What Is The Difference Between HTTP And HTTPS
With Google recently announcing that their Internet browser, Chrome, will be showing a ‘not secure’ warning for websites using HTTP from October 2017, I thought it was only fitting to answer the question what is the difference between HTTP and HTTPS and why is it important.
HTTP Warning In Google Chrome
Google has announced new efforts to encourage website owners to move their sites to HTTPS through the use of their Chrome web browser. The browser will start showing a warning message on pages that have search boxes or forms to fill out on sites that use HTTP instead of the more secure HTTPS.
Google said, “in October 2017, Chrome will show the ‘Not secure’ warning in two additional situations: when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.”
So, if your website is using HTTP, now is the time to start thinking about upgrading to HTTPS.
What Is HTTP?
HTTP stands for Hypertext Transfer Protocol. When you enter HTTP:// in your Internet browsers address bar, in front of the domain, it tells the browser to connect over HTTP.
HTTP uses TCP (Transmission Control Protocol) to send and receive data over the web. In short, it is a protocol that is used by a user and server that allows you to communicate with websites.
As the user, when you type a website address into your browser, your machine or device sends a request message to the HTTP server that hosts the website.
The server then replies with a response message containing status information of that site. For example, the status code ‘HTTP/1.1 200 OK’ tells the browser that the website is accessible without issues and allows the browser to display it.
Other status codes that a server may send back include ‘404 Not Found’ when either the content of that page does not exist or has been moved to another page.
‘502 Bad Gateway’ is another status code whereby the domain name is not resolving to the correct IP address, or not resolving to any IP address.
These status codes are handy, as they tell us what problems are occurring, so we can troubleshoot them correctly.
What Is HTTPS?
HTTPS stands for Hypertext Transfer Protocol Secure (and is sometimes known as HTTP over TLS or HTTP over SSL). When you enter HTTPS:// in your Internet browsers address bar, in front of the domain, it tells the browser to connect over HTTPS.
Websites that use HTTPS should have a redirect in place, so if you type in HTTP:// before the domain, it will redirect to the secured HTTPS version.
Like HTTP, HTTPS also uses TCP (Transmission Control Protocol) to send and receive data over the web, but it does so over a different port with a connection that is encrypted by Transport Layer Security (TLS).
HTTPS transmits the data securely by using an encrypted connection. This is achieved by using a public key that is then decrypted on the recipient side. This public key is deployed on the server, and included within an SSL certificate.
These SSL certificates are cryptographically signed by a Certificate Authority (CA) and each Internet browser has a list of CAs it trusts. Any certificate that is signed by a CA from this trusted list is given a green padlock icon in the browser’s address bar, showing that it is trusted and belongs to that domain.
The process of getting an SSL certificate is relatively simple and is now free, thanks to companies like Let’s Encrypt.
What Is The Difference Between HTTP And HTTPS?
Now we have run through the definition of HTTP and HTTPS, you may still be wondering what is the difference between HTTP and HTTPS? Below lists the main differences in summary:
- Your Internet browsers address bar will display either HTTP or HTTPS, depending upon the connection method that site uses.
- HTTP uses an insecure connection, whereas HTTPS is secured.
- HTTP does not require an SSL certificate whereas HTTPS does.
- HTTP does not require validation of the domain, whereas HTTPS does.
- The data sent by a website over HTTP is not encrypted, whereas websites that use HTTPS encrypt the data before sending.
When Should I use HTTPS?
In the past, it was only advised that you use HTTPS when your website processed sensitive information. This included e-commerce websites that took credit or debit card information through an online checkout.
As a user, we should always look for the little padlock icon, or the HTTPS part of the domain in the browser address bar, before entering any payment details. This ensures our information is safe using the latest encryption techniques.
The need for HTTPS has become greater since 2016 when Google announced that they would start using it as a ranking factor. This meant that those sites that use HTTPS might rank higher than their HTTP equivalents.
However, experiments proved that the amount of work involved when moving a website from HTTP to HTTPS, compared to the small ranking boost that could be achieved by doing so, may not have been worth it.
Therefore, many website owners have refused to move, but that is about to change since the recent update about the Chrome warning.
Google is serious about making the entire web a more secure place and this recent update is a major push to making this a reality. Chrome is the most popular web browser and no one wants security warnings popping up on their website, so ignoring this change is no longer an option.
Now you understand the difference between HTTP and HTTPS, head over to my follow up post WordPress HTTPS Redirect Guide to switch your website in less than 30 minutes! In the meantime, please do post your questions or any thoughts in the comments box below.