The difference between HTTP and HTTPS

Source: Internet
Author: User
Tags: ssl certificate, ssl connection

What is HTTPS?

HTTPS (Hypertext Transfer Protocol based on Secure Sockets Layer, or HTTP over SSL) is a web protocol developed by Netscape. You can also say that HTTPS = HTTP + SSL. HTTPS uses the Secure Sockets Layer as a sublayer beneath the HTTP application layer.

Why do I need HTTPS?

Hypertext Transfer Protocol (HTTP) is a protocol used to transmit and receive information over the Internet. HTTP uses a request/response process, so information can be transmitted quickly, easily, and precisely between client and server. When you visit a web page you are using the HTTP protocol, but HTTP is not secure: the data transmitted between you and the web server can easily be eavesdropped on. In many cases, sensitive information is transmitted between the client and the server and needs to be protected from unauthorized access. To meet this requirement, Netscape introduced HTTPS, the HTTP protocol based on Secure Sockets Layer.

What HTTP and HTTPS have in common

In most cases, HTTP and HTTPS are the same, because both use the same underlying protocol: the HTTP or HTTPS client (the browser) establishes a connection to the specified port on the web server. When the server receives the request, it returns a status code along with a message, which may be the requested information or an error message indicating that an error occurred. The system uses the Uniform Resource Identifier (URI) scheme, so resources can be uniquely specified. The only difference between HTTPS and HTTP is the protocol header (https); everything else is the same.

The difference between HTTP and HTTPS
    1. The URL of HTTP starts with http://, and the URL of HTTPS starts with https://
    2. HTTP is not secure, and HTTPS is secure
    3. The HTTP standard port is 80, while the standard port for HTTPS is 443
    4. In the OSI network model, HTTP works in the application layer, while HTTPS works on the transport layer
    5. HTTP does not require encryption, and HTTPS encrypts transmitted data
    6. HTTP does not require a certificate, and HTTPS requires an authentication certificate
How does HTTPS work?

When using HTTPS connections, the server requires a public key and a signed certificate. The server responds to the initial connection and provides the encryption methods it supports. In response, the client chooses a connection method, and the client and server exchange certificates to authenticate each other. Once that is done, the encrypted information is transferred, making sure that the same key is used, and then the connection is closed. To support HTTPS connections, the server must have a public key certificate containing key information certified by a certificate authority; most certificates are issued by a third-party authority to ensure that the certificate is secure. In other words, HTTPS is the same as HTTP, with SSL added.

HTTP contains the following actions:
    1. Browser opens a TCP connection
    2. The browser sends an HTTP request to the server side
    3. The server sends HTTP response information to the browser
    4. TCP Connection shutdown
SSL includes the following actions:
    1. Verify the server
    2. Allow the client and server to select encryption algorithms and ciphers that both sides support
    3. Verify the client (optional)
    4. Use public key cryptography to generate shared encrypted data
    5. Create an encrypted SSL connection
    6. Pass HTTP requests over this SSL connection
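
The negotiation step in the list above, as an added example (not from the original article): Python's standard ssl module starts a handshake in memory, and the first message a client sends, the ClientHello, is parsed to show the cipher suites it offers and the server name it asks for. The hostname example.test is a placeholder; no network connection is made.

```python
import ssl
import struct

def capture_client_hello(hostname):
    """Start a TLS handshake in memory; return the bytes the client would send first."""
    ctx = ssl.create_default_context()   # requires a valid certificate and matching hostname
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                             # the client is now waiting for the server's reply
    return outgoing.read()

def parse_client_hello(record):
    """Parse one TLS record carrying a ClientHello; return the negotiation fields."""
    rec_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    hs_type = body[0]
    pos = 4 + 2 + 32                     # handshake header, legacy version, client random
    pos += 1 + body[pos]                 # session id (length-prefixed)
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                 # compression methods (length-prefixed)
    (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end, server_name = pos + ext_total, None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        ext = body[pos + 4:pos + 4 + ext_len]
        if ext_type == 0:                # server_name extension (SNI)
            (name_len,) = struct.unpack("!H", ext[3:5])
            server_name = ext[5:5 + name_len].decode("ascii")
        pos += 4 + ext_len
    return {"record_type": rec_type, "handshake_type": hs_type,
            "cipher_suites": suites, "server_name": server_name}

if __name__ == "__main__":
    hello = parse_client_hello(capture_client_hello("example.test"))
    print("record type:", hello["record_type"], "handshake type:", hello["handshake_type"])
    print("server name requested:", hello["server_name"])
    print("cipher suites offered:", [hex(s) for s in hello["cipher_suites"]])
```

The server picks one of the offered suites in its reply; the exact list printed depends on the OpenSSL build behind the local Python.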
When should I use HTTPS?

Bank websites, payment gateways, shopping sites, landing pages, e-mails, and some enterprise department sites should use HTTPS, for example:
    • PayPal: https://www.paypal.com
    • Google AdSense: https://www.google.com/adsense/
If a website asks you to fill out credit card information, first check whether the page uses an HTTPS encrypted connection; if it does not, do not enter any sensitive information such as a credit card number.

Browser integration

Most browsers display a warning message when they receive an invalid certificate, while some older browsers pop up a dialog box that lets the user choose whether to continue browsing. Newer browsers typically display a warning banner across the whole window and show the site's security information in the address bar. If your site contains a mix of encrypted and unencrypted content, most browsers will display a warning message.

The advantages of HTTPS

Although HTTPS is not completely secure (organizations that control a root certificate or the encryption algorithm can still carry out a man-in-the-middle attack), it is still the most secure solution under the current architecture. It has the following main advantages:
    1. The HTTPS protocol authenticates users and servers, ensuring that data is sent to the correct client and server.
    2. HTTPS is a network protocol built from SSL + HTTP that provides encrypted transmission and authentication. It is more secure than HTTP: it prevents data from being stolen or altered in transit and ensures the integrity of the data.
    3. HTTPS is the safest solution under the current architecture; although it is not completely secure, it dramatically increases the cost of a man-in-the-middle attack.
    4. Google adjusted its search engine algorithm in August 2014, saying that "sites with HTTPS encryption will be ranked higher in search results than equivalent HTTP sites."
The disadvantages of HTTPS

Although HTTPS has great advantages, it also has shortcomings:
    1. The HTTPS handshake phase is time-consuming; it extends page load times by nearly 50% and increases power consumption by 10% to 20%.
    2. Caching over HTTPS connections is less efficient than over HTTP, which increases data overhead and power consumption, and even existing security measures are affected.
    3. SSL certificates cost money; the more powerful the certificate, the higher the cost. Personal sites and small sites generally do not use them unless necessary.
    4. SSL certificates usually have to be bound to an IP address, and multiple domain names cannot be bound to the same IP; IPv4 resources cannot support this consumption.
    5. The scope of what HTTPS encryption protects is also relatively limited; it plays almost no role against hacker attacks, denial-of-service attacks, server hijacking and the like. Most critically, the chain-of-trust system behind SSL certificates is not secure; in particular, where some countries can control a CA root certificate, a man-in-the-middle attack is just as feasible.

Switching from HTTP to HTTPS

What if you need to switch a website from HTTP to HTTPS? All links in the page, such as JS, CSS, images, etc., need to be changed from HTTP to HTTPS. Example: http://www.baidu.com to https://www.baidu.com

BTW, even after switching to HTTPS, it is still recommended that HTTP be retained. So we can make the page compatible with both HTTP and HTTPS when switching. The way to do this is to remove the protocol prefix from the links in the page, so that they automatically match whichever of HTTP or HTTPS the page was loaded over. For example: change http://www.baidu.com to //www.baidu.com. Then when the user reaches the page through the HTTP entry point, the page is loaded over HTTP, and if the user reaches it through the HTTPS entry point, the page is loaded over HTTPS.
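
A check for the mixed-content warning and the link switch described above, as an added example (not from the original article): the auditor below lists the subresources an HTTPS page would still fetch over plain HTTP and shows that a //host/path link follows the scheme of the page. The sample HTML and the example.test hostnames are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that make the browser fetch a subresource.
# <a href> is navigation, not a subresource, so it is deliberately absent.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentAuditor(HTMLParser):
    """Collect subresources an HTTPS page would load over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # e.g. rel="canonical" does not load anything
        for name, value in attrs.items():
            if not value or (tag, name) not in ACTIVE | PASSIVE:
                continue
            # urljoin resolves "//host/path" against the scheme of the page itself
            resolved = urljoin(self.page_url, value)
            if (urlsplit(self.page_url).scheme == "https"
                    and urlsplit(resolved).scheme == "http"):
                kind = "active" if (tag, name) in ACTIVE else "passive"
                self.findings.append((kind, tag, resolved))

def audit(html, page_url):
    parser = MixedContentAuditor(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; the example.test hostnames are placeholders.
SAMPLE = """
<link rel="stylesheet" href="http://static.example.test/site.css">
<script src="//static.example.test/app.js"></script>
<img src="http://static.example.test/logo.png">
<img src="/local.png">
<a href="http://www.example.test/about">About</a>
"""

if __name__ == "__main__":
    for base in ("https://www.example.test/", "http://www.example.test/"):
        print(base, audit(SAMPLE, base))
```

Run against the HTTPS entry point, only the two hard-coded http:// subresources are reported; the // link and the relative path are not.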
