
Understanding HTTP vs HTTPS: From Basics to Secure Web Communication

This article explains the fundamentals of HTTP and HTTPS, compares their features, details how internet messages travel through DNS, routers, IP and MAC addresses, describes request and response structures, ports, encryption methods, cookies versus sessions, and provides a comprehensive summary of their differences.

Raymond Ops

1. Introduction to HTTP and HTTPS

HTTP (HyperText Transfer Protocol) is a stateless communication protocol used between clients (e.g., browsers) and servers to transfer hypertext such as HTML pages. It transmits everything in plain text, so anyone on the network path can read or modify requests and responses (a man-in-the-middle attack). Because it is stateless, the server does not by itself associate a new request with previous ones; that association has to be added on top, which is what cookies and sessions do.

HTTPS (HyperText Transfer Protocol Secure) runs HTTP over TLS (the successor of SSL; SSL itself is obsolete and should no longer be enabled), which provides confidentiality, integrity and server authentication for data in transit.


2. How Internet Messages Are Transmitted

In the Internet, message delivery resembles a complex postal process. A request passes through a series of routers (like post offices) before reaching the destination server. DNS translates human‑readable domain names into IP addresses, similar to looking up a friend's address in a phone book.

When a browser requests a website (e.g., www.example.com), it first resolves the domain name to an IP address via DNS, opens a TCP connection to that address (port 80 for HTTP; port 443 for HTTPS, where TLS is negotiated before any HTTP data is sent), and then sends an HTTP request: a request line, headers such as Host and User-Agent, and optionally a request body.

Routers forward the packet toward the target server. At each hop the link-layer frame is rebuilt, so the source and destination MAC addresses change, while the IP addresses stay the same end to end (NAT aside). MAC addresses identify network interfaces on the local link; IP addresses are what routing across the Internet uses.


When the packet reaches the target server, the server processes the request and generates a response, which is routed back toward the browser in the same way (not necessarily over the same routers), again with new MAC addresses at each hop.

3. Port Numbers

Service Type    Default Port
HTTP            80
HTTPS           443
FTP             21
MySQL           3306
SSH             22

4. HTTP Protocol

HTTP (Hypertext Transfer Protocol) is a stateless request‑response protocol that underlies web communication. It transfers HTML, images, JSON, and other resources between client and server.

1. What Is Hypertext?

Hypertext refers to web content typically formatted as HTML (Hypertext Markup Language), which describes the structure of a webpage.

2. HTTP Request and Response

1. HTTP Request

A client (usually a browser) initiates a request. Each request consists of three main parts:

Request line (method, target, HTTP version)

Request headers (e.g., Host, User-Agent, Accept-Encoding, Cookie)

Optional request body (used with POST, PUT, etc.)

GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate, br

This example requests the page /index.html using HTTP/1.1. The blank line after the last header is what ends the header block; a GET request normally carries no body.

2. HTTP Response

After processing the request, the server returns a response composed of:

Status line (HTTP version, status code, reason phrase)

Response headers (e.g., Content-Type, Content-Length, Set-Cookie)

Response body (HTML, JSON, image, etc.)

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 1234

<html>
<body>
<h1>Welcome to Example!</h1>
</body>
</html>

Content-Length must state the exact byte length of the body (the 1234 above is illustrative); if it is wrong, the receiver either truncates the body or waits for bytes that never arrive, and the two sides no longer agree on where one message ends and the next begins. Common status codes include 200 OK, 400 Bad Request, 404 Not Found, 405 Method Not Allowed, 500 Internal Server Error, and 502 Bad Gateway.
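The request and response layouts above are easy to read but easy to get wrong in code: header names are case-insensitive, the blank line is what ends the headers, and the body is exactly Content-Length bytes. The following is an added example, not code from the original article, of a small HTTP/1.1 parser and message builders in Python that handle those details; every name in it is the example's own, and the sample request is constructed to match the one shown in the text.

```python
"""Minimal HTTP/1.1 message parser and builders, standard library only.

Added example: the request and response layouts from the text, parsed and
produced by code. Function and class names are this example's own.
"""
from dataclasses import dataclass, field

CRLF = b"\r\n"


@dataclass
class HttpMessage:
    start_line: str                               # request line or status line
    headers: dict = field(default_factory=dict)   # names lower-cased for lookup
    body: bytes = b""

    @property
    def is_response(self) -> bool:
        return self.start_line.startswith("HTTP/")


def parse_message(raw: bytes) -> HttpMessage:
    """Split a raw message at the blank line, then read headers and body.

    Header names are case-insensitive. The body is exactly Content-Length
    bytes; fewer bytes means the peer closed early or sent a wrong length,
    and a parser that silently accepts that loses sync with its peer.
    """
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete message: no blank line ending the headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    msg = HttpMessage(start_line=lines[0])
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            # Whitespace around a header name is a classic parser-confusion trick; reject it.
            raise ValueError(f"malformed header line: {line!r}")
        msg.headers[name.lower()] = value.strip()
    length = msg.headers.get("content-length")
    if length is not None:
        if not length.isdigit():
            raise ValueError("Content-Length is not a non-negative integer")
        if len(rest) < int(length):
            raise ValueError("body shorter than Content-Length")
        msg.body = rest[: int(length)]
    return msg


def status_code(msg: HttpMessage) -> int:
    """Second field of the status line, e.g. 200 from 'HTTP/1.1 200 OK'."""
    if not msg.is_response:
        raise ValueError("not a response")
    return int(msg.start_line.split(" ", 2)[1])


def build_request(method, target, host, headers=None, body=b"") -> bytes:
    """Request line, Host first, then extra headers; Content-Length only when there is a body."""
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}"]
    lines += [f"{name}: {value}" for name, value in (headers or {}).items()]
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return CRLF.join(line.encode("iso-8859-1") for line in lines) + CRLF + CRLF + body


def build_response(status, reason, body: bytes, content_type="text/html") -> bytes:
    """Status line plus headers; Content-Length is computed from the body, never typed by hand."""
    lines = [f"HTTP/1.1 {status} {reason}",
             f"Content-Type: {content_type}",
             f"Content-Length: {len(body)}"]
    return CRLF.join(line.encode("iso-8859-1") for line in lines) + CRLF + CRLF + body


def validate(raw: bytes):
    """None if raw parses cleanly, else the error text (for callers that must not raise)."""
    try:
        parse_message(raw)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample, matching the request shown in the text.
SAMPLE_REQUEST = build_request(
    "GET", "/index.html", "www.example.com",
    {"User-Agent": "Mozilla/5.0", "Accept-Encoding": "gzip, deflate, br"},
)

if __name__ == "__main__":
    req = parse_message(SAMPLE_REQUEST)
    print(req.start_line, req.headers)
```

The builders derive Content-Length from the body so the two can never disagree, and the parser refuses a body shorter than the declared length instead of returning what it has; both choices exist because a client and a server (or a proxy between them) that disagree about message boundaries will misinterpret every message that follows.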

5. HTTPS

HTTPS solves HTTP’s security shortcomings by adding an encryption layer using SSL/TLS. It ensures confidentiality, integrity, and server authentication.

1. Encryption Methods

1. Symmetric Encryption

A single secret key is used for both encryption and decryption. It is fast but requires secure key exchange.

2. Asymmetric Encryption

Asymmetric encryption uses a key pair. Data encrypted with the public key can only be decrypted with the matching private key, and a signature made with the private key can be verified by anyone holding the public key (the "vice versa" direction is signing, not encryption). It is far slower than symmetric encryption, so it is used to establish and authenticate keys, not to encrypt bulk traffic.

2. HTTPS Handshake Process

1. Handshake Phase

The client contacts the server (ClientHello), and the server returns a digital certificate containing its public key and identity information. The client checks that the certificate chains to a CA it trusts, is within its validity period and names the host it connected to; if any of these checks fails, the connection is aborted.

2. Key Exchange

The two sides agree on a session key that never travels in the clear. The classic method, which this description follows, is RSA key transport: the client generates a random secret, encrypts it with the server's public key from the certificate, and the server decrypts it with its private key. Modern TLS (1.2 in common configurations, 1.3 always) instead uses ephemeral Diffie-Hellman key agreement: each side sends a fresh public value, both compute the same shared secret, and the server's private key is used only to sign the handshake. That gives forward secrecy, so a later compromise of the server's key does not expose recorded sessions.

3. Data Transmission Phase

All further communication is protected with the shared symmetric key (in modern TLS an AEAD cipher such as AES-GCM or ChaCha20-Poly1305, which encrypts and authenticates every record), giving fast encryption and tamper detection.
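The key exchange and the symmetric/asymmetric split described above can be run end to end with nothing but the Python standard library. The block below is an added example, not code from the article: it performs the ephemeral Diffie-Hellman agreement that TLS 1.3 uses (finite-field rather than elliptic-curve, because integer modular exponentiation needs no third-party library), derives a traffic key with HKDF as TLS does, and then uses that key to protect a message. The group constant is the 2048-bit MODP prime of RFC 3526 (group 14) as transcribed here; the function names, the transcript string and the HMAC-based sealing are the example's own choices, and real TLS uses an AEAD cipher for the data phase.

```python
"""Ephemeral Diffie-Hellman key agreement plus HKDF, standard library only.

Added example of the handshake's key-exchange step as TLS 1.3 does it:
both sides contribute a fresh DH value, derive the same traffic key, and
nothing secret is ever sent on the wire.
"""
import hashlib
import hmac
import secrets

# 2048-bit MODP group (RFC 3526, group 14), transcribed from the RFC; re-check
# the digits against the RFC before reusing this constant anywhere real.
P = int("".join("""
FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1
29024E088A67CC74020BBEA63B139B22514A08798E3404DD
EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245
E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED
EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D
C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F
83655D23DCA3AD961C62F356208552BB9ED529077096966D
670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B
E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9
DE2BCBF6955817183995497CEA956AE515D2261898FA0510
15728E5A8AACAA68FFFFFFFFFFFFFFFF
""".split()), 16)
G = 2
Q = (P - 1) // 2                          # safe prime: order of the subgroup G generates
SECRET_LEN = (P.bit_length() + 7) // 8    # fixed-width encoding of the shared secret


def dh_keypair():
    """Fresh private exponent x in [1, Q-1] and public value g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def valid_peer_value(y) -> bool:
    """Reject 0, 1, p-1 and anything outside the order-q subgroup.

    Such values would let a malicious peer force a predictable secret or
    learn bits of our private exponent.
    """
    return 2 <= y <= P - 2 and pow(y, Q, P) == 1


def dh_shared_secret(private, peer_public) -> bytes:
    """g^(xy) mod p as fixed-width bytes, after checking the peer's value."""
    if not valid_peer_value(peer_public):
        raise ValueError("peer public value is not in the expected subgroup")
    return pow(peer_public, private, P).to_bytes(SECRET_LEN, "big")


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length=32) -> bytes:
    """HKDF (RFC 5869): extract a PRK from the raw secret, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_traffic_key(shared_secret: bytes, transcript: bytes) -> bytes:
    """Bind the key to the handshake messages both sides saw, as TLS does."""
    return hkdf_sha256(shared_secret, hashlib.sha256(transcript).digest(), b"traffic key")


def handshake(transcript=b"ClientHello|ServerHello"):
    """Run both sides; return (client_key, server_key, client_pub, server_pub)."""
    c_priv, c_pub = dh_keypair()            # client: ClientHello key_share
    s_priv, s_pub = dh_keypair()            # server: ServerHello key_share
    # Only c_pub and s_pub cross the network; an eavesdropper holds no exponent.
    client_key = derive_traffic_key(dh_shared_secret(c_priv, s_pub), transcript)
    server_key = derive_traffic_key(dh_shared_secret(s_priv, c_pub), transcript)
    return client_key, server_key, c_pub, s_pub


def seal(key: bytes, message: bytes) -> bytes:
    """Integrity tag for the data phase (HMAC here; TLS uses an AEAD cipher)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(seal(key, message), tag)


if __name__ == "__main__":
    ck, sk, _, _ = handshake()
    print("both sides derived the same key:", ck == sk)
```

Note what the block does not do: nothing authenticates the public values, so an active attacker could run this exchange separately with each side and relay between them. That is exactly the gap the certificate and the server's signature over the handshake close; key agreement alone gives secrecy only against a passive observer.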


3. Digital Certificates

Certificates act as a website's identity card, issued by a trusted Certificate Authority (CA). They contain the holder's identity (today the hostnames live in the subjectAltName extension), the holder's public key, the CA's identity, a validity period, and the CA's digital signature over all of it, so any alteration is detectable. A client accepts a certificate only if the signature chains up to a root it trusts, the current time falls inside the validity period, and one of the names in the certificate matches the host it connected to.
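What "the client validates the certificate" means in practice is a short list of concrete checks. The block below is an added example, not code from the article, of two of them, the validity period and hostname matching, run on a constructed dictionary standing in for the parsed certificate; verifying the CA's signature chain is left to a real X.509 library. The wildcard rules follow RFC 6125: a '*' may only be the whole leftmost label and matches exactly one label, and the CN is ignored in favour of subjectAltName, as current browsers do.

```python
"""Server-certificate checks a client performs, as an added illustration.

Operates on a constructed dict standing in for the parsed certificate; real
clients read these fields from the X.509 structure and also verify the CA
signature chain, which is out of scope here.
"""
from datetime import datetime, timezone


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample, not a real certificate.
SAMPLE_CERT = {
    "subject": {"commonName": "www.example.com"},
    "issuer": {"organizationName": "Example CA"},
    "subjectAltName": ["www.example.com", "*.example.com"],
    "notBefore": utc(2025, 1, 1),
    "notAfter": utc(2026, 1, 1),
}


def _name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' only as the whole leftmost label, covering exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), host.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # The wildcard must be an entire label, the leftmost one, with at least two
    # labels after it ("*.com" must never match every .com host).
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]) or len(p_labels) < 3:
        return False
    return (len(h_labels) == len(p_labels)
            and h_labels[1:] == p_labels[1:]
            and h_labels[0] != "")


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Match against subjectAltName dNSName entries only; the CN is ignored."""
    return any(_name_matches(name, hostname) for name in cert.get("subjectAltName", []))


def within_validity(cert: dict, now=None) -> bool:
    now = now or datetime.now(timezone.utc)
    return cert["notBefore"] <= now <= cert["notAfter"]


def check_server_cert(cert: dict, hostname: str, now=None) -> list:
    """Return the list of problems found; an empty list means these checks passed."""
    problems = []
    if not within_validity(cert, now):
        problems.append("certificate expired or not yet valid")
    if not hostname_matches(cert, hostname):
        problems.append(f"certificate name does not match {hostname}")
    return problems


if __name__ == "__main__":
    print(check_server_cert(SAMPLE_CERT, "www.example.com", utc(2025, 6, 1)))
    print(check_server_cert(SAMPLE_CERT, "example.com", utc(2027, 1, 1)))
```

Two of the rules are where bugs usually hide: "*.example.com" covers api.example.com but neither example.com nor a.b.example.com, and a certificate that carries only a CN and no subjectAltName matches nothing.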

6. Cookie and Session

1. Cookie

Cookies are small name-value pairs that a server asks the browser to store (via the Set-Cookie response header) and that the browser sends back with later requests to the same site (via the Cookie request header), giving the stateless protocol a way to carry state.

Stored on the client, so the user can read or alter them; unless the server signs or encrypts the value, nothing in a cookie can be trusted, and without the Secure and HttpOnly attributes it can be stolen over plain HTTP or by script running in the page.

Can have an expiration time (Expires or Max-Age); without one the cookie lasts until the browser session ends.

Sent with every request to the site, so large cookies add overhead to every round trip.

2. Session

Sessions store user data on the server. The server assigns a unique session ID, which the client typically keeps in a cookie.

Stored on the server, so the client cannot read or alter the data.

Relies on a client-side cookie to transmit the session ID.

The data itself is never exposed to the client, which removes tampering; the session ID must be unguessable and protected, because whoever presents it is treated as that user.
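A concrete server-side session store, as an added example that is not part of the original article, makes the cookie/session split tangible: the browser receives only an opaque random ID, and the user data stays in a server-side map that the server can expire or destroy at will. The cookie name, the time-to-live and the attribute choices are the example's own, not those of any framework.

```python
"""Server-side session store keyed by a random cookie value (added example).

The browser holds only an opaque session ID; user data never leaves the
server. Names and defaults here are this example's own.
"""
import secrets
import time
from http.cookies import SimpleCookie

SESSION_COOKIE = "__Host-sid"   # __Host- prefix: browser refuses it without Secure and Path=/
DEFAULT_TTL = 1800              # seconds of inactivity before the session dies


class SessionStore:
    def __init__(self, ttl=DEFAULT_TTL, clock=time.time):
        self._ttl, self._clock, self._sessions = ttl, clock, {}

    def create(self, data: dict) -> str:
        """New session ID: 256 bits from the OS CSPRNG, so it cannot be guessed or enumerated."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"data": dict(data), "expires": self._clock() + self._ttl}
        return sid

    def get(self, sid):
        """Session data, or None if the ID is unknown or expired (expired entries are purged)."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if entry["expires"] < self._clock():
            del self._sessions[sid]
            return None
        entry["expires"] = self._clock() + self._ttl   # sliding expiry on activity
        return entry["data"]

    def destroy(self, sid) -> None:
        """Logout: forget the session server-side so the old ID is worthless even if stolen."""
        self._sessions.pop(sid, None)

    def __len__(self):
        return len(self._sessions)


def set_cookie_header(sid: str, max_age=DEFAULT_TTL) -> str:
    """Value for the Set-Cookie header with the attributes a session cookie should carry.

    HttpOnly keeps page scripts from reading it, Secure keeps it off plain HTTP,
    SameSite=Lax stops most cross-site request forgery.
    """
    return f"{SESSION_COOKIE}={sid}; Path=/; Max-Age={max_age}; HttpOnly; Secure; SameSite=Lax"


def session_id_from_cookie_header(cookie_header: str):
    """Pull the session ID out of a request's Cookie header, or None if absent."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(SESSION_COOKIE)
    return morsel.value if morsel else None


def handle_request(store: SessionStore, cookie_header: str):
    """What a request handler does: map the presented ID back to server-side data."""
    sid = session_id_from_cookie_header(cookie_header)
    return store.get(sid) if sid else None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create({"user": "alice"})
    print(set_cookie_header(sid))
    # Constructed Cookie header as the browser would send it on the next request.
    print(handle_request(store, f"theme=dark; {SESSION_COOKIE}={sid}"))
```

Everything the table below calls "more secure" rests on two properties visible here: the ID is random enough that a forged one never maps to a session, and the server can expire or destroy the entry regardless of what the client still holds.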

3. Cookie vs Session Comparison

Feature            Cookie                                                        Session
Storage location   Client browser                                                Server
Security           Readable and editable by the client; trust nothing in it      Data never leaves the server; only the ID is exposed, and
                   unless the server signed it                                   whoever holds the ID holds the session
Capacity           About 4 KB per cookie                                         Limited only by server resources
Lifetime           Until its Expires/Max-Age, or browser close if none is set    Until it expires or the server invalidates it (logout);
                                                                                 closing the browser only discards the ID cookie
Stored content     Small data (preferences, login flag)                          Sensitive data (user identity, cart)
Data transfer      Sent with every request, adds overhead                        Only the session ID travels with each request
Cross-domain       Not shared across domains                                     Needs explicit handling for cross-domain use

7. Summary of HTTP and HTTPS

Feature            HTTP                                       HTTPS
Full name          Hypertext Transfer Protocol                Hypertext Transfer Protocol Secure
Transport          Plain text over TCP                        HTTP over TLS
Confidentiality    None; anyone on the path can read it       Encrypted in transit
Port               80                                         443
Server identity    Not verified                               Verified through a certificate chain to a trusted CA
Integrity          Data can be altered in transit unnoticed   Tampering is detected and the connection fails
Performance        No cryptographic overhead                  Small handshake and encryption cost, negligible in practice
Typical use        Legacy or non-sensitive content            Everything; mandatory for logins, payments and any session cookie
Browser display    URL starts with http://                    URL starts with https://; marked as secure (historically a padlock icon)
Certificate        Not required                               Required; obtained from a trusted CA
Trust              None; the site's identity is unknown       Proves control of the domain name, not that the site is honest;
                                                              phishing sites can and do hold valid certificates

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: HTTP, Networking, Web Security, HTTPS, cookies, Sessions

Written by

Raymond Ops

Linux ops automation, cloud-native, Kubernetes, SRE, DevOps, Python, Golang and related tech discussions.
