In this blog post, we have discussed the basic differences between http and https.
HTTP stands for HyperText Transfer Protocol.
HTTPS stands for Hyper Text Transfer Protocol Secure.
If the host of a website starts with https:// then it means all the requests and response on this website are encrypted. They are encrypted using SSL security protocol (Secure Sockets Layer).
On the flip side, if the host starts with http:// (excluding ‘s’) then it means the requests and responses are not encrypted. And, all the communications between client and server are happening in simple plain-text.
So, in case of http:// , it is very much vulnerable to hackers. And, the data being sent in request or response can be seen/stolen by any middleman(intruder).
Why are we saying that in case of http the data can be stolen?
- Hackers can see the request and response in case of https also but since the entire payload will be encrypted so he/she might not be able to extract out any meaningful data out of that.
- But, since in http scenario, the payload is just a plain text so there is not any effort required to extract out meaningful data out of that.
For example: in case of http: attacker will see below request (which is a plain text and easily understandable):GET /helloworld HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 Host: www.httpexample.com Accept-Language: en
But, the same request will be visible like below in case of https:d2Fg8W8UV81pQfyhDkhebbz7+oiwldr1j2gHBB3L3RFTRsECpaSnSBZ78Vme+DpDVJPvZdZUZHpvbbcqmSW1+3xXGsERHg9YDbpYk0VVDiRvw1H5miNieJeJ/FNUjcH0BmDRWII6+B7MnDwmCMZUI/orxP3HGwYCSIvyzS3MpmmSe4iaWJKGVB==
To make HTTPS secure, the browser (client) and the server exchange the encryption keys before the actual data transfer. Hence it becomes slower in processing time compare to HTTP.
Till now, we have understood that HTTPS is more secure but slower than HTTP. Considering these, at most of the places we would want to use HTTPS over HTTP. Because security remains our first priority compared to speed.
But, still there can be instances/scenarios where we want to use HTTP over HTTPS . Ex: if we are communicating inside a private network. Both the client and server are in the same private network, which is already secured and no body can enter that network in an unauthorised way. Then, in such cases we can use HTTP instead HTTPS, since the communication is already secured due to private network and we can leaverage the speed of HTTP.
There is one more advantage of using HTTPS along with security, which is SEO. As GOOGLE gives preferences to those websites that use HTTPS rather than the websites that use HTTP.
Comparison in the summarized way:
| # | HTTP | HTTPS |
|---|---|---|
| 1 | Speed of HTTP is faster than HTTPS. | Speed of HTTPS is slower than HTTP due to overhead of encryption mechanism. |
| 2 | It is written in the address bar as http://. | It is written in the address bar as https://. |
| 3 | HTTP does not use encryption, which results in low security in comparison to HTTPS. | HTTPS uses Encryption which results in better security than HTTP. |
| 4 | HTTP Works at the Application Layer. | HTTPS works at Transport Layer. |
| 5 | HTTP uses 80 port number for communication. | HTTPS uses 443 port number for communication. |