Why HTTP Is Insecure and How HTTPS Protects Against Man-in-the-Middle Attacks
This article explains the fundamentals of the HTTP protocol, illustrates its vulnerability to man‑in‑the‑middle attacks, and details how HTTPS—through SSL/TLS, asymmetric key exchange, and a trusted CA certificate hierarchy—secures communications by encrypting data and preventing interception and tampering.
1. HTTP Protocol
Before discussing HTTPS, we review the concept of HTTP.
1.1 Introduction to HTTP
HTTP is a text-based protocol for transferring data that operates at the application layer.
HTTP follows a client-server request-response model. The original RFC 2616 has since been split into six specifications (RFC 7230-7235). A typical request looks like:
POST http://www.baidu.com HTTP/1.1
Host: www.baidu.com
Connection: keep-alive
Content-Length: 7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

wd=HTTP

A typical response looks like:
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Encoding: gzip
Content-Type: text/html;charset=utf-8
Date: Thu, 14 Feb 2019 07:23:49 GMT
Transfer-Encoding: chunked

<html>...</html>

1.2 Man-in-the-Middle Attack on HTTP
HTTP transmits messages in clear text, so anyone on the path can read and modify them. For example, a user posts "I love JAVA" and an attacker on the path changes it to "I love PHP":
Original post: I love JAVA
Modified by attacker: I love PHP
Result: the user is mocked.
Because all request and response contents are visible, HTTP is considered insecure.
1.3 Preventing MITM Attacks
One might try symmetric encryption (AES) to protect the payload, but the encryption method and the key must themselves be sent, and they travel in clear text, so an attacker who intercepts that first exchange obtains the key and can read everything that follows.
Using asymmetric encryption (RSA) appears to solve this: the server generates a public-private key pair and sends the public key to the client; the client generates a random AES key (AES_KEY), encrypts it with the server's public key (producing AES_KEY_SECRET) and sends it back. The server decrypts AES_KEY_SECRET with its private key to recover AES_KEY, and thereafter all communication is encrypted with AES. An eavesdropper who only reads the exchange sees the public key and AES_KEY_SECRET, neither of which yields AES_KEY.
However, an attacker who can modify the traffic can act as a man-in-the-middle: it generates its own key pair and presents its own public key to the client in place of the server's. The client has no way to tell whose public key it received, so it encrypts AES_KEY to the attacker, who decrypts it, re-encrypts it to the real server, and thereafter reads and alters the traffic in both directions.
2. HTTPS Protocol
2.1 Introduction to HTTPS
HTTPS is essentially HTTP over SSL (now TLS). SSL/TLS operates at the application layer and can secure other protocols such as FTP and WebSocket.
SSL/TLS uses asymmetric encryption during the handshake to exchange keys, then symmetric encryption (AES) for data transfer.
2.2 CA Certification System
Clients verify server certificates using a chain of trust anchored by root CA certificates pre‑installed in the operating system.
The server obtains a certificate signed by a trusted CA: the certificate binds the server's identity to its public key, and the CA signs it with its private key, creating a signature (certificate fingerprint). The client validates the signature using the CA's public key, which confirms that the certificate came from that CA and has not been tampered with; only then does it trust the enclosed public key.
This RSA-based verification means an attacker's substituted public key fails the check, because the attacker cannot produce a valid CA signature over it; the attacker therefore never obtains the AES key used in the HTTPS session.
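The following added example (not from the original article) models the unauthenticated exchange of section 1.3 and the CA check of section 2.2 together: a toy CA signs a hostname-to-public-key binding, and the client accepts a server key only when that signature verifies under the pre-installed CA key. It uses textbook RSA over fixed Mersenne primes and a hash reduced modulo n, all constructed for illustration; the hostname, key sizes and the name "attacker.example" are assumptions.

```python
import hashlib

# Added toy model of the CA check in section 2.2: "textbook" RSA over fixed
# Mersenne primes with no padding, constructed for illustration only.
E = 65537

def toy_keypair(p: int, q: int):
    # Returns ((n, e), (n, d)); pow(E, -1, phi) needs Python 3.8+.
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(data: bytes, n: int) -> int:
    # Hash the bytes and reduce below the modulus so the value can be signed.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data: bytes) -> int:
    return pow(digest(data, priv[0]), priv[1], priv[0])

def verify(pub, data: bytes, sig: int) -> bool:
    return pow(sig, pub[1], pub[0]) == digest(data, pub[0])

def tbs(host: str, pub) -> bytes:
    # "To be signed" bytes: the CA binds a hostname to a public key.
    return f"{host}|{pub[0]}|{pub[1]}".encode()

def issue_cert(ca_priv, host: str, subject_pub) -> dict:
    return {"host": host, "pub": subject_pub, "sig": sign(ca_priv, tbs(host, subject_pub))}

def client_accepts(trusted_ca_pub, expected_host: str, cert: dict) -> bool:
    # The signature must verify under the pre-installed CA key and the name must
    # match; only then may cert["pub"] be used to encrypt AES_KEY (section 1.3).
    return (cert["host"] == expected_host
            and verify(trusted_ca_pub, tbs(cert["host"], cert["pub"]), cert["sig"]))

# Constructed key material: the trusted CA, the genuine server and an attacker.
CA_PUB, CA_PRIV = toy_keypair(2**89 - 1, 2**107 - 1)
SERVER_PUB, SERVER_PRIV = toy_keypair(2**61 - 1, 2**127 - 1)
MITM_PUB, MITM_PRIV = toy_keypair(2**31 - 1, 2**521 - 1)
HOST = "www.baidu.com"

def scenarios() -> dict:
    genuine = issue_cert(CA_PRIV, HOST, SERVER_PUB)
    swapped = dict(genuine, pub=MITM_PUB)  # attacker replaces the key in transit
    rogue_priv = toy_keypair(2**31 - 1, 2**107 - 1)[1]  # a CA the client never trusted
    self_issued = issue_cert(rogue_priv, HOST, MITM_PUB)
    other_host = issue_cert(CA_PRIV, "attacker.example", MITM_PUB)  # valid, wrong name
    return {"genuine": client_accepts(CA_PUB, HOST, genuine),
            "key_swapped": client_accepts(CA_PUB, HOST, swapped),
            "rogue_ca": client_accepts(CA_PUB, HOST, self_issued),
            "wrong_host": client_accepts(CA_PUB, HOST, other_host)}
```

Only the genuine certificate passes; the swapped key, the rogue CA and the misnamed certificate are all rejected, which is the step missing from the bare RSA exchange in section 1.3.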
Summary
By first understanding why HTTP is insecure due to MITM attacks, and then exploring the evolution of security mechanisms culminating in HTTPS, readers gain a deeper comprehension of how HTTPS protects data integrity and confidentiality.