HTTP vs HTTPS in detail

Saurav sharma
4 min read · Dec 3, 2022

Image by skylarvision from Pixabay

HTTP stands for ‘hypertext transport protocol’ and is an application layer protocol of the TCP/IP model used to transmit hypermedia such as HTML.

HTTP plays a vital role between client and server: the client uses it to send data to the server, and the server responds over HTTP as well.

Taken from: MDN Web Docs, https://developer.mozilla.org/en-US/docs/Web/HTTP/Overview

As the diagram above shows, HTTP is the medium, or bridge, between client and server: all data sent to the server or received back by the browser travels over HTTP.

If you are not familiar with client-server architecture, I highly recommend checking out this article: Client-server architecture.

Now, let's understand why we should prefer HTTPS over plain HTTP.

Problem with HTTP: We communicate over the internet, which is an insecure network, and sending sensitive data in plaintext over HTTP is very risky because anyone with an understanding of the network can view the data we send. For sending a basic query and receiving public data from the server, this is fine. But when you are sending a password for authentication, bank details, or any other personal or sensitive information, you never want that data disclosed to a middleman.

How requests are sent in HTTP, which is insecure

In a nutshell, the main problem with HTTP is that it sends data in plaintext, which is readable by anyone.

HTTPS: HTTPS is an extended version of HTTP with an additional ‘S’, which stands for secure. When we send data through HTTPS, the data is encrypted, so even if a middleman gets access to it, they won’t be able to read it.

How HTTPS makes data secure: To understand the internal mechanism, we first need to understand a few terms related to encryption.

Types of Encryption:

Symmetric Encryption: The same key is used for both encryption and decryption.

Asymmetric Encryption: Two keys are maintained, one for encrypting the data and one for decrypting it. The key used to encrypt is publicly available, so anyone can secure their data with the public key. Once a file is encrypted, it can only be decrypted with the private key, which is confidential and available only to the owner.

Let’s understand this via a metaphor: symmetric encryption is like having a single key for a door, which you use for both locking and unlocking. In asymmetric encryption, you have two separate keys: one for locking the door, which is publicly available, and another for unlocking it, which is private to the owner. Without the private key, you can’t unlock the door.

TLS/SSL: SSL stands for secure socket layer, and it is a protocol by which two machines can communicate securely. An SSL certificate is a digital document that binds the identity of a website to an asymmetric key pair (public and private). Recognized authorities issue SSL certificates, and by implementing one you can make a secure connection between server and client.

TLS (Transport Layer Security) is just an updated, more secure, version of SSL.

How HTTPS uses SSL to secure the connection:

Let’s understand step by step how HTTPS makes a secure connection.

Step 1: During the TCP handshake, the client/browser sends a request to the server.

Step 2: The server responds with its SSL certificate, which contains the public key for asymmetric encryption.

Step 3: The client/browser sends a new key, called the session key, encrypted with the public key the server provided in its SSL certificate.

Step 4: Once the server receives the session key, it decrypts it using its private key and acknowledges to the client that it can start sending data.

Step 5: Now the client/browser sends data encrypted with the session key, and the server uses the same key to decrypt it. That is how HTTPS makes a secure connection over the most insecure network of all, the internet.

Why we use a symmetric key: Symmetric encryption is faster than asymmetric encryption, so HTTPS uses a combination of both: asymmetric encryption to exchange the session key, and symmetric encryption for the data itself.
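
The five steps above can be traced in a short Python sketch, added here as an illustration and not taken from the original article. It follows the article's simplified model; the RSA key (two small fixed primes, no padding) and the SHA-256 keystream cipher are constructed toy stand-ins for what a real TLS library does, and all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy RSA key pair built from two known Mersenne primes.
# Far too small and unpadded for real use; it only makes the steps visible.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public key (sent in the certificate)
D = pow(E, -1, (P - 1) * (Q - 1))        # private key (never leaves the server)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with a SHA-256 counter keystream.
    The same call encrypts and decrypts. Safe for one message per key only."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def client_wrap_session_key(public_n: int, public_e: int):
    """Step 3: the client picks a session key and encrypts it to the server."""
    session_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session_key, "big"), public_e, public_n)
    return session_key, wrapped


def server_unwrap_session_key(wrapped: int) -> bytes:
    """Step 4: the server recovers the session key with its private key."""
    return pow(wrapped, D, N).to_bytes(16, "big")


def demo():
    client_key, wrapped = client_wrap_session_key(N, E)   # steps 2-3
    server_key = server_unwrap_session_key(wrapped)       # step 4
    # Constructed sample request carrying a credential.
    request = b"POST /login HTTP/1.1\r\n\r\nuser=alice&password=hunter2"
    on_the_wire = keystream_xor(client_key, request)      # step 5, client side
    received = keystream_xor(server_key, on_the_wire)     # step 5, server side
    return request, wrapped, on_the_wire, received, client_key == server_key


if __name__ == "__main__":
    request, wrapped, wire, received, keys_match = demo()
    print("keys match:", keys_match)
    print("middleman sees:", wire.hex())
    print("server reads:", received.decode())
```

Only the short session key goes through the slow asymmetric operation; the request body, however large, is handled by the fast symmetric cipher.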

Summary: We have looked at both HTTP and HTTPS. Nowadays it is recommended to use HTTPS, for the reasons explained above. You should always prefer well-known authorities for SSL certificates; otherwise you may face issues in browsers like Chrome, because they strongly encourage authentic SSL certificates. That is all for this article. Do comment and let me know your doubts. Thank you.😊😊😊
