Why HTTP Is Insecure and How HTTPS Secures Your Web Traffic
This article explains the fundamental differences between HTTP and HTTPS, how internet messages travel through DNS and routers, the roles of ports, request and response structures, encryption methods, digital certificates, and compares cookies with sessions for state management.
HTTP and HTTPS Overview
HTTP (HyperText Transfer Protocol) is a stateless communication protocol used between clients (e.g., browsers) and servers to transfer hypertext such as HTML pages. It transmits data in plain text, making it vulnerable to man‑in‑the‑middle attacks. HTTPS adds an encryption layer using SSL/TLS, providing secure data transmission.
How Internet Messages Are Transmitted
Message delivery on the Internet resembles a postal process: a request passes through a series of routers (like post offices) before reaching the target server.
1. Accessing a Website
When you type a domain such as www.example.com, the DNS system translates the human‑readable name into an IP address, similar to looking up a friend's address in a phone book.
2. Browser Sends Request
The browser creates an HTTP request containing the target path, browser type, language, etc., analogous to handing a package to the post office.
3. DNS Resolution
DNS converts the domain name into an IP address that routers can use for routing.
4. Router Role
After obtaining the correct IP, routers forward the packet step by step toward the destination server, using MAC addresses for local identification.
5. Server Responds
The server processes the request and returns the appropriate resource (HTML page, image, file, etc.).
6. Response Travels Back
The response follows the reverse path to the browser, with MAC addresses updated along the way.
Port Numbers
Common services use default ports: HTTP 80, HTTPS 443, FTP 21, MySQL 3306, SSH 22.
HTTP Protocol
HTTP is a stateless request‑response protocol that underpins web browsing, transferring HTML, images, JSON, and other resources.
1. What Is Hypertext
Hypertext refers to content displayed on web pages, typically written in HTML.
2. HTTP Request and Response
HTTP Request
An HTTP request consists of three parts:
Request Components
1. Request line (method, target, HTTP version)
2. Request headers (e.g., Accept‑Encoding, Host, User‑Agent, Cookie)
3. Optional request body (used with POST or PUT)
GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate, br
Request Methods
GET retrieves resources; POST submits data; PUT updates resources; DELETE removes resources.
HTTP Response
The server returns a response composed of a status line, headers, and an optional body.
Response Components
1. Status line (HTTP version, status code, description)
2. Response headers (e.g., Content‑Type, Content‑Length, Set‑Cookie)
3. Response body (HTML, JSON, image, etc.)
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 1234
<html>
<body>
<h1>Welcome to Example!</h1>
</body>
</html>
Response Status Codes
200 OK (success), 400 Bad Request (syntax error), 404 Not Found (resource missing), 405 Method Not Allowed, 500 Internal Server Error, 502 Bad Gateway.
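As an added example (not code from the original article), a small Go parser for the three-part message structure described above; it accepts both a request line and a status line, lower-cases header names, and uses Content-Length to decide how many body bytes belong to the message. The type and function names are my own.

```go
package main

import (
	"errors"
	"strconv"
	"strings"
)

// Message is the three-part shape described above: start line, headers, optional body.
// A request has a request line (method, target, version); a response has a status line
// (version, status code, reason phrase), so the same structure serves both directions.
type Message struct {
	StartLine [3]string
	Headers   map[string]string // names lower-cased: HTTP header names are case-insensitive
	Body      string
}

// IsResponse reports whether the start line is a status line rather than a request line.
func (m *Message) IsResponse() bool { return strings.HasPrefix(m.StartLine[0], "HTTP/") }

// parseMessage splits one raw HTTP/1.1 message. Lines end in CRLF (bare LF is tolerated),
// a blank line ends the headers, and Content-Length says how many body bytes belong to
// this message; a declared length longer than the bytes present is treated as an error.
func parseMessage(raw string) (*Message, error) {
	head, body, _ := strings.Cut(strings.ReplaceAll(raw, "\r\n", "\n"), "\n\n")
	lines := strings.Split(strings.TrimRight(head, "\n"), "\n")
	parts := strings.SplitN(lines[0], " ", 3)
	if len(parts) != 3 {
		return nil, errors.New("malformed start line: " + lines[0])
	}
	m := &Message{Headers: map[string]string{}}
	copy(m.StartLine[:], parts)
	for _, l := range lines[1:] {
		name, value, ok := strings.Cut(l, ":")
		if !ok {
			return nil, errors.New("malformed header line: " + l)
		}
		m.Headers[strings.ToLower(strings.TrimSpace(name))] = strings.TrimSpace(value)
	}
	if cl, ok := m.Headers["content-length"]; ok {
		n, err := strconv.Atoi(cl)
		if err != nil || n < 0 || n > len(body) {
			return nil, errors.New("Content-Length does not match the bytes present")
		}
		body = body[:n] // anything beyond n belongs to the next message on the connection
	}
	m.Body = body
	return m, nil
}
```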
HTTPS
HTTPS adds an encryption layer to HTTP using SSL/TLS, ensuring confidentiality, integrity, and server authentication.
HTTPS Encryption Methods
Symmetric Encryption
Uses a single secret key for both encryption and decryption; fast but key distribution is a risk.
Asymmetric Encryption
Uses a public‑private key pair; slower but provides secure key exchange.
HTTPS Encryption Process
Handshake Phase
The client initiates a handshake; the server returns a digital certificate containing its public key.
Key Exchange
The client encrypts a session key with the server’s public key and sends it; the server decrypts it with its private key, establishing a shared symmetric key.
Data Encryption Phase
Subsequent data is encrypted with the shared symmetric key for efficient transmission.
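The three phases above as an added Go example, not the article's own code: RSA-OAEP wraps a random session key (the RSA key transport described here; TLS 1.3 has since moved to ephemeral Diffie-Hellman, but the hybrid pattern is the same), and AES-256-GCM then protects the data phase so that a record altered in transit is rejected. The server key pair is supplied by the caller; function and type names are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Key exchange: the client draws a random 256-bit session key and wraps it with the server's public key (RSA-OAEP).
func clientKeyExchange(serverPub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32)
	rand.Read(sessionKey) // crypto/rand; in Go 1.24+ it never returns an error
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// Server side of the exchange: only the matching private key can recover the session key.
func serverUnwrap(serverPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, serverPriv, wrapped, nil)
}

// session is the data phase: AES-256-GCM under the shared symmetric key.
type session struct{ gcm cipher.AEAD }

func newSession(key []byte) (*session, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return &session{gcm}, err
}

// seal encrypts and authenticates one record; the fresh nonce is prepended to it.
func (s *session) seal(plaintext []byte) []byte {
	nonce := make([]byte, s.gcm.NonceSize())
	rand.Read(nonce) // a nonce must never repeat under the same key
	return s.gcm.Seal(nonce, nonce, plaintext, nil)
}

// open checks the authentication tag first: a record altered in transit is rejected, not decrypted.
func (s *session) open(record []byte) ([]byte, error) {
	n := s.gcm.NonceSize()
	if len(record) < n {
		return nil, errors.New("record too short")
	}
	return s.gcm.Open(nil, record[:n], record[n:], nil)
}
```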
Digital Certificates
Certificates act as a website’s identity card, issued by a Certificate Authority (CA) and containing the server’s public key and identity information.
Certificate Components
Holder information (company name, domain)
Public key
CA information
Validity period
Digital signature
The browser validates the certificate against trusted CAs before establishing a secure connection.
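An added Go example (not from the article) of that validation step: it constructs a throwaway CA and a server certificate carrying the components listed above, then checks the certificate the way a browser does, against the trusted root, the host name being visited and the current time. The CA name "Example Test CA" and the function names are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// buildChain constructs a throwaway CA and a server certificate it signs for host: holder (subject, DNS name), public key, issuer, validity period, signature.
func buildChain(host string, leafNotAfter time.Time) (ca, leaf *x509.Certificate, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    leafNotAfter.Add(-48 * time.Hour),
		NotAfter:     leafNotAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Self-signed root first, then the leaf signed with the CA key; a signing failure surfaces as a parse error.
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, caTmpl, &leafKey.PublicKey, caKey)
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return ca, leaf, err
}

// validate mirrors the browser's check: the signature chains to a trusted root, the name matches the site visited, and now falls inside the validity period.
func validate(leaf, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}
```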
Cookie and Session
Cookie
Cookies are small files stored in the client browser to preserve user state because HTTP is stateless.
Cookie Characteristics
Stored on client, vulnerable to tampering
Can set expiration time
Sent with every request, affecting performance
Session
Sessions store user data on the server; the client holds only a session ID, usually in a cookie.
Session Characteristics
Stored on server, more secure
Relies on client cookie for the session ID
Not exposed to client, preventing tampering
Cookie vs Session Comparison
Cookies reside on the client, have size limits (≈4 KB each) and are sent with each request, while sessions reside on the server, can store larger data, and only the session ID travels over the network, offering better security and performance.
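An added Go example (not from the article) of the session side of this comparison: the user data stays in a server-side map, the cookie carries only a random ID with HttpOnly, Secure and SameSite set, and an edited or expired ID simply fails lookup. Field and function names are my own, and the store is a single-goroutine demonstration.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"net/http"
	"time"
)

// sessionData lives only on the server; the browser never sees it and cannot edit it.
type sessionData struct {
	user    string
	role    string
	expires time.Time
}

// sessionStore maps opaque session IDs to server-side data (single-goroutine demo; a real store needs locking and persistence).
type sessionStore struct {
	sessions map[string]sessionData
	ttl      time.Duration
}

func newSessionStore(ttl time.Duration) *sessionStore {
	return &sessionStore{sessions: map[string]sessionData{}, ttl: ttl}
}

// create records the data server-side and returns the cookie that carries only a 256-bit random ID.
// HttpOnly keeps scripts away from it, Secure restricts it to HTTPS, SameSite limits cross-site sends.
func (s *sessionStore) create(user, role string) (*http.Cookie, error) {
	id := make([]byte, 32)
	if _, err := rand.Read(id); err != nil {
		return nil, err
	}
	sid := base64.RawURLEncoding.EncodeToString(id)
	s.sessions[sid] = sessionData{user: user, role: role, expires: time.Now().Add(s.ttl)}
	return &http.Cookie{Name: "sid", Value: sid, Path: "/", HttpOnly: true, Secure: true,
		SameSite: http.SameSiteLaxMode, MaxAge: int(s.ttl.Seconds())}, nil
}

// lookup resolves a presented ID. An unknown, edited or expired ID is rejected, so a client
// that tampers with its cookie can only lose its own session, never change its role.
func (s *sessionStore) lookup(sid string) (sessionData, error) {
	d, ok := s.sessions[sid]
	if !ok || time.Now().After(d.expires) {
		delete(s.sessions, sid)
		return sessionData{}, errors.New("invalid or expired session")
	}
	return d, nil
}
```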
Summary of HTTP and HTTPS
HTTP is an unencrypted, stateless protocol using port 80, offering fast performance but no security or identity verification. HTTPS adds SSL/TLS encryption, uses port 443, provides confidentiality, integrity, and server authentication via digital certificates, at the cost of a modest performance overhead.