
HTTP vs HTTPS: Similarities and Differences

What is HTTPS?
HTTPS (Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol
developed by Netscape.
One can say: HTTPS = HTTP + SSL
HTTPS uses Secure Sockets Layer (SSL) as a sublayer under its regular HTTP application layering.

Here are some major differences between HTTP and HTTPS:

HTTP                                 HTTPS
URL begins with http://              URL begins with https://
It uses port 80 for communication    It uses port 443 for communication
Unsecured                            Secured
Operates at Application Layer        Operates at Transport Layer
No encryption                        Encryption is present
No certificates required             Certificates required

Need of HTTPS:
Hypertext Transfer Protocol (HTTP) is a protocol for transmitting and receiving information across the
Internet. HTTP serves as a request and response procedure that all agents on the Internet follow so that
information can be rapidly, easily, and accurately disseminated between servers, which hold information,
and clients, who are trying to access it. You normally use HTTP when you are browsing the web. It is not
secure, so someone can eavesdrop on the conversation between your computer and the web server. In
many cases, clients may be exchanging confidential information with a server, which needs to be secured
in order to prevent unauthorized access. For this reason, https, or secure http, was developed by
Netscape corporation to allow authorization and secured transactions.
Similarity between HTTP and HTTPS:
In many ways, https is identical to http, because it follows the same basic protocols. The http or https
client, such as a Web browser, establishes a connection to a server on a standard port. When a server
receives a request, it returns a status and a message, which may contain the requested information or
indicate an error if part of the process malfunctioned. Both systems use the same Uniform Resource
Identifier (URI) scheme, so that resources can be universally identified. Use of https in a URI scheme
rather than http indicates that an encrypted connection is desired.
Difference between HTTP and HTTPS:
1. The URL begins with http:// in case of HTTP while the URL begins with https:// in case of HTTPS.
2. HTTP is unsecured while HTTPS is secured.
3. HTTP uses port 80 for communication while HTTPS uses port 443 for communication.
4. HTTP operates at Application Layer while HTTPS operates at Transport Layer.
5. There is no encryption in HTTP while HTTPS uses encryption.
6. No certificates are required in HTTP while certificates are required in HTTPS.
How does HTTPS work?
For an HTTPS connection, a public key and a signed certificate are required for the server.

When using an https connection, the server responds to the initial connection by offering a list of
encryption methods it supports. In response, the client selects a connection method, and the
client and server exchange certificates to authenticate their identities. After this is done, both parties
exchange the encrypted information after ensuring that both are using the same key, and the connection
is closed. In order to host https connections, a server must have a public key certificate, which embeds
key information with a verification of the key owner's identity. Most certificates are verified by a third party
so that clients are assured that the key is secured.
In other words, we can say that HTTPS works similarly to HTTP, but SSL adds some spice to it.
HTTP includes the following actions:
1. The browser opens a TCP connection.
2. The browser sends an HTTP request to the server.
3. The server sends an HTTP response to the browser.
4. The TCP connection is closed.
SSL will include the following actions:
1. Authenticate the server to the client.
2. Allow the client and server to select the cryptographic algorithms, or ciphers, that they both support.
3. Optionally authenticate the client to the server.
4. Use public-key encryption techniques to generate shared secrets.
5. Establish an encrypted SSL connection.
6. Once the SSL connection is established the usual transfer of HTTP requests will continue.
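
To make the cipher-selection and server-authentication steps above concrete, the following added example (not part of the original page) starts a handshake in memory with Python's standard ssl module and decodes the client's first handshake message, which carries the cipher suites the client supports. The hostname example.com is a placeholder and no network connection is made.

```python
import ssl
import struct

def client_hello_offer(hostname):
    """Begin a TLS handshake in memory and decode the client's first message."""
    ctx = ssl.create_default_context()   # default policy: verify chain and hostname
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                             # expected: no server has replied yet
    data = outgoing.read()               # raw bytes the client would send

    # TLS record header: content type (1), version (2), length (2)
    record_type, _version, _length = struct.unpack("!BHH", data[:5])
    handshake_type = data[5]             # 1 = ClientHello
    pos = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, version, random
    pos += 1 + data[pos]                 # skip the session id
    (suites_len,) = struct.unpack("!H", data[pos:pos + 2])
    pos += 2
    ids = struct.unpack("!%dH" % (suites_len // 2), data[pos:pos + suites_len])

    # Map wire identifiers to the names known to the local TLS library.
    names = {c["id"] & 0xFFFF: c["name"] for c in ctx.get_ciphers()}
    return {
        "record_type": record_type,
        "handshake_type": handshake_type,
        "cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": ctx.check_hostname,
        "suites": [names.get(i, "0x%04x" % i) for i in ids],
    }

if __name__ == "__main__":
    offer = client_hello_offer("example.com")   # placeholder hostname
    print("certificate required:", offer["cert_required"])
    print("hostname checked:", offer["hostname_checked"])
    for name in offer["suites"]:
        print("offered:", name)
```

The suite list printed depends on the local OpenSSL build; the two policy flags show that the default client context refuses a server whose certificate does not verify.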
Where should https be used?
HTTPS should be used in Banking Websites, Payment Gateway, Shopping Websites, Login Pages,
Emails (Gmail offers HTTPS by default in Chrome browser) and Corporate Sector Websites. For
example:

Beware of using Credit Card Numbers on Internet: If a website ever asks you to enter your credit card
information, you should automatically look to see if the web address begins with https://. If it doesn't,
there's no way you're going to enter sensitive information like a credit card number!
Browser integration
Most browsers display a warning if they receive an invalid certificate. Older browsers, when connecting to
a site with an invalid certificate, would present the user with a dialog box asking if they wanted to
continue. Newer browsers display a warning across the entire window. Newer browsers also prominently
display the site's security information in the address bar. Extended validation certificates turn the address
bar green in newer browsers. Most browsers also display a warning to the user when visiting a site that
contains a mixture of encrypted and unencrypted content.