Information Security 8 min read

Understanding HTTP, HTTPS, and How They Prevent Man‑in‑the‑Middle Attacks

The article explains the vulnerabilities of plain HTTP, demonstrates how man‑in‑the‑middle attacks can intercept and modify traffic, and describes the evolution of security mechanisms—including symmetric and asymmetric encryption, TLS handshakes, and certificate authority verification—that together make HTTPS a robust solution for protecting web communications.

Python Programming Learning Circle

When browsing, always verify that the site uses HTTPS because HTTP traffic can be intercepted and altered by a man‑in‑the‑middle (MITM) attacker.

1. HTTP protocol – HTTP is a text‑based application‑layer protocol. A typical request looks like:

POST http://www.baidu.com HTTP/1.1
Host: www.baidu.com
Connection: keep-alive
Content-Length: 7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

wd=HTTP

The corresponding response is:

HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Encoding: gzip
Content-Type: text/html;charset=utf-8
Date: Thu, 14 Feb 2019 07:23:49 GMT
Transfer-Encoding: chunked

<html>...</html>

Because the payload is transmitted in clear text, an attacker can read and modify both request and response, as illustrated by a simple example where a forum post is changed from “I love Java” to “I love PHP”.

2. Preventing MITM attacks – One naïve solution is to encrypt the payload with a symmetric algorithm such as AES, but the key exchange itself remains exposed, allowing the attacker to capture the AES key during the first handshake.

To protect the key, asymmetric encryption (RSA) is introduced: the server generates a public‑private key pair, sends the public key to the client, the client creates a random AES key, encrypts it with the server’s public key, and sends the ciphertext back. The server decrypts it with its private key and both sides then use the shared AES key for symmetric encryption.

However, a more sophisticated MITM can act as a proxy, presenting its own public key (or certificate) to the client in place of the server’s. The client then encrypts its freshly generated AES key for the attacker rather than for the real server, so the attacker recovers the key and regains the ability to decrypt the traffic.

3. HTTPS (SSL/TLS) – HTTPS is essentially HTTP over SSL/TLS. The TLS handshake performs the same public‑key exchange, authenticates the server’s certificate, and establishes a symmetric session key for the rest of the communication.

The server’s certificate is issued by a trusted Certificate Authority (CA). Browsers contain a set of root CA certificates; during verification they build a chain from the server’s certificate up to a trusted root, checking signatures at each level.

Verification works by decrypting the certificate’s signature with the issuer’s public key and comparing the result with a hash of the certificate computed locally; a match confirms that the certificate was signed by that issuer and has not been tampered with.
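The chain walk and per-level signature check described above, as an added illustration that is not code from the original article: certificates are plain dicts, the "signature" is textbook RSA over a SHA-256 hash with small fixed primes (constructed for readability only, not a real signature scheme), and the names, keys and trust store are all made up. A genuine server certificate verifies back to the toy root, while an attacker's self-signed certificate for the same hostname has no path to any trusted root and is rejected.

```python
import hashlib
import json
E = 17  # toy textbook RSA with small fixed primes, constructed for illustration only

def toy_keypair(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))            # (public, private)

def tbs_hash(cert, n):
    # Hash the "to-be-signed" fields, i.e. everything except the signature itself.
    tbs = json.dumps({k: v for k, v in cert.items() if k != "sig"}, sort_keys=True)
    return int.from_bytes(hashlib.sha256(tbs.encode()).digest(), "big") % n

def issue(subject, pub, issuer, issuer_priv):
    cert = {"subject": subject, "issuer": issuer, "pub": list(pub)}
    n, d = issuer_priv
    cert["sig"] = pow(tbs_hash(cert, n), d, n)     # sign: "encrypt" the hash with the private key
    return cert

def sig_ok(cert, issuer_pub):
    # Verify: "decrypt" the signature with the issuer's public key and compare to our own hash.
    n, e = issuer_pub
    return pow(cert["sig"], e, n) == tbs_hash(cert, n)

def verify_chain(leaf, intermediates, trusted_roots):
    """Walk from the leaf up to a trusted root, checking the signature at every level."""
    by_subject = {c["subject"]: c for c in intermediates}
    cert, seen = leaf, set()
    while cert["subject"] not in seen:             # guard against issuer loops
        seen.add(cert["subject"])
        issuer = cert["issuer"]
        if issuer in trusted_roots:                # reached a root in the trust store
            return sig_ok(cert, trusted_roots[issuer]["pub"])
        parent = by_subject.get(issuer)
        if parent is None or not sig_ok(cert, parent["pub"]):
            return False                           # unknown issuer or bad signature
        cert = parent
    return False

# Constructed toy PKI: root -> intermediate -> server, plus an attacker's self-signed cert.
root_pub, root_priv = toy_keypair(1009, 1013)
ica_pub, ica_priv = toy_keypair(1019, 1031)
srv_pub, _ = toy_keypair(1033, 1039)
mitm_pub, mitm_priv = toy_keypair(1049, 1051)
ROOT = issue("Toy Root CA", root_pub, "Toy Root CA", root_priv)          # self-signed anchor
ICA = issue("Toy Intermediate CA", ica_pub, "Toy Root CA", root_priv)
SERVER = issue("www.example.test", srv_pub, "Toy Intermediate CA", ica_priv)
FORGED = issue("www.example.test", mitm_pub, "Evil CA", mitm_priv)       # no path to ROOT
TRUSTED = {ROOT["subject"]: ROOT}
```

Calling `verify_chain(SERVER, [ICA], TRUSTED)` returns True, while the forged certificate, a certificate whose public key was altered after signing, or a chain with its intermediate missing all return False.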

Through this PKI‑based trust model, HTTPS prevents MITM attackers from injecting forged certificates or stealing the session key, thereby securing the communication.

Conclusion – By first exposing the weaknesses of plain HTTP and then describing the evolution of security mechanisms up to HTTPS, the article provides a comprehensive understanding of why HTTPS is essential for safe web traffic.

Tags: HTTP, Encryption, TLS, HTTPS, SSL, Certificate Authority, Man-in-the-Middle
Written by

Python Programming Learning Circle

A global community of Chinese Python developers offering technical articles, columns, original video tutorials, and problem sets. Topics include web full‑stack development, web scraping, data analysis, natural language processing, image processing, machine learning, automated testing, DevOps automation, and big data.
