Why HTTP Is Dangerous and How HTTPS Protects You from Man-in-the-Middle Attacks
The article explains the vulnerabilities of plain HTTP, illustrates man‑in‑the‑middle attacks, shows why simple symmetric encryption is insufficient, and then details how HTTPS—built on SSL/TLS, asymmetric key exchange, and CA certificate validation—prevents these attacks, providing a comprehensive overview of secure web communication.
1. HTTP Protocol
Before discussing HTTPS, the article reviews the basics of HTTP, a text‑based application‑layer protocol used for client‑server request/response communication.
Typical HTTP request and response messages are shown:
Request:
POST http://www.baidu.com HTTP/1.1
Host: www.baidu.com
Connection: keep-alive
Content-Length: 7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

wd=HTTP

Response:
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Encoding: gzip
Content-Type: text/html;charset=utf-8
Date: Thu, 14 Feb 2019 07:23:49 GMT
Transfer-Encoding: chunked

<html>...</html>
1.2 Man‑in‑the‑Middle (MITM) Attack on HTTP
Because HTTP transmits data in clear text, an attacker can read and modify the traffic. The article illustrates this with a story: a user posts "I love Java" on a forum, the attacker intercepts the request and changes it to "I love PHP", demonstrating how the content can be altered without detection.
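To make the two points above concrete (HTTP is plain text that any on-path party can read, and nothing in the message lets the receiver notice a changed body), here is an added example that is not part of the original article: a minimal HTTP/1.1 message parser and serializer run over a constructed forum request modelled on the one shown above. The request line, host name and body are assumptions of this example. The `receiver_accepts` function shows the only consistency check HTTP itself offers, which a rewritten message passes just as well as the original.

```python
# Constructed sample request, modelled on the article's example (CRLF line
# endings as they appear on the wire). Host and path are invented.
FORUM_POST = (
    b"POST /forum/post HTTP/1.1\r\n"
    b"Host: forum.example\r\n"
    b"Connection: keep-alive\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 19\r\n"
    b"\r\n"
    b"content=I+love+Java"
)


def parse_http_message(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 message into start line, headers and body.

    Works for requests and responses alike: the start line is kept verbatim,
    header names are lower-cased (they are case-insensitive), and the body must
    match Content-Length exactly. Chunked bodies are out of scope here.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    start_line, header_lines = lines[0], lines[1:]
    headers = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:
        length = int(headers["content-length"])
        if len(body) != length:
            raise ValueError(f"body is {len(body)} bytes, Content-Length says {length}")
    return {"start_line": start_line, "headers": headers, "body": body}


def serialize_http_message(msg: dict) -> bytes:
    """Inverse of parse_http_message: rebuild the wire form."""
    head = [msg["start_line"]] + [f"{k}: {v}" for k, v in msg["headers"].items()]
    return "\r\n".join(head).encode("iso-8859-1") + b"\r\n\r\n" + msg["body"]


def rewrite_body(raw: bytes, new_body: bytes) -> bytes:
    """Swap the body of a clear-text message and fix Content-Length.

    The result is a well-formed request with no trace of the change: HTTP carries
    no signature or MAC that the receiver could check. This is the article's
    "I love Java" -> "I love PHP" story in code.
    """
    msg = parse_http_message(raw)
    msg["body"] = new_body
    msg["headers"]["content-length"] = str(len(new_body))
    return serialize_http_message(msg)


def receiver_accepts(raw: bytes) -> bool:
    """Everything a plain HTTP receiver can verify: syntax and Content-Length."""
    try:
        parse_http_message(raw)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    original = parse_http_message(FORUM_POST)
    print("body as anyone on the path reads it:", original["body"])
    tampered = rewrite_body(FORUM_POST, b"content=I+love+PHP")
    print("original accepted:", receiver_accepts(FORUM_POST))
    print("tampered accepted:", receiver_accepts(tampered))
```

The fix the rest of the article builds towards sits below HTTP: TLS adds confidentiality and integrity to the byte stream, so the parser above never sees a body that was altered in transit.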
1.3 Why Simple Symmetric Encryption Is Not Enough
One might think of encrypting the HTTP payload with a symmetric algorithm such as AES. The article shows a diagram of both parties agreeing on an encryption method and then applying AES to the message.
Even with AES, the key exchange itself is exposed in clear text, allowing an attacker who intercepts the first handshake to obtain the symmetric key and decrypt all subsequent traffic.
To solve this, the article introduces asymmetric encryption (RSA). The server generates a public/private key pair, sends the public key to the client, the client creates a random AES key (AES_KEY), encrypts it with the server’s public key (producing AES_KEY_SECRET), and sends it back. The server decrypts with its private key, establishing a shared secret for AES encryption.
However, because nothing proves that the public key the client receives actually belongs to the server, a MITM can generate its own key pair, pose as the server, capture and decrypt the client's encrypted AES key, and thus still read the traffic.
2. HTTPS Protocol
2.1 What Is HTTPS?
HTTPS is essentially HTTP over SSL/TLS. Although SSL has been largely replaced by TLS, the term SSL is still commonly used.
SSL/TLS provides a handshake that exchanges keys asymmetrically and then secures the data channel with symmetric encryption.
2.2 Certificate Authority (CA) Trust Model
During the TLS handshake, the server presents an X.509 certificate containing its public key. The client validates this certificate by checking the chain of trust up to a root CA certificate that is pre‑installed in the operating system.
Certificates are issued by trusted CAs (e.g., GlobalSign). The CA signs the certificate with its private key at issuance; the server presents the signed certificate, and the signature can be verified with the CA's public key.
When a client receives the server’s certificate, it:
Finds the issuing CA’s certificate in the chain.
Uses the CA's public key to decrypt the certificate's signature, recovering the hash the CA signed (sign1).
Computes its own hash over the certificate's signed fields (sign2).
Compares sign1 and sign2; if they match, the certificate is authentic and has not been tampered with.
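The following added example (not code from the original article) ties together the two halves of the argument: the RSA key exchange from section 1.3, and the sign1/sign2 certificate check from section 2.2 that stops the MITM described there. It uses a toy textbook RSA with freshly generated 256-bit primes and no padding, which is an assumption of this example and not what TLS does; the CA name, host name and certificate layout are invented. The hostname comparison at the end of `verify_certificate` goes beyond the four steps listed above; real TLS clients perform it as well.

```python
import hashlib
import random
import secrets

# Toy RSA (assumption of this example): textbook RSA, no padding, 512-bit modulus
# so that a SHA-256 digest is always smaller than n. Real TLS uses vetted
# libraries and padding; this only makes the sign1/sign2 comparison concrete.

def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_prime(bits: int) -> int:
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def rsa_keypair(bits: int = 512):
    """Return ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = generate_prime(bits // 2), generate_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def cert_digest(cert: dict) -> int:
    """Hash over the fields the CA vouches for: subject, issuer, public key."""
    n, e = cert["pubkey"]
    to_be_signed = f"{cert['subject']}|{cert['issuer']}|{n}|{e}".encode()
    return int.from_bytes(hashlib.sha256(to_be_signed).digest(), "big")


def make_certificate(subject: str, pubkey, issuer: str, issuer_priv) -> dict:
    """CA side: sign the digest of the certificate with the CA private key."""
    cert = {"subject": subject, "issuer": issuer, "pubkey": pubkey}
    n_ca, d_ca = issuer_priv
    cert["signature"] = pow(cert_digest(cert), d_ca, n_ca)
    return cert


def verify_certificate(cert: dict, trusted_roots: dict, expected_host: str) -> bool:
    """Client side: the four steps from the article, plus a hostname check."""
    ca_pub = trusted_roots.get(cert["issuer"])  # 1. find the issuing CA's key
    if ca_pub is None:
        return False                             # unknown CA: not pre-installed
    n_ca, e_ca = ca_pub
    sign1 = pow(cert["signature"], e_ca, n_ca)   # 2. "decrypt" the signature
    sign2 = cert_digest(cert)                    # 3. hash the certificate ourselves
    if sign1 != sign2:                           # 4. compare
        return False
    return cert["subject"] == expected_host      # extra: the cert names this host


def client_key_exchange(cert: dict, trusted_roots: dict, host: str):
    """Only after the certificate checks out does the client wrap AES_KEY."""
    if not verify_certificate(cert, trusted_roots, host):
        raise ValueError("certificate verification failed; aborting handshake")
    n, e = cert["pubkey"]
    aes_key = secrets.token_bytes(16)
    aes_key_secret = pow(int.from_bytes(aes_key, "big"), e, n)
    return aes_key, aes_key_secret


def server_unwrap(aes_key_secret: int, server_priv) -> bytes:
    n, d = server_priv
    return pow(aes_key_secret, d, n).to_bytes(16, "big")


def demo():
    """Legitimate handshake succeeds; a MITM substituting its own key is rejected."""
    ca_pub, ca_priv = rsa_keypair()
    roots = {"Demo Root CA": ca_pub}             # the client's pre-installed trust store
    srv_pub, srv_priv = rsa_keypair()
    cert = make_certificate("www.example.com", srv_pub, "Demo Root CA", ca_priv)
    key, secret = client_key_exchange(cert, roots, "www.example.com")
    legit_ok = server_unwrap(secret, srv_priv) == key
    mitm_pub, _ = rsa_keypair()
    forged = dict(cert, pubkey=mitm_pub)         # real CA signature, swapped-in key
    mitm_ok = verify_certificate(forged, roots, "www.example.com")
    return legit_ok, mitm_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The forged certificate fails at step 4: sign1 still equals the hash of the genuine certificate, but sign2 is now the hash of the altered one. A certificate the attacker signs with its own key fails at step 2 instead, because the signature does not decrypt correctly under the trusted CA's public key.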
Conclusion
The article first demonstrates why HTTP is insecure due to clear‑text transmission and easy MITM exploitation, then walks through the evolution of security mechanisms—symmetric encryption, asymmetric key exchange, and finally the full HTTPS stack with TLS handshakes and CA‑based certificate validation—providing readers with a deeper understanding of how HTTPS protects web communication.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)