You are here

HTTP vs. HTTPS: What's the Difference?

SSL is the secret to securely moving data online.

This may sound silly to technophiles, but plenty of people don’t understand how secure Web sites work.

People often ask how they can shop on a Web site, giving out personal information, and feel even remotely safe? After all, you’re sending identifying data, without guide or guard, into the vast expanse of cyberspace. Expecting your data to arrive at the right place at all, let alone safely, seems like putting your faith in a miracle. How does it work? The secret lies in a trusted third party and good encryption.

The HyperText Transfer Protocol is an application layer protocol, which means it focuses on how information is presented to the user of the computer but doesn’t care a whit about how data gets from Point A to Point B. It is stateless, which means it doesn’t attempt to remember anything about the previous Web session. This is great because there is less data to send, and that means speed. And HTTP operates on Transmission Control Protocol (TCP) Port 80 by default, meaning your computer must send and receive data through this port to use HTTP. Not just any old port will do.

Secure HyperText Transfer Protocol (HTTPS) is for all practical purposes HTTP. The chief distinction is that it uses TCP Port 443 by default, so HTTP and HTTPS are two separate communications. HTTPS works in conjunction with another protocol, Secure Sockets Layer (SSL), to transport data safely. Remember, HTTP and HTTPS don’t care how the data gets to its destination. In contrast, SSL doesn’t care what the data looks like. People often use the terms HTTPS and SSL interchangeably, but this isn’t accurate. HTTPS is secure because it uses SSL to move data.

(Editor's note: For an updated take on the HTTP vs. HTTPS debate, visit this BizTech article: "The HTTP vs. HTTPS Debate Is Over: Only One Helps Keep Your Business Safe.")

Going Through the Process

With HTTP, you sit at your browser and interact with data. HTTP’s job is to present that data to you, and browsers are the means of doing so. Mozilla’s Firefox browser, for example, understands HTTP instructions and arranges the data as the site’s designer intended. The browser knows what to do when you click. It uses HTTP to do this. But HTTP cannot do much beyond that. How the data travels from Point A to Point B, or even if it travels at all, is none of HTTP’s concern. This is a great compromise if you want speed and elegance and couldn’t care less about security. One does not require security to view BizTech’s latest online articles, for instance.

With HTTPS, the story is quite the same. But when security is a must, HTTPS differentiates one sender and receiver from another. SSL takes the data, going or coming, and encrypts it. This means that SSL uses a mathematical algorithm to hide the true meaning of the data. The hope is that this algorithm is so complex it is either impossible or prohibitively difficult to crack. 

The encryption begins when the owner of the Web site purchases a time-sensitive certificate from a trusted certificate authority such as VeriSign. You can get a certificate anywhere, or even make your own, but is it trusted? Your browser will let you know. This certificate is a security code created specifically for that one user, or even for that one Web site. The code is so complex that no one else on Earth should have a duplicate.

Getting a certificate can be an involved task. All types of information must be recorded so the issuer of the certificate can be a reliable authority on the certificate’s owner. Information that must be provided includes the name of the site and even the name of the server that hosts the site. Complexity makes counterfeiting incredibly difficult.

This makes the issuer a trusted third party. When your browser sees the secure Web site, it uses the information in the certificate to verify that the site is what it claims to be. Browsers commonly indicate security by presenting a picture of a shiny closed lock at the bottom of the screen. This process is not always perfect because of human error. Maybe is a valid banking site, but is not. We call that phishing. Unscrupulous people phish for careless people. So be cautious. After the identity of the Web site is accepted, the encryption is negotiated between the browser and the Web server, and the data is all but locked up tight.

Knowing the difference between HTTP and HTTPS can help users buy with confidence and help businesses get started in electronic commerce.

Jul 05 2007