (Transport Layer Security) that turned HTTP into HTTPS.
So basically, HTTPS = HTTP + Encryption protocols.
As you can imagine, encryption makes everything more secure. As a result, HTTPS is more secure than HTTP.
Should I Care About Encryption?
There are several good reasons you should care. Don’t take my word for it. Consider the following:
- Google, a world-famous tech giant, is forcing websites to ditch HTTP and go for HTTPS. It’s doing this so netizens can be secure when they visit a website. That’s a pretty good reason to start caring!
- Surveys show that the average internet user thinks it is unacceptable for the government to monitor their communications. If you don’t want the government to spy on everything you do, you should start using only HTTPS websites.
- Hackers prey on the most vulnerable. You might think you’re looking at a pretty basic website – maybe reading the news or checking recipes – and this is why you don’t need encryption. But no matter what you do, your activities can be monitored and logged by the government, your internet provider or even a hacker.
- And then there are cases when we use public Wi-Fi networks. Whether it’s a coffee shop or the airport, free Wi-Fi networks have a special charm – after all, they’re free! But these networks can be spied on by hackers.
If you’re on such an unsecured connection and you’re browsing an HTTP website, a hacker can see everything you do there. However, if you access an HTTPS website, they cannot see the information you enter on that site.
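To make that difference concrete, here is an added example (not part of the original article) of what a device on the same network can read from a constructed HTTP form submission versus the first message of an HTTPS connection. The host shop.example, the form fields and the function names are made up for illustration; with HTTPS the name of the site is still visible in that first message, but the form data is not.

```python
import ssl
from urllib.parse import parse_qs

# Constructed sample: a login form submitted over plain HTTP.
HTTP_CAPTURE = (b"POST /login HTTP/1.1\r\nHost: shop.example\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n"
                b"Content-Length: 30\r\n\r\nuser=alice&password=hunter2abc")

def tls_client_hello(hostname):
    """First bytes a real TLS client sends, produced in memory (no network)."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:      # expected: no server has answered yet
        pass
    return outgoing.read()

def sni_from_client_hello(rec):
    """Walk the ClientHello fields and return the server_name value, if any."""
    pos = 5 + 4 + 2 + 32              # record hdr, handshake hdr, version, random
    pos += 1 + rec[pos]               # session id
    pos += 2 + int.from_bytes(rec[pos:pos + 2], "big")   # cipher suites
    pos += 1 + rec[pos]               # compression methods
    end = pos + 2 + int.from_bytes(rec[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:             # iterate over the extensions
        ext_type = int.from_bytes(rec[pos:pos + 2], "big")
        ext_len = int.from_bytes(rec[pos + 2:pos + 4], "big")
        if ext_type == 0:             # server_name: list len, name type, name len, name
            return rec[pos + 9:pos + 4 + ext_len].decode("ascii")
        pos += 4 + ext_len
    return None

def on_path_view(data):
    """What a device between browser and server can read from these bytes."""
    if data[:2] == b"\x16\x03":       # TLS handshake record
        return {"protocol": "https", "site": sni_from_client_hello(data), "form": None}
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    host = next(ln.split(":", 1)[1].strip() for ln in lines
                if ln.lower().startswith("host:"))
    form = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
    return {"protocol": "http", "site": host, "form": form}
```

Calling on_path_view(HTTP_CAPTURE) returns the username and password as typed, while on_path_view(tls_client_hello("shop.example")) returns only the site name.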
Behind the Scenes | Secure Websites
SSL certificates are digital certificates given by trusted authorities like DigiCert to websites. These certificates act as proof that a particular website is secure and uses the SSL protocol.
Every time you open a website, your browser will check if it is secure.
Here’s how all this works on a site like AllThingsSecured:
- Authority: I sell domain certificates.
- All Things Secured: Hi, I own allthingssecured.com, and here is the documentary evidence. Can I get an SSL certificate?
- Authority: Sure, here’s a certificate with my personal signature.
A user visits All Things Secured over HTTPS.
- User: Hello All Things Secured, I’m loading your page on my browser over HTTPS and my operating system says you’re trusted as you have an SSL certificate. Can I now load your page?
- Server: Hi, I have received your encrypted message and only I can decrypt it using my private keys. I have verified you and now you can load the page.
This communication between you, the user, and the website happens in a split second in the background.
WARNING! Security Isn’t Flaw-Proof
A study by the Vishwakarma Institute of Information Technology in India (which, ironically, is hosted on an insecure site!) reveals that web developers don’t have enough knowledge about web security. This lack of awareness opens up a whole lot of security risks for users.
Since users don’t have a mechanism to enforce security on the websites they visit, they cannot protect themselves from attacks.
In another study that checked 10,000 HTTPS websites, researchers from Ca’ Foscari University in Italy discovered that 5.5% of websites had exploitable TLS weaknesses. These weaknesses were due to some issues in the implementation of security on the websites.
And the flaws are subtle enough for the browser to still display the secure padlock sign. This kind of issue is not common, but it needs to be noted that HTTPS doesn’t ensure absolute security.
How Can You Be Secure?
Every form of security has weaknesses, but that doesn’t mean you should abandon or ignore something like HTTPS.
Even though HTTPS might not be foolproof, it’s undeniably better than HTTP. When implemented properly, HTTPS adds an extra layer of security that will help keep your data from being stolen online.
As a website visitor, you cannot do anything to fix the HTTP issue of a website. It has to be fixed by the operator of the website. What you can do is not visit these websites and go to their substitutes instead.
When a website starts seeing fewer visitors, its operator might be forced to adopt a better protocol – HTTPS.
Final Thoughts | HTTP versus HTTPS
Until everybody finally gets on board (and they will, eventually), the best thing you can do is to avoid websites that are listed as “Not Secure” and only transmit sensitive information on websites that are secured by HTTPS.
There are a number of other security measures you can take, such as using a VPN to encrypt all your data or creating secure passwords, and each of these small steps, when put together, leads to much higher levels of security while you’re browsing and buying online.
Do you have other questions regarding HTTP versus HTTPS? Leave a comment below!