The difference between HTTPS and HTTP

Source: Internet
Author: User
Tags ssl connection

What is HTTPS?

HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer, or HTTP over SSL) is a web protocol developed by Netscape.

You can also say: HTTPS = HTTP + SSL

HTTPS uses the Secure Sockets Layer as a sub-layer of the HTTP application layer.

Why do I need HTTPS?

Hypertext Transfer Protocol (HTTP) is a protocol used to transmit and receive information over the Internet. HTTP uses a request/response process, so information can be exchanged with the server quickly, easily, and precisely. When you visit a web page you are using the HTTP protocol, but HTTP is not secure: the data transmitted between you and the web server can easily be eavesdropped on. In many cases, sensitive information is transmitted between the client and the server and needs to be protected from unauthorized access. To meet this requirement, Netscape introduced HTTPS, the HTTP protocol based on Secure Sockets Layer.

What HTTP and HTTPS have in common

In most cases, HTTP and HTTPS behave the same because both are based on the same underlying protocol: the HTTP or HTTPS client (the browser) establishes a connection to the specified port on the web server. When the server receives the request, it returns a status code along with a message, which may be the requested information or an error message indicating that an error occurred. The system uses the Uniform Resource Identifier (URI) scheme, so resources can be uniquely specified. The only difference between HTTPS and HTTP is the protocol header (https); everything else is the same.

The difference between HTTP and HTTPS

    1. The URL of HTTP starts with http://, and the URL of HTTPS starts with https://
    2. HTTP is not secure, and HTTPS is secure
    3. The HTTP standard port is 80, while the standard port for HTTPS is 443
    4. In the OSI network model, HTTP works in the application layer, while HTTPS works on the transport layer
    5. HTTP does not require encryption, and HTTPS encrypts transmitted data
    6. HTTP does not require a certificate, and HTTPS requires an authentication certificate

How does HTTPS work?

When using HTTPS connections, the server requires a public key and a signed certificate.

When using an HTTPS connection, the server responds to the initial connection and provides the encryption methods it supports. In response, the client chooses a connection method, and the client and server exchange certificates to authenticate each other. Once that is done, the encrypted information is transferred, with both sides making sure that the same key is used, and then the connection is closed. In order to support HTTPS connections, the server must have a public key certificate that contains key information certified by a certificate authority; most certificates are authorized by a third-party authority to ensure that the certificate is secure.

In other words, HTTPS is the same as HTTP, with SSL added.

HTTP contains the following actions:

    1. Browser opens a TCP connection
    2. The browser sends an HTTP request to the server side
    3. The server sends HTTP response information to the browser
    4. The TCP connection is closed

SSL includes the following actions:

    1. Verify the server
    2. Allow the client and server to select encryption algorithms and ciphers that both sides support
    3. Verify the client (optional)
    4. Use public key cryptography to generate shared secrets
    5. Establish an encrypted SSL connection
    6. Pass HTTP requests over this SSL connection
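
The two lists above, mapped onto a client written with Python's standard ssl module. This is an added example, not code from the original page; the function names are illustrative, and the host to contact is whatever the user passes on the command line.

```python
import socket
import ssl
import sys


def make_client_context():
    """Client settings that enforce SSL steps 1 and 2 from the list above."""
    ctx = ssl.create_default_context()            # trust the system CA store
    ctx.check_hostname = True                     # step 1: certificate must name this host
    ctx.verify_mode = ssl.CERT_REQUIRED           # step 1: certificate must chain to a trusted CA
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # step 2: never negotiate SSLv3 / TLS 1.0 / 1.1
    # Step 3 (optional client verification) would be ctx.load_cert_chain(cert, key).
    return ctx


def build_request(host, path="/"):
    """The HTTP request itself: the same bytes with or without SSL underneath."""
    if any(c in host + path for c in "\r\n "):
        raise ValueError("host and path must not contain spaces or line breaks")
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")


def fetch_status_line(host, port=443, timeout=10):
    """Run the whole sequence against a host; return (status line, session facts)."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as tcp:  # open TCP
        # The handshake runs inside wrap_socket: steps 1, 2, 4 and 5.
        # An untrusted or mismatched certificate raises ssl.SSLCertVerificationError.
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            facts = {"protocol": tls.version(), "cipher": tls.cipher()[0]}
            tls.sendall(build_request(host))                      # step 6
            status = tls.recv(4096).split(b"\r\n", 1)[0].decode("latin-1")
    return status, facts


if __name__ == "__main__":
    if len(sys.argv) > 1:          # host supplied by the user: do a real request
        print(fetch_status_line(sys.argv[1]))
    else:                          # no network needed: show the enforced settings
        ctx = make_client_context()
        print(ctx.check_hostname, ctx.verify_mode, ctx.minimum_version)
```

Leaving certificate verification and the host name check switched on is what makes step 1 meaningful; with either one disabled the traffic is still encrypted, but the client no longer knows who it is encrypted to.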

When should I use HTTPS?

Bank websites, payment gateways, shopping sites, landing pages, e-mail, and some enterprise department sites should use HTTPS, for example:

    • PayPal: https://www.paypal.com
    • Google AdSense: https://www.google.com/adsense/

If a website asks you to fill in credit card information, first check whether the web page uses an HTTPS encrypted connection. If it does not, do not enter any sensitive information such as a credit card number.

Browser integration

Most browsers display a warning message when they receive an invalid certificate, and some older browsers pop up a dialog box to let the user choose whether to continue browsing. Newer browsers typically display a warning banner across the whole window, while also showing security information for the site in the address bar. If your site mixes encrypted and non-encrypted content, most browsers will display a warning message.

=======================================================

Prefixing a URL with https:// indicates that the connection is encrypted with SSL, so the transmission of information between your computer and the server is more secure. A web server enables SSL by obtaining a server certificate and binding the certificate to the server that uses SSL. HTTP and HTTPS use completely different connection methods and different ports: the former uses 80, the latter 443.

The HTTPS protocol is a network protocol built from the SSL and HTTP protocols that provides encrypted transmission and identity authentication, and it is more secure than the HTTP protocol.

HTTPS (Secure Hypertext Transfer Protocol)
It is a secure communication channel that was developed on the basis of HTTP and is used to exchange information between client computers and servers. It uses Secure Sockets Layer (SSL) for information exchange; put simply, it is a secure version of HTTP.
It was developed by Netscape and built into its browser to compress and decompress data and return the results that are sent back over the network. HTTPS actually applies Netscape's Secure Sockets Layer (SSL) as a sub-layer of the HTTP application layer. (HTTPS uses port 443 rather than port 80, which HTTP uses, to communicate over TCP/IP.) SSL uses a 40-bit key with the RC4 stream encryption algorithm, which is appropriate for the encryption of business information. HTTPS and SSL support the use of digital certificates, and if necessary, the user can confirm who the sender is.

The difference between HTTPS and HTTP:

    • The HTTPS protocol requires applying to a CA for a certificate; free certificates are rare, so a fee is generally required.
    • HTTP is the Hypertext Transfer Protocol and transmits information in plaintext; HTTPS is a secure transport protocol encrypted with SSL.
    • HTTP and HTTPS use completely different connection methods and different ports: the former uses 80, the latter 443.
    • The HTTP connection is simple and stateless.
    • The HTTPS protocol is a network protocol built from the SSL and HTTP protocols that provides encrypted transmission and authentication, and it is more secure than the HTTP protocol.

Problems that HTTPS solves:

1. The problem of trusting the host. A server that uses HTTPS must request from a CA a certificate that certifies the server's purpose. The client trusts the host only when the certificate is used for the corresponding server. So at present, the key parts of all banking websites use HTTPS. The client trusts the host by trusting the certificate. In fact, this is inefficient, but banks are more focused on security. This matters little to us: whether our server's certificate is self-issued or issued by a public authority, the clients are our own, so they will certainly trust the server.
2. Disclosure of and tampering with data in the course of communication.
    1. In general, HTTPS means that the server has a certificate.
        a) The main purpose is to ensure that the server is the server it claims to be. This is the same as point 1.
        b) All communication between the server and the client is encrypted.
            i. Specifically, the client generates a symmetric key, which is exchanged using the server's certificate. This is the handshake process in the general sense.
            ii. All information exchanged after that is encrypted. Even if a third party intercepts it, it is meaningless to them because they do not have the key. For the same reason, there is no point in tampering with it.
    2. In a small number of cases, the client is also required to have a certificate.
        a) The client certificate is similar to personal identity information: in addition to the user name and password, there is an identity authenticated by a CA. It is generally a personal certificate that others cannot imitate, so it can further confirm the user's identity.
        b) Currently a small number of "professional edition" personal online banking services do this; the certificate itself may be carried on a USB flash drive.

HTTPS is inevitably more cumbersome.

    a) HTTP on its own is simple: one GET, one response. HTTPS additionally has to exchange the key and agree on the encryption algorithm, so a single handshake requires 6/7 round trips.
        i. In any application, excessive round trips will definitely affect performance.
    b) Then, within the HTTP exchange itself, every request and response requires the client and the server to encrypt and decrypt the contents of the session.
        i. Although symmetric encryption and decryption are efficient, they still consume a lot of CPU, which is why dedicated SSL chips exist. If CPU performance is low, throughput will certainly degrade and fewer requests can be served.
        ii. There is also the impact of the amount of data after encryption. That is why so many security certification prompts appear.
