Understanding HTTP vs HTTPS: Protocol Basics, Security, and Session Management
This article explains the fundamental differences between HTTP and HTTPS, how internet messages travel through DNS and routers, the roles of IP and MAC addresses, port conventions, request/response structures, encryption methods, digital certificates, and compares cookies with server‑side sessions for state management.
HTTP and HTTPS Overview
HTTP (HyperText Transfer Protocol) is a stateless, plaintext client‑server protocol. HTTPS is the same protocol carried over TLS (Transport Layer Security; SSL is its deprecated predecessor), which adds confidentiality, integrity, and authentication of the server to the client.
Security : HTTP – every request and response can be read and modified by anyone on the network path; HTTPS – traffic is encrypted and integrity‑protected, and the client verifies that it is talking to the named server.
Port : HTTP defaults to 80, HTTPS defaults to 443.
Performance : HTTP avoids the handshake and encryption cost; HTTPS adds a TLS handshake at connection setup and a small per‑record cost, which is usually negligible on modern hardware (and browsers only enable HTTP/2 over HTTPS, so HTTPS is often faster in practice).
Certificate : HTTP needs none; HTTPS requires a TLS certificate for the server's host name, issued by a CA the client trusts.
Browser indication : current browsers flag HTTP pages as “Not secure” and show a lock (or simply no warning) for HTTPS. The lock means the connection is encrypted and the certificate matches the host name, not that the site itself is trustworthy.
How Internet Messages Are Delivered
When a user enters a URL, the browser first resolves the host name to an IP address via DNS, opens a TCP connection to that address (and, for HTTPS, a TLS session on top of it), and only then sends the HTTP request. Each packet passes through a series of routers, much like postal sorting offices: within a local network segment, frames are delivered by MAC address; between networks, routers forward by destination IP address and rewrite the source and destination MAC addresses at every hop.
After the server processes the request it sends the response back to the client's IP address. The return path is chosen hop by hop and need not be the same route the request took; again the IP addresses stay fixed end to end while the MAC addresses change at each hop, until the browser receives the content.
IP Address vs. MAC Address
An IP address identifies a host (strictly, a network interface) for routing between networks and is normally carried unchanged from source to destination (NAT gateways are the exception). A MAC address is a link‑layer identifier that is meaningful only within one local network segment; routers replace it at every hop, so a remote server never sees the client's MAC address.
Port Numbers
Common service ports include 80 for HTTP, 443 for HTTPS, 21 for FTP, 3306 for MySQL, and 22 for SSH.
HTTP Request and Response Details
An HTTP request consists of a request line (method, target, version), request headers (e.g., Host, User‑Agent, Accept‑Encoding, Cookie), and an optional body for methods like POST.
GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate, br

Each line ends with CRLF and the header block is terminated by an empty line; the receiver relies on Content‑Length (or Transfer‑Encoding) to know where the body ends. The server replies with a status line, response headers (e.g., Content‑Type, Content‑Length, Set‑Cookie), an empty line, and a response body.
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 1234

<html>...</html>
Common status codes are 200 (OK), 400 (Bad Request), 404 (Not Found), 405 (Method Not Allowed), 500 (Internal Server Error), and 502 (Bad Gateway).
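A minimal parser for the request and response shapes shown above, as an added example that is not code from the original article. It handles only what the text describes (start line, headers, a Content‑Length body) and shows the checks a receiver should make: header names are case‑insensitive, HTTP/1.1 requests must carry Host, a body shorter than Content‑Length is a framing error, and two Content‑Length headers that disagree are rejected rather than guessed at. The sample messages in the usage are constructed from the article's own examples.

```python
# Minimal HTTP/1.1 message parser: added example, not code from the original
# article. Covers only start line, headers and a Content-Length body; chunked
# transfer encoding and HTTP/2 framing are out of scope.
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: dict   # names lower-cased: HTTP header names are case-insensitive
    body: bytes


@dataclass
class Response:
    version: str
    status: int
    reason: str
    headers: dict
    body: bytes


def _split_message(raw: bytes):
    """Return (start line, headers dict, bytes after the blank line)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: headers not terminated by a blank line")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # No empty name and no whitespace before the colon (RFC 9112 rejects both).
        if not colon or not name or name != name.rstrip():
            raise ValueError(f"malformed header line: {line!r}")
        key, val = name.lower(), value.strip()
        if key in headers and key == "content-length":
            # Two different lengths would let two parsers disagree on where the
            # body ends; refuse instead of picking one.
            if headers[key] != val:
                raise ValueError("conflicting Content-Length values")
        elif key in headers:
            headers[key] += ", " + val
        else:
            headers[key] = val
    return lines[0], headers, rest


def _read_body(headers: dict, rest: bytes) -> bytes:
    """Take exactly Content-Length bytes; a shorter buffer is a framing error."""
    if "content-length" not in headers:
        return b""
    length = headers["content-length"]
    if not length.isdigit():
        raise ValueError("Content-Length must be a non-negative decimal integer")
    n = int(length)
    if len(rest) < n:
        raise ValueError(f"body is {len(rest)} bytes but Content-Length says {n}")
    return rest[:n]   # any remaining bytes belong to the next pipelined message


def parse_request(raw: bytes) -> Request:
    start, headers, rest = _split_message(raw)
    parts = start.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {start!r}")
    method, target, version = parts
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 requires a Host header")
    return Request(method, target, version, headers, _read_body(headers, rest))


def parse_response(raw: bytes) -> Response:
    start, headers, rest = _split_message(raw)
    parts = start.split(" ", 2)   # the reason phrase may itself contain spaces
    if (len(parts) < 2 or not parts[0].startswith("HTTP/")
            or len(parts[1]) != 3 or not parts[1].isdigit()):
        raise ValueError(f"malformed status line: {start!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return Response(parts[0], int(parts[1]), reason, headers, _read_body(headers, rest))


def parse_cookies(cookie_header: str) -> dict:
    """Split a Cookie header value ('a=1; b=2') into a dict; later duplicates win."""
    cookies = {}
    for pair in cookie_header.split(";"):
        name, eq, value = pair.strip().partition("=")
        if eq and name:
            cookies[name] = value
    return cookies


if __name__ == "__main__":
    # Constructed sample messages, based on the article's examples.
    req = parse_request(b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                        b"User-Agent: Mozilla/5.0\r\nCookie: sid=abc123; theme=dark\r\n\r\n")
    print(req.method, req.target, parse_cookies(req.headers["cookie"]))
    resp = parse_response(b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                          b"Content-Length: 16\r\n\r\n<html>...</html>")
    print(resp.status, resp.reason, resp.body)
```

The two rejections (short body, conflicting lengths) are the ones worth keeping in mind when a proxy and an origin server parse the same bytes: a message that one accepts and the other reads differently is how framing disagreements become security bugs.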
HTTPS Encryption Process
HTTPS combines two kinds of cryptography: asymmetric (public‑key) operations to authenticate the server and agree on a key, and symmetric encryption, which is far faster, for the actual data. During the TLS handshake the server presents a certificate containing its public key; the client validates the certificate and the two sides then establish a shared session secret. In the legacy RSA key exchange (TLS 1.2 and earlier) the client encrypts a random pre‑master secret with the server's public key and the server decrypts it with its private key. Modern deployments, and TLS 1.3 exclusively, instead run an ephemeral Diffie‑Hellman exchange (typically ECDHE) and use the certificate's private key only to sign the handshake, which gives forward secrecy: a later compromise of the server's key does not expose past sessions. Either way, every subsequent record is encrypted and integrity‑protected with keys derived from the shared secret, using an authenticated cipher such as AES‑GCM or ChaCha20‑Poly1305, so an on‑path attacker can neither read nor silently alter the traffic.
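The split described above, as an added toy example that is not code from the original article and not a real cipher suite: both sides agree on a secret with Diffie‑Hellman, derive separate encryption and MAC keys from it, and then protect each record with encrypt‑then‑MAC. The group (a 61‑bit prime with generator 3) and the HMAC‑based stream cipher are assumptions chosen so the block runs with the standard library only; they are orders of magnitude too weak for real use, and the exchange is deliberately unauthenticated, which is exactly the gap the server's certificate signature closes in TLS.

```python
# Toy model of asymmetric key agreement + symmetric bulk encryption: added
# example, not code from the original article. Parameters are deliberately
# tiny and the cipher is HMAC-based; this shows mechanics, not a usable suite.
import hashlib
import hmac
import secrets

# Assumption for illustration only. Real TLS uses named groups (X25519, P-256,
# RFC 7919 ffdhe2048 ...); a 61-bit prime offers no security at all.
P = 2**61 - 1
G = 3


def dh_keypair():
    """Private exponent x and public value g^x mod p."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> int:
    # Reject degenerate public values (0, 1, p-1) that force a known secret.
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P)


def derive_keys(shared: int, transcript: bytes):
    """HKDF-style extract-then-expand: distinct keys for encryption and MAC,
    bound to the handshake transcript so a different exchange yields different keys."""
    ikm = shared.to_bytes(8, "big")
    prk = hmac.new(transcript, ikm, hashlib.sha256).digest()
    enc_key = hmac.new(prk, b"enc\x01", hashlib.sha256).digest()
    mac_key = hmac.new(prk, b"mac\x01", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC (toy stand-in for AES-CTR)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC record layout: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(enc_key: bytes, mac_key: bytes, record: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; any change is rejected."""
    if len(record) < 12 + 32:
        raise ValueError("record too short")
    nonce, ct, tag = record[:12], record[12:-32], record[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: record was modified")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def session_keys():
    """Run the exchange for both sides; returns (client keys, server keys)."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    # In TLS the server signs this transcript with its certificate's key; without
    # that signature an on-path attacker could substitute its own s_pub.
    transcript = c_pub.to_bytes(8, "big") + s_pub.to_bytes(8, "big")
    client = derive_keys(dh_shared(c_priv, s_pub), transcript)
    server = derive_keys(dh_shared(s_priv, c_pub), transcript)
    return client, server


def roundtrip(message: bytes) -> bytes:
    """Server seals a record with its keys; the client opens it with its own copy."""
    (c_enc, c_mac), (s_enc, s_mac) = session_keys()
    return unseal(c_enc, c_mac, seal(s_enc, s_mac, message))


if __name__ == "__main__":
    print(roundtrip(b"GET /index.html HTTP/1.1"))
```

The point to take from the tamper case is that the receiver never decrypts anything whose tag fails; in TLS that is the role of the AEAD cipher, and it is why "encrypted" in the article also implies "unmodified".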
Digital Certificates
A digital certificate, issued by a Certificate Authority (CA), binds an identity to a public key. It contains the subject's identity (for servers, the host names in the Subject Alternative Name field), the public key, the issuer's name, a validity period, and the issuer's digital signature over all of it. Before trusting a server the browser checks that the signature chain leads to a root CA in its trust store, that every certificate in the chain is within its validity period, that the requested host name matches one of the names in the certificate, and, where possible, that none of the certificates has been revoked. A failure in any of these checks produces the familiar certificate warning; bypassing it removes the authentication that HTTPS is supposed to provide.
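The name check and the chain check from the client's side, as an added example that is not part of the original article. hostname_matches implements the DNS‑name matching rule browsers apply to the Subject Alternative Name list (the names are assumed to have already been extracted from a certificate whose chain and validity period passed); the two context functions show the Python ssl settings that enforce chain and name verification and, as the anti‑pattern beside it, the common "make the error go away" change that disables both.

```python
# Client-side certificate name matching and TLS context hardening: added
# example, not code from the original article.
import ssl


def hostname_matches(san_dns_names, hostname: str) -> bool:
    """Browser rule for DNS names: case-insensitive exact match, or a wildcard
    that is the whole leftmost label and matches exactly one label. IP-address
    literals are not handled here; they use the iPAddress SAN type instead."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names:
        pat = name.lower().rstrip(".")
        if pat == host:
            return True
        if pat.startswith("*."):
            suffix = pat[1:]                       # ".example.com"
            if "*" in suffix or suffix.count(".") < 2:
                continue                           # no *.com, no a.*.b, no **
            if host.endswith(suffix):
                prefix = host[: -len(suffix)]
                if prefix and "." not in prefix:   # exactly one label
                    return True
    return False


def strict_client_context() -> ssl.SSLContext:
    """What a client should use: system trust store, chain verification,
    host name check, and no protocol versions older than TLS 1.2."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The anti-pattern: authentication switched off entirely, so anyone on the
    path can present any certificate and be accepted. Shown only as a contrast."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_authenticating(ctx: ssl.SSLContext) -> bool:
    """True only if the context verifies the chain, the host name, and refuses
    TLS versions older than 1.2."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


if __name__ == "__main__":
    print(hostname_matches(["www.example.com", "*.example.com"], "api.example.com"))
    print(context_is_authenticating(strict_client_context()),
          context_is_authenticating(weak_client_context()))
```

When an application needs to trust a private CA, the right change is to add that CA to the context with load_verify_locations, not to turn verification off.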
Cookies vs. Sessions
Cookie : Small name=value string stored by the browser and sent automatically with every request to the matching domain and path; limited to about 4 KB per cookie; under the client's control, so its contents can be read and altered unless the server signs or encrypts them, and it can be stolen by script (mitigated by the HttpOnly attribute) or over plaintext HTTP (mitigated by the Secure attribute); used for preferences and login state.
Session : Server‑side storage keyed by a session ID that the client usually carries in a cookie; the data itself never leaves the server, can be larger than a cookie, and lives only until it expires or the user logs out. The ID must be long and unpredictable, because whoever presents it is treated as that user.
Storage location : Cookie – client; Session – server.
Security : Cookie – contents are under the client's control and must be treated as untrusted input unless signed; Session – data stays on the server and only the ID is exposed, but the ID is a bearer credential: stealing it is as good as stealing the login, so it should travel only over HTTPS, be regenerated at login, and expire.
Performance : Cookie data travels on each request, adding overhead; Session transmits only the ID.
Cross‑domain : Cookies are domain‑scoped; Sessions require explicit handling for cross‑domain scenarios.
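Both approaches from the comparison above in working form, as an added example that is not code from the original article: a signed cookie, whose payload the client can read but cannot alter without invalidating the HMAC tag, and a server‑side session store where the cookie carries only a random ID that is rotated at login and expires. The key, the in‑memory dictionary store, and the 30‑minute lifetime are assumptions for illustration; a real deployment loads the key from configuration and keeps sessions in shared storage.

```python
# Signed cookie vs server-side session: added example, not code from the
# original article. The key and the in-memory store are illustration only.
import base64
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)   # assumption: in practice loaded from config and rotated


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(payload: str, key: bytes = SECRET) -> str:
    """Client can read the payload; changing it invalidates the tag."""
    data = _b64(payload.encode())
    tag = hmac.new(key, data.encode(), hashlib.sha256).digest()
    return f"{data}.{_b64(tag)}"


def verify_cookie(value: str, key: bytes = SECRET):
    """Return the payload if the tag is valid, else None. Constant-time compare."""
    data, dot, tag = value.rpartition(".")
    if not dot:
        return None
    expected = _b64(hmac.new(key, data.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, tag):
        return None                      # forged, tampered, or signed with another key
    return _unb64(data).decode()


class SessionStore:
    """Server-side state keyed by an unguessable ID; the client holds only the ID."""

    def __init__(self, ttl_seconds: int = 1800):
        self._sessions = {}
        self.ttl = ttl_seconds

    def create(self, user: str, now: float = None) -> str:
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy, never sequential
        self._sessions[sid] = {"user": user, "expires": now + self.ttl}
        return sid

    def get(self, sid: str, now: float = None):
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now > entry["expires"]:
            self._sessions.pop(sid, None)
            return None
        return entry["user"]

    def rotate(self, old_sid: str, now: float = None):
        """Issue a fresh ID after authentication so a pre-set ID (session
        fixation) never becomes a logged-in session."""
        user = self.get(old_sid, now)
        if user is None:
            return None
        self._sessions.pop(old_sid, None)
        return self.create(user, now)

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(name: str, value: str, max_age: int = 1800) -> str:
    """Set-Cookie with the attributes that limit theft and cross-site sending:
    Secure (HTTPS only), HttpOnly (no script access), SameSite=Lax."""
    return f"Set-Cookie: {name}={value}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    cookie = sign_cookie("user=alice;role=user")
    print(cookie, verify_cookie(cookie))
    store = SessionStore()
    sid = store.rotate(store.create("alice"))
    print(set_cookie_header("sid", sid), store.get(sid))
```

Note what the signed cookie does not give you: confidentiality (the payload is only base64) and revocation (it stays valid until it expires or the key rotates). Those are the reasons login state is usually kept server‑side with only the ID in the cookie.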
Summary
HTTP provides the basic request‑response mechanism, while HTTPS secures it with encryption and certificates. Understanding DNS resolution, IP/MAC routing, ports, and the differences between client‑side cookies and server‑side sessions is essential for building reliable and secure web applications.
Open Source Linux
Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.