GlobalSign Blog

What's the difference between HTTP and HTTPS?

Wait, are there really two of those? Casual users rarely notice them, but HTTP (or, http://) and HTTPS (https://) are both options for the start of a URL, showcasing an important difference in all those web pages you visit on a daily basis. Even if you’re not very keen on finding out how stuff works, we bet this one will expand your horizons. Consider this your first lesson if you’re interested in learning more about internet security.

This is the difference between HTTP and HTTPS, as explained by this amazing infographic created by FirstSiteGuide. Below I’ll explain the most important points.

HTTP: No Data Encryption Implemented

Every URL that begins with HTTP uses a basic type of “hypertext transfer protocol”. Created by Tim Berners-Lee back in the early 1990s, when the Internet was still in its infancy, this network protocol standard is what allows web browsers and servers to communicate through the exchange of data.

HTTP is also called “a stateless system”, which means that it enables connection on demand. You click on a link, requesting a connection, and your web browser sends this request to the server, which responds by opening the page. The quicker the connection is, the faster the data is presented to you.

As an “application layer protocol”, HTTP remains focused on presenting the information, but cares less about the way this information travels from one place to another. Unfortunately, this means that HTTP traffic can be intercepted and potentially altered, making both the information and the information receiver (that’s you) vulnerable.

HTTPS: Encrypted Connections

HTTPS is not the opposite of HTTP, but its younger cousin. The two are essentially the same, in that both of them refer to the same “hypertext transfer protocol” that enables requested web data to be presented on your screen. But HTTPS is still slightly different, more advanced, and much more secure.

Simply put, the HTTPS protocol is an extension of HTTP. That “S” in the abbreviation comes from the word Secure and it is powered by Transport Layer Security (TLS) [the successor to Secure Sockets Layer (SSL)], the standard security technology that establishes an encrypted connection between a web server and a browser.

Without HTTPS, any data you enter into the site (such as your username/password, credit card or bank details, any other form submission data, etc.) will be sent in plaintext and is therefore susceptible to interception or eavesdropping. For this reason, you should always check that a site is using HTTPS before you enter any information.
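What that plaintext looks like on the wire, as an added example that is not part of the original article: Python's standard HTTP client submits a login form, and the other end of the connection reads the fields straight back. The in-process socket pair standing in for the network path, the host name `shop.example`, and the credentials are all constructed for the illustration.

```python
import http.client
import socket
from urllib.parse import parse_qs, urlencode


def bytes_on_the_wire(form):
    """Submit `form` over plain HTTP and return exactly what crossed the connection."""
    # A connected socket pair stands in for the network path (assumption of this example).
    client_end, observer_end = socket.socketpair()
    conn = http.client.HTTPConnection("shop.example")  # constructed name, never resolved
    conn.sock = client_end  # use the pre-connected socket instead of dialling out
    conn.request("POST", "/login", body=urlencode(form).encode(),
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    client_end.shutdown(socket.SHUT_WR)  # signal end of data so the reader sees EOF
    wire = b""
    while chunk := observer_end.recv(4096):
        wire += chunk
    client_end.close()
    observer_end.close()
    return wire


def recover_form_fields(wire):
    """Read the form back from the raw bytes: no key and no decryption step is needed."""
    _head, _, body = wire.partition(b"\r\n\r\n")
    return {name: values[0] for name, values in parse_qs(body.decode()).items()}


if __name__ == "__main__":
    # Constructed credentials, for illustration only.
    wire = bytes_on_the_wire({"username": "alice", "password": "correct horse"})
    print(wire.decode())
    print(recover_form_fields(wire))
```

With HTTPS, the same request is written into a TLS session instead, so the request line, headers and form body are all encrypted before they leave the client.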

In addition to encrypting the data transmitted between the server and your browser, TLS also authenticates the server you are connecting to and protects that transmitted data from tampering.

It helps me to think about it like this - HTTP in HTTPS is the equivalent of a destination, while SSL is the equivalent of a journey. The first is responsible for getting the data to your screen, and the second manages the way it gets there. With joint forces, they move data in a safe fashion.  

The Advantages and Disadvantages of HTTPS

As discussed above, HTTPS helps ensure cyber-safety. It is, without any doubt, a better network protocol solution than its older cousin, HTTP.

But, is HTTPS all about the advantages? Perhaps there’s a drawback to it all? Let’s find out.  

The Advantages of Using HTTPS

The security benefits mentioned above - authenticating the server, encrypting data transmission, and protecting the exchanges from tampering - are the obvious main advantages to using HTTPS. Site operators want and need to protect their visitors' data (HTTPS is actually a requirement for any sites collecting payment information according to the PCI Data Security Standard) and site visitors want to know that their data is being transmitted securely.

The growing demand for data privacy and security from the general public is another advantage to using HTTPS. In fact, according to We Make Websites, 13% of all cart abandonment is due to payment security concerns. Site visitors want to know that they can trust your site, especially if they are entering financial details, and using HTTPS is one way to do that (i.e. it’s one way to show your visitors that any information they enter will be encrypted).

HTTPS can also help with your SEO. Back in 2014, Google announced HTTPS as a ranking signal. Since then, some studies and anecdotal experience from companies who have implemented HTTPS indicate a correlation to higher rankings and page visibility.

Browsers are also jumping in on efforts to increase HTTPS usage by implementing UI changes that will negatively affect non-HTTPS sites. For example, Google announced earlier this year that by July (only a few months from now!) Chrome will mark all HTTP sites as non-secure.

Planned Chrome UI changes from Google’s original announcement in February 2018 (source)

Even if you look at an HTTP site now (in Chrome 66), you can see they’ve added a notification alerting visitors that their connection isn’t secure if you click the “more information” icon in the address bar.

Example HTTP site warning in Chrome 66 (thanks to badssl.com for the example HTTP site)

Firefox has also announced plans to flag HTTP sites. Imagine the impact of this on your brand-building and marketing, your customer acquisition and sales. The only way to face the incoming change is by embracing it - get HTTPS on your site!

Things to Be Aware of Before Switching to HTTPS

Even though the process of switching from HTTP to HTTPS is a one-way street, there are still many people who get side-tracked, probably due to the large number of options laid before them.

In short, the aforementioned process consists of these four steps:

  1. Obtaining an SSL certificate from a trusted Certificate Authority
  2. Installing it on your site's hosting account
  3. Setting up 301 redirects by editing the .htaccess file in your root folder and adding:

         # Turn on mod_rewrite for this directory
         RewriteEngine On
         # Apply the rule only when the request did not arrive over HTTPS
         RewriteCond %{HTTPS} off
         # Send a permanent (301) redirect to the same host and path over https://
         RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

  4. Notifying search engines that your site’s addresses have changed and that anyone visiting your site after that is automatically redirected to the HTTPS address.
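A way to check step 3 once the rule is live, added here as an example and not part of the original article: the function below audits a raw response head (the shape `curl -sI` prints) and reports whether the redirect is a permanent 301, goes to https://, and keeps the same host, path and query. The sample responses and the `www.example.com` URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed response heads in the shape `curl -sI` prints (not real captures).
GOOD = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.com/shop?item=7\r\n\r\n"
TEMPORARY = "HTTP/1.1 302 Found\r\nLocation: https://www.example.com/shop?item=7\r\n\r\n"
PATH_LOST = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.com/\r\n\r\n"
NOT_REDIRECTED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"


def parse_head(raw):
    """Split a raw response head into (status_code, {lowercased header name: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_redirect(requested_url, raw_head):
    """Return the list of problems found; an empty list means the redirect is as intended."""
    status, headers = parse_head(raw_head)
    req = urlsplit(requested_url)
    problems = []
    if status != 301:
        problems.append(f"status is {status}, expected 301 (permanent)")
    location = headers.get("location")
    if location is None:
        return problems + ["no Location header"]
    dest = urlsplit(location)
    if dest.scheme != "https":
        problems.append(f"redirect target uses {dest.scheme or 'no scheme'}, not https")
    if dest.hostname != req.hostname:  # the rule reuses %{HTTP_HOST}
        problems.append(f"host changed: {req.hostname} -> {dest.hostname}")
    if (dest.path or "/", dest.query) != (req.path or "/", req.query):  # %{REQUEST_URI}
        problems.append(f"path or query changed: {requested_url} -> {location}")
    return problems


if __name__ == "__main__":
    url = "http://www.example.com/shop?item=7"  # constructed URL
    for name, head in [("GOOD", GOOD), ("TEMPORARY", TEMPORARY),
                       ("PATH_LOST", PATH_LOST), ("NOT_REDIRECTED", NOT_REDIRECTED)]:
        print(name, audit_redirect(url, head) or "ok")
```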

If this still seems complicated to you, don't worry. Your options are not exhausted!

Many hosting companies nowadays offer SSL Certificates as part of their services, doing most of the work themselves (the first three of four steps mentioned above). You only need to point your visitors to the new addresses. But, beware! This can cost you a few extra dollars.

The Future

Be that as it may, the Internet now has more than 4 billion users, content consumers, shoppers and the like. The combination of user demand (site visitors are more conscious of data security than ever before), regulations (e.g. PCI DSS), and encouragement from browsers (e.g. plans to flag HTTP sites as non-secure) makes it clear that the full transition from HTTP to HTTPS will soon be due.

Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign.
