What’s the difference between “http” versus “https”? As it turns out, quite a lot. Although to some people it looks like nothing more than an added “s” to a meaningless URL, the truth is that for those who care about being secure and safe while browsing the internet, the “s” in “https” carries plenty of meaning. Allow me to explain.
Take a moment to look at the address bar of your browser. What do you see?
You should see a simple lock next to a URL that begins with “https”.
Now visit the official website of the University of Washington and notice what you see in the place of that lock. If you’re using Google Chrome, it might look something like this.
Notice any difference in the URLs of both websites?
Exactly…the website is marked as “Not Secure”. The URL with https has a padlock icon that indicates that the page you’re visiting uses a secure connection protocol.
Most browsers, including Chrome, Firefox, and other Chrome alternatives, will alert you when a website is “Not Secure”. If you see that message or if the padlock sign is missing, it means the website you’re on is HTTP and not HTTPS.
But why does this matter and what should you as a typical internet user do with this information? We’re going to answer a few fundamental questions about secure URLs including:
Below we’re going to walk through what this means, why it matters and a few vulnerabilities you should look out for.
What is HTTP and HTTPS?
HTTP and HTTPS are internet protocols that define the way information travels across the internet. These protocols represent a set of rules that help to direct that information. The single “s” difference between the two signifies that one is “secured”.
- HTTP = “Hypertext Transfer Protocol”
- HTTPS = “Hypertext Transfer Protocol Secure”
More on what that means below. But first, how do these protocol rules work?
Let’s say, for example, we’re talking about a news channel.
The newscaster will speak in English because its audience speaks English. The use of a specific language can, in this case, be considered a basic rule of operation.
A protocol.
For any communication, both parties set some rules and these rules form the protocol. In terms of communication on the web, there are multiple protocols; these are the two most common.
WARNING: Technical Jargon Ahead! Skip if this bores you.
HTTP = Hyper Text Transfer Protocol
HTTP stands for Hyper Text Transfer Protocol.
It is the simplest protocol and the one that has been used across the web for decades.
This hypertext is sent in plaintext format, which means anyone between the web server (the computer that houses the data of the website you’re trying to access) and your browser can read it.
Because it is plaintext, any computer or hacker that gets between your computer and the server can see all the information being transmitted.
HTTPS = Hyper Text Transfer Protocol Secure
HTTPS stands for Hyper Text Transfer Protocol Secure.
The primary difference is that instead of plaintext, the information transmitted between your computer and the server is hidden behind a secret code that only those computers know.
So even if the snooper tries to spy on what you’re doing, they can’t understand anything.
TL;DR: HTTPS encrypts your data so any snoopers trying to listen to your conversation are unable to do so.
Why are Secure Websites Important?
When you shop online, you might have noticed that the URL always says HTTPS when making the payment (if it doesn’t, make sure you don’t make the payment – it’s not safe!).
This is done to make sure that the financial information you enter is secure and cannot be hacked…
…at least not easily.
This is why it was changed to HTTPS, so the session between your browser and the web server gets encrypted.
In fact, it was cryptographic protocols (sets of rules that make things super secure) such as SSL (Secure Sockets Layer) and TLS (Transport Layer Security) that made HTTP turn into HTTPS.
So basically, HTTPS = HTTP + Encryption protocols.
As you can imagine, encryption makes everything more secure.
Should I Care About Encryption?
Yes.
There are several good reasons you should care. Don’t take my word for it. Consider the following:
- Google Cares: Google, the powerful tech giant, has forced websites to ditch HTTP and go for HTTPS. It’s doing this so netizens can be secure when they visit a website. That’s a pretty good reason to start caring.
- You Want Snoopers? Surveys show that the average internet user thinks it is unacceptable for the government to monitor their communications. If you’d rather not give somebody access to your internet activity, you should use HTTPS.
- Discourage Hackers: Hackers prey on the most vulnerable. You might think you’re looking at a pretty basic website – maybe reading the news or checking recipes – and this is why you don’t need encryption. But no matter what you do, your activities can be monitored and logged by the government, your internet provider or even a hacker.
- Using Public Wi-Fi: And then there are cases when we use public Wi-Fi networks. Whether it’s a coffee shop or the airport, free Wi-Fi networks have a special charm – after all, they’re free! But these networks are public, so it matters whether or not you encrypt your data while you’re connected to them.
If you’re on such an unsecured connection and you’re browsing an unsecured website, it’s possible for a hacker to see everything you do there.
However, if you access a secured website, the information gets encrypted and becomes extremely difficult to hack.
How are Websites Secured? (SSL Certificates)
SSL certificates are digital certificates issued to websites by trusted authorities such as DigiCert. These certificates act as proof that a particular website is secure and uses an SSL protocol.
Every time you open a website, your browser will check if it is secure.
Here’s how all this works on a site like AllThingsSecured:
- Authority: I sell domain certificates
- All Things Secured: Hi, I own allthingssecured.com, and here is the documentary evidence. Can I get an SSL certificate?
- Authority: Sure, here’s a certificate with my personal signature.
A user visits All Things Secured over HTTPS.
- User’s Internet Browser: Hello All Things Secured, I’m loading your page on my browser over HTTPS and my operating system says you’re trusted as you have an SSL certificate. Can I now load your page?
- Server: Hi, I have received your encrypted message and only I can decrypt it using my private keys. I have verified you and now you can load the page.
This communication between you, the user, and the website happens in a split second in the background.
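The exchange above can be modelled in a few lines. This is an added example, not code from the original article or from any certificate authority: it uses a JSON record signed with Ed25519 in place of a real X.509 certificate, has the server prove possession of its private key by signing a challenge rather than by decrypting a message, and the names Example CA, shop.example and bank.example are constructed.

```javascript
// Added example: a simplified model of the dialogue above. Not real X.509 or TLS.
const { generateKeyPairSync, sign, verify, createPublicKey, randomBytes } = require('node:crypto');

const newKeys = () => generateKeyPairSync('ed25519');
const encode = (body) => Buffer.from(JSON.stringify(body));

// Authority: binds a domain to the site's public key and signs that statement.
function issueCertificate(issuer, caPrivateKey, domain, sitePublicKey, notAfter) {
  const publicKey = sitePublicKey.export({ type: 'spki', format: 'pem' });
  const body = { issuer, domain, publicKey, notAfter };
  return { body, signature: sign(null, encode(body), caPrivateKey).toString('base64') };
}

// Browser: looks the issuer up in its trust store, then checks signature,
// hostname and expiry. Returns 'trusted' or the reason for rejection.
function verifyCertificate(cert, hostname, trustStore, now) {
  const caPublicKey = trustStore.get(cert.body.issuer);
  if (!caPublicKey) return 'untrusted issuer';
  const signature = Buffer.from(cert.signature, 'base64');
  if (!verify(null, encode(cert.body), caPublicKey, signature)) return 'bad signature';
  if (cert.body.domain !== hostname) return 'hostname mismatch';
  if (now > new Date(cert.body.notAfter)) return 'expired';
  return 'trusted';
}

// Server: proves it holds the private key behind the certificate by signing
// a challenge chosen by the browser.
const proveKeyPossession = (challenge, sitePrivateKey) => sign(null, challenge, sitePrivateKey);
const checkKeyPossession = (cert, challenge, proof) =>
  verify(null, challenge, createPublicKey(cert.body.publicKey), proof);

// Constructed demo data: "Example CA", shop.example and bank.example are made-up names.
const ca = newKeys(), site = newKeys(), impostor = newKeys();
const trustStore = new Map([['Example CA', ca.publicKey]]);
const cert = issueCertificate('Example CA', ca.privateKey, 'shop.example',
  site.publicKey, '2030-01-01T00:00:00Z');
const now = new Date('2025-01-01T00:00:00Z');
// Someone edits the domain after issuance: the authority's signature no longer matches.
const forged = { ...cert, body: { ...cert.body, domain: 'bank.example' } };
const challenge = randomBytes(32);

console.log(verifyCertificate(cert, 'shop.example', trustStore, now));
console.log(verifyCertificate(forged, 'bank.example', trustStore, now));
console.log(checkKeyPossession(cert, challenge, proveKeyPossession(challenge, impostor.privateKey)));
```

A copied certificate alone is not enough to impersonate the site: the last check fails for anyone who does not hold the matching private key.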
WARNING! Security Isn’t Flaw-Proof
A study by Vishwakarma Institute of Information Technology in India (which, ironically, is hosted on an insecure site!) reveals that web developers don’t have enough knowledge about web security.
This lack of awareness opens up a whole lot of security risks for users.
Since users don’t have a mechanism to enforce security on the websites they visit, they cannot protect themselves from attacks.
In another study that checked 10,000 HTTPS websites, researchers from Ca’ Foscari University in Italy discovered that 5.5% of websites had exploitable TLS weaknesses.
These weaknesses were due to some issues in the implementation of security on the websites.
And the flaws are subtle enough for the browser to display the secure padlock sign. This kind of issue is not common, but it is worth noting that HTTPS doesn’t ensure absolute security.
How You Can Be Secure Online in 2024
Every form of security has weaknesses, but that doesn’t mean you should abandon or ignore it.
Even though HTTPS might not be foolproof, it’s undeniably better than HTTP.
When implemented properly, the security-enhanced protocol adds an extra layer of protection that will help keep your data from being stolen online.
As a website visitor, you cannot do anything to fix the HTTP issue of a website. It has to be fixed by the operator of the website.
What you can do is not visit these websites and go to their substitutes instead.
When a website starts seeing fewer visitors, its operator might be forced to adopt a better protocol.
Final Thoughts on HTTP versus HTTPS
It’s crazy to think that such major institutions as Time magazine (they finally secured their site in 2019!), the University of Oxford (they secured their site in 2020!) and the University of Washington still have insecure websites, but it’s true.
Until everybody finally gets on board (and they will, eventually), the best thing you can do is to avoid websites that are listed as “Not Secure” and only transmit sensitive information on websites that are secured by HTTPS.
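One way to act on that advice, as an added example that is not part of the original article: the function below lists the forms on a page that would send their data over plain HTTP, including a form on an HTTPS page whose target is an HTTP address. The function name auditForms, the result field names and both sample pages are assumptions made for this sketch.

```javascript
// Added example: list the forms on a page that would submit over plain HTTP.
// Regex extraction keeps the sketch dependency-free; a real tool would use an HTML parser.
function auditForms(pageUrl, html) {
  const findings = [];
  for (const form of html.match(/<form\b[^>]*>[\s\S]*?<\/form>/gi) || []) {
    const action = form.match(/^<form\b[^>]*?\baction\s*=\s*["']([^"']*)["']/i);
    // A missing or empty action submits to the page's own URL;
    // a relative action is resolved against the page URL.
    const target = new URL(action && action[1] ? action[1] : pageUrl, pageUrl);
    if (target.protocol !== 'http:') continue; // encrypted target: nothing to report
    findings.push({
      target: target.href,
      // true means the page itself loaded over HTTPS even though the form does not use it
      pageIsHttps: new URL(pageUrl).protocol === 'https:',
      // crude signal that the form carries credentials or payment data
      sensitive: /<input\b[^>]*\btype\s*=\s*["']?(password|email|tel)\b/i.test(form)
        || /\bautocomplete\s*=\s*["']?cc-/i.test(form),
    });
  }
  return findings;
}

// Constructed sample pages (shop.example and news.example are made-up hosts).
const checkoutPage = `
<form action="/search"><input type="text" name="q"></form>
<form method="post" action="http://pay.shop.example/charge">
  <input name="card" autocomplete="cc-number"><input type="password" name="pin">
</form>`;
const newsPage = `<form action="/login"><input type="password" name="pw"></form>`;

console.log(auditForms('https://shop.example/checkout', checkoutPage));
console.log(auditForms('http://news.example/', newsPage));
```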
There are a number of other security measures you can take such as:
- Using a VPN to encrypt all your data;
- Checking the strength of your password to make sure it’s secure.
I’ve listed out 5 important personal security steps you should take here. These small steps, when put together, lead to much higher levels of security while you’re browsing and buying online.