Information Security

Understanding HTTP, HTTPS, and How They Prevent Man‑in‑the‑Middle Attacks

This article explains the fundamentals of the HTTP protocol, demonstrates how its plaintext transmission enables man‑in‑the‑middle attacks, and then details how HTTPS (TLS/SSL) with certificate authority verification and asymmetric key exchange secures web communication against such threats.

Top Architect

1. HTTP Protocol

HTTP is an application‑layer request/response protocol defined by IETF RFCs (the current core specifications are RFC 9110 for HTTP semantics and RFC 9112 for HTTP/1.1). An HTTP/1.1 message is plain text: a start line, header lines, a blank line, and an optional body; the client sends a request and the server answers with a response.

Example request:

POST / HTTP/1.1
Host: www.baidu.com
Connection: keep-alive
Content-Length: 7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

(blank line, then the 7‑byte request body)

Example response:

HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Encoding: gzip
Content-Type: text/html;charset=utf-8
Date: Thu, 14 Feb 2019 07:23:49 GMT
Transfer-Encoding: chunked
...

1.2 HTTP Man‑in‑the‑Middle Attack

Because HTTP/1.1 transmits every request and response in clear text with no integrity check, anyone on the path (a rogue Wi‑Fi access point, a compromised router, a malicious proxy) can read the traffic and rewrite it before forwarding it, and neither endpoint can tell. The scenario in the article: a user posts the message "I love JAVA" and the attacker changes it in transit to "I love PHP".
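As an added example (not from the original article), here is what that rewrite looks like in code: a minimal HTTP/1.1 message parser that replaces text in a captured request body and patches Content-Length so the tampered message still parses at the server. The captured request below is constructed for this example, and the parser handles only Content-Length framed bodies, not chunked ones.

```python
"""Added example: rewriting a plaintext HTTP request in transit."""


def parse_http_message(raw: bytes):
    """Split a raw HTTP/1.1 message into (start_line, headers, body).

    headers is a list of (name, value) byte pairs kept in original order so the
    message can be re-serialised unchanged apart from the edit we make.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def tamper(raw: bytes, old: bytes, new: bytes) -> bytes:
    """Replace `old` with `new` in the body and patch Content-Length to match.

    Only the declared body is rewritten; any bytes beyond Content-Length belong
    to the next pipelined message and are forwarded untouched.
    """
    start_line, headers, body = parse_http_message(raw)
    declared = next((int(v) for n, v in headers if n.lower() == b"content-length"), None)
    if declared is None:
        raise ValueError("only Content-Length framed bodies are handled here")
    body, rest = body[:declared], body[declared:]
    body = body.replace(old, new)
    headers = [
        (n, str(len(body)).encode() if n.lower() == b"content-length" else v)
        for n, v in headers
    ]
    head = b"\r\n".join([start_line] + [n + b": " + v for n, v in headers])
    return head + b"\r\n\r\n" + body + rest


# Constructed sample: what a sniffer on the path would see the browser send.
CAPTURED_REQUEST = (
    b"POST /post HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"I love JAVA"
)

if __name__ == "__main__":
    print(tamper(CAPTURED_REQUEST, b"JAVA", b"PHP").decode())
```

Run on a live connection, this is all a transparent proxy between the two sockets needs; nothing in the HTTP message lets the server notice that the body or the Content-Length changed, which is precisely the gap TLS's integrity protection closes.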

1.3 Preventing MITM with Encryption

Encrypting the payload with a symmetric algorithm such as AES hides the content, but the client and server first have to agree on the AES key, and a key sent over the same plaintext channel is readable by the attacker. Using RSA for the key exchange lets the client generate the AES key, encrypt it with the server's public key and send only the ciphertext; only the holder of the matching private key can recover it. This works, however, only if the client really holds the server's genuine public key. An attacker on the path can hand the client their own public key instead, decrypt the AES key the client sends, re‑encrypt it to the real server and then read and modify traffic exactly as before. Plain RSA key exchange therefore moves the problem from "who can read the key" to "whose public key is this", and that is the question the certificate system in section 2.2 answers. (Current TLS, version 1.3, no longer transports the session key with RSA at all; it uses an ephemeral Diffie‑Hellman exchange that the server signs with the key in its certificate, so a later compromise of the server's private key does not expose recorded sessions.)

RSA key‑exchange diagram:

2. HTTPS Protocol

2.1 HTTPS Overview

HTTPS is HTTP carried inside a TLS connection (TLS is the successor of SSL; SSL 2.0 and 3.0 are broken and no longer used). Before any HTTP byte is sent, the TLS handshake lets the client authenticate the server through its certificate (section 2.2), agrees on a shared secret (RSA key transport or Diffie‑Hellman in TLS 1.2, ephemeral Diffie‑Hellman only in TLS 1.3), and derives symmetric session keys from that secret. The HTTP request and response are then encrypted and integrity‑protected with an authenticated cipher such as AES‑GCM, so a man in the middle can neither read nor silently modify them.

Handshake illustration:

2.2 CA Certification System

Certificates are issued by Certificate Authorities (CAs). Browsers and operating systems ship a trust store of root CA certificates; a server presents its own (leaf) certificate together with any intermediate CA certificates, and the browser verifies the leaf by building a chain of trust from it, through the intermediates, up to a root it already trusts.

Certificate chain illustration:

Verification process: for each link in the chain, the browser hashes the to‑be‑signed part of the certificate and checks the signature over it with the issuer's public key (for RSA this is often described as "decrypting" the signature and comparing the recovered hash with the locally computed one); a match proves the certificate was issued, unmodified, by the holder of that CA's private key. The browser also checks that each certificate is within its validity period, that the issuing certificates carry the CA flag, that the host name it connected to appears in the leaf's Subject Alternative Name, and, where available, that the certificate has not been revoked. Only then is the public key in the leaf used for the handshake.
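Added example (not from the original article) that walks through sections 1.3 and 2.2 with a real library: it assumes the Python `cryptography` package, builds a throw‑away root CA and server certificate in memory, performs the browser‑side checks on a presented certificate, then wraps a fresh AES‑256 key to the verified server key with RSA‑OAEP and sends one AES‑GCM‑protected message. The host name www.example.test, the CA name and the message are constructed for this example. The impostor certificate shows why the key exchange in section 1.3 is only safe once the public key has been authenticated: it claims the same host name and even names the root as its issuer, but the signature cannot verify under the CA's key.

```python
"""Added example: a throw-away PKI, the browser-side certificate checks,
and an RSA-wrapped AES session key. Assumes the `cryptography` package."""
import datetime
import os

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.x509.oid import NameOID

NOW = datetime.datetime.now(datetime.timezone.utc).replace(microsecond=0)
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def make_cert(subject, pubkey, issuer_name, issuer_key, is_ca):
    """Build an X.509 certificate with a CN-only name (issuer_name=None: self-signed).
    The CA flag and the SAN are the two extensions the verifier below consults."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject)])
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name if issuer_name is None else issuer_name)
        .public_key(pubkey)
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - datetime.timedelta(days=1))
        .not_valid_after(NOW + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    if not is_ca:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(subject)]), critical=False)
    return builder.sign(issuer_key, hashes.SHA256())


def _utc(cert, attr):
    """Validity bound as an aware datetime; tolerant of cryptography <42 (naive attrs)."""
    aware = getattr(cert, attr + "_utc", None)
    return aware if aware is not None else getattr(cert, attr).replace(tzinfo=datetime.timezone.utc)


def verify_leaf(leaf, root, hostname):
    """The browser-side checks from the article, for a one-link chain (leaf -> root)."""
    try:  # 1. signature over the to-be-signed bytes must verify under the CA key
        root.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                 padding.PKCS1v15(), leaf.signature_hash_algorithm)
    except InvalidSignature:
        return False
    if leaf.issuer != root.subject:  # 2. issued under the name of the CA we trust
        return False
    if not _utc(leaf, "not_valid_before") <= NOW <= _utc(leaf, "not_valid_after"):  # 3.
        return False
    san = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return hostname in san.get_values_for_type(x509.DNSName)  # 4. name matches the host


def build_pki():
    """Constructed PKI: one trusted root, one genuine server, one impostor whose
    certificate claims the same host and the same issuer but is signed with a
    key the CA never certified."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    root = make_cert("Toy Root CA", ca_key.public_key(), None, ca_key, is_ca=True)
    srv_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    srv_cert = make_cert("www.example.test", srv_key.public_key(), root.subject, ca_key, is_ca=False)
    mitm_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    mitm_cert = make_cert("www.example.test", mitm_key.public_key(), root.subject, mitm_key, is_ca=False)
    return root, srv_key, srv_cert, mitm_key, mitm_cert


def session(root, hostname, presented_cert, peer_key, message):
    """Section 1.3 done safely: verify the certificate first, then wrap a fresh
    AES-256 key to the public key *inside it* and send one AES-GCM message.
    peer_key is whoever holds the private key for the presented certificate;
    returns what that party recovers, or None if the client refused to talk."""
    if not verify_leaf(presented_cert, root, hostname):
        return None
    session_key = os.urandom(32)
    wrapped = presented_cert.public_key().encrypt(session_key, OAEP)
    nonce = os.urandom(12)
    ciphertext = AESGCM(session_key).encrypt(nonce, message, None)
    # --- on the wire: wrapped || nonce || ciphertext --- peer side from here:
    key_at_peer = peer_key.decrypt(wrapped, OAEP)
    return AESGCM(key_at_peer).decrypt(nonce, ciphertext, None)


def demo():
    root, srv_key, srv_cert, mitm_key, mitm_cert = build_pki()
    host = "www.example.test"
    return {
        "genuine": session(root, host, srv_cert, srv_key, b"I love JAVA"),
        "impostor": session(root, host, mitm_cert, mitm_key, b"I love JAVA"),
        "wrong_host": verify_leaf(srv_cert, root, "login.example.test"),
    }


if __name__ == "__main__":
    print(demo())  # {'genuine': b'I love JAVA', 'impostor': None, 'wrong_host': False}
```

The order of operations is the point: the client never encrypts anything to a public key it has not first tied to the host name through a signature it can verify against its trust store. Real browsers do the same checks over a multi‑link chain and add revocation and Certificate Transparency checks; the one‑link `verify_leaf` above is the core of that logic, not a replacement for a library's chain validator.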

Summary

HTTP is insecure because it transmits data in clear text with no integrity protection, which makes it vulnerable to man‑in‑the‑middle attacks; HTTPS mitigates these risks through the TLS handshake, an authenticated key exchange, and CA‑based certificate validation, giving communication that is encrypted, integrity‑protected, and tied to an authenticated server.

Tags: HTTP, Encryption, Information security, TLS, HTTPS, Certificate Authority, Man-in-the-Middle
Written by Top Architect

Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.
