You have most likely come across “https” in the address bar of a webpage or seen it in web URLs. Same way you have seen “http”. However, are you really sure you know the difference between them both? As we all know, “HTTPS” stands for Hypertext Transfer Protocol Secure which is basically a combination of HTTP and TLS (Transport Layer Security) or SSL (Secure Socket Layer).You know it's HTTPS when you see the tiny padlock around the address bar.
About HTTP
Hypertext Transfer Protocol (HTTP) is what the internet uses to load web pages. Say you want to purchase some items online and have to visit the shop's website. HTTP is responsible for loading the web page for you to see. There are certain rules that must be followed, a format, and steps taken from when you request for a web page by inputting a URL to when the page rendered. Now thanks to HTTP, your're able to access the website and navigate across pages. However, in order to add items to your cart, you will have to login with your email and password. Most especially at this point where we are dealing with passwords,we may want to ensure this site is secure so that our password wouldn't be stolen as we are trying to authenticate. That is where our beloved “S” comes in.
The “S” in “HTTPS”
Picture it like a secure version of HTTP. It just provides an extra layer of security to prevent hackers or malicious individuals from stealing any sensitive data which is exchanged between the client and the server. It does this by using TLS though SSL was what was previously used. It is a security protocol that encrypts data between your browser and website or 2 servers. This is just like having a private conversation with your friend but speaking in a different language known to just you and that friend. Chances are someone may eavesdrop to your conversation but they wouldn't understand hence your messages are safe.
Back to us logging in to the shop website so that we can finally add items to the cart, TLS will encrypt our password as we are making an POST request to the server to authenticate us. The password will be converted into giberrish such that even if a middle man manages to steal it, it will be useless.
You must be wondering how the server will know that's actually the password since it has been converted to “giberrish”. Well it does this using an assymetric public key infrastructure where there is a public and a private key. The public key is used to encrypt the data while the private key lives in the web server where it is used to decrypt the data.
Why TLS is important for websites?
At this point you should understand that HTTPS is an implementation of HTTP with TLS for security. TLS ensures 3 main things:
-
Encryption: Which hides the data from any third parties.
-
Authentication: This makes sure the client and server can verify the identity of each other and be sure they are who they claim to be. For example Alice and Sarah want to communicate with each other. Alice has to be sure she is actually in communication with Sarah and vice versa.
-
Integrity: This makes sure the data has not been altered or tampered with.
For websites that use TLS, they have a TLS or SSL certificate. It is usually issued by a certificate authority to whoever owns the domain name. It is issued alongside a public and private key. A TLS connection is immediately initiated when a user navigates to a website using TLS. This is also known as a TLS handshake which occurs between the user's device and the server. It is during this handshake that authentication between the client ad the server occurs to proof their identities. This is done using the public key which is part of the TLS certificate. Once the handshake has been established, secure commuication can now occur between the client an the server.
The adoption of HTTPS has become increasingly important to ensure the security and privacy of online communication. It is particularly essential for websites that handle sensitive information, such as login credentials, payment details, and personal data. Most modern web browsers now mark HTTP websites as “Not Secure” to encourage the use of HTTPS and better protect users. Therefore, for the credibility of your website, make sure you adopt the use of HTTPS.