HTTP vs HTTPS

What is HTTP?
HTTP stands for HyperText Transfer Protocol and is the foundation of the World Wide
Web. Without it the Web wouldn't be what it is today.

An HTTP URL starts with  http:// and has a number 80 port by default.
HTTP is built on top of the TCP/IP network protocol suite and on top of other layers in
the protocol stack.
The TCP/IP is a standardazed set of rules for how browsers and servers are allowed to
communicate over the Internet. After all, the World Wide Web is all about
communication between browsers and servers.
In a nutshell, HTTP is a set of rules and standards for how hypertext files and all kinds
of information are transfered over the web. It's how browsers and servers communicate.

A Typical HTTP Request and Response Flow

HTTP is used when browsers want to get connected to websites.
They communicate by sending HTTP requests and receiving HTTP responses. This is
known as the Request - Response Cycle in a client computer - web server computing
model.

HTTP vs HTTPS 1
 The client, which is typically a web browser like Google Chrome, Mozilla Firefox, or
Apple Safari, makes the request. It does this by entering a human-friendly URL (Uniform
Resource Locator) like  freecodecamp.org  in the address bar at the top of the browser.
That domain name,  freecodecamp.org , is mapped to an IP address with the help of the
Domain Name System (DNS).
The web browser then gets connected to the server and makes an HTTP Request,
asking for the information it needs to receive in order to load a web page.

An HTTP request can look something like this:

An HTTP method, often referred to as an HTTP verb, like  GET . This specific verb is
used to get information back. Another common verb is  POST , which is used when
the client submits data in a form. Verbs specify the action browsers are expecting
from the server.

The path, which in our example is  / , the root path. The server stores all the files
that make up a website, so a request needs to specify which part the browser is
requesting to load.

The HTTP type and its version.

The domain name of the URL.

The web server then receives the request and processes it by looking for the requested
data.

A server is a computer different from the ones we use on a day-to-day basis. Its sole
purpose is to store data and files and retrieve them and distribute them when requested.

The server returns a message, or HTTP Response, back to the browser.

HTTP vs HTTPS 2
 An example of a response is:  HTTP/1.1 200 OK

It first starts with the protocol and version  HTTP/1.1

Next is the HTTP status code, a 3-digit number, which in this case is  200 . It
indicates wether the HTTP request was completed or not. Status codes starting with
a  2  indicate success and that the request was successfully completed. Status
codes starting with a  4 , like  404 , indicate a client side error (for example making a
typo in the URL) so the page is not displayed in the browser. A status code starting
with  5  means a server side error and again the page is not displayed in the
browser.

Next is the status text, human readable text, that summarizes the meaning of the
status code. In this case it's "OK", meaning a successful retrieval of the requested
document.

A HTTP response also includes headers that can look something like this:

date: Thu, 12 Aug 2021 12:07:16 GMT

server: cloudflare
content-type: text/html; charset=utf-8

Headers include important information about the content type sent back, such as the
language, format, and when the response was sent.

Lastly, a response to a 'GET' request includes the optional HTTP body. This contains
the requested information, like the HTML/CSS/JavaScript files that make up the
website.

Then the browser receives the response, renders the page, and closes the connection.
Each time it needs to load a new element on a page (like different styles or images or
videos) it will start a new connection and the whole process repeats again.

Limitations of HTTP
HTTP is fast because of its simplicity, but it does not provide security when data is
exchanged. This is because all the data is transmitted in plain text and nothing is
encrypted at all.

HTTP vs HTTPS 3
 During the transfer, the hypertext data is broken down into 'packets', and anyone with
the right tools, skills, and knowledge between the browser and server can easily view
and steal the information being transmitted.
This means that usernames, passwords, and sensitive information are at risk of being
accessible to attackers, while at the same time the risk of injecting viruses is high.

This means that HTTP is not a secure or private medium, resulting in users feeling
unsafe.

HTTP is safe for certain sites, like blogs, but you should not submit any credit card or
other personal information over an HTTP connection.

What is HTTPS?
HTTPS stands for HyperText Transfer Protocol Secure.

A HTTPS URL starts with  https://  and uses a port number 443 by default.

It's not a separate protocol from HTTP, but it's the more secure and confidential version
of it. It's the safest way to transfer data between a browser and a server.

Most websites nowadays use HTTPS over HTTP. So before submitting any sensitive
information like logging into your bank account and making financial transactions,
always make sure the site uses HTTPS.

You can tell if a site is secure and has an HTTPS connection by the lock icon on the left
hand side of the address bar:

HTTP vs HTTPS 4
 Unlike HTTP which works on the Application Layer, HTTPS works on the Transport
Layer.

How Does HTTPS Work?

Each data packet sent over an HTTPS connection is encrypted and secure, using
cryptographic protocols such as TLS or SSL, on top of HTTP.

Transport Layer Security (TLS), formely known as Secure Sockets Layer (SSL), is the
protocol used to encrypt communications. It is the newer and more secure version of
SSL.
TLS provides security against attacks, and its three main goals are authentication,
privacy, and overall security.

TLS secures communications by using an asymmetric key algorithm, Public Key

Infrastructure (PKI). This system uses two uniquely related keys to encrypt and decrypt
sensitive information, enabling safe communication over the Internet.

Both keys are used in conjunction, and in this way TLS creates a link between sender
and receiver. It makes sure both parties are identified and are really who they say they
are.

HTTP vs HTTPS 5
 First, you have the public key. It is available to view publicly and can be shared with
everyone and anyone who wants to interact with the site.

This key is used to turn plain text into cipher text, to encrypt data, and acts as a lock to
encrypt the data. It also confirms the owner of a private key. Distribution of public keys
to browsers is done with Certificates.
Then, each public key has a unique private key and they work as a pair. You use this
key to decrypt information. Data encrypted with a public key can only be decrypted by
the corresponding unique private key.
It is this unique private key that unlocks the lock and decrypts the data. A private key
also confirms that the information is yours. This key is kept private, stored and available
only to its owner.

A secure connection is set up and certificates are exchanged before any actual data is
transfered.

The client types in the URL of the webpage they want to access. The webpage's server
sends over the TLS or SSL certificate that contains the public key to start the
connection. The client and server go through a lot of back and forth (called a TLS/SSL
handshake) until they establish a secure session.

HTTP vs HTTPS 6