Why HTTP Is Unsafe and How HTTPS Secures Your Data

HTTP Protocol

HTTP is a text‑based application‑layer protocol used for client‑server communication. It transmits requests and responses in clear text, which makes it vulnerable to eavesdropping and tampering.

HTTP Request and Response Example

POST http://www.baidu.com HTTP/1.1
Host: www.baidu.com
Connection: keep-alive
Content-Length: 7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

wd=HTTP

HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Encoding: gzip
Content-Type: text/html;charset=utf-8
Date: Thu, 14 Feb 2019 07:23:49 GMT
Transfer-Encoding: chunked

<html>...</html>

Man‑in‑the‑Middle Attack on HTTP

Because HTTP traffic is unencrypted, an attacker positioned between client and server can read and modify the data. The example shows a user posting "I love JAVA" on a forum, which an attacker changes to "I love PHP", demonstrating how easy it is to alter content.

Why Simple Symmetric Encryption Is Not Sufficient

Even if the payload is encrypted with a symmetric algorithm such as AES, the key exchange itself is still exposed in clear text. An attacker who intercepts the initial handshake can obtain the symmetric key and decrypt subsequent traffic.

Asymmetric Encryption with RSA

To protect the key exchange, RSA is used. The server generates a public‑private key pair and sends the public key to the client. The client creates a random AES key, encrypts it with the server’s public key, and sends the ciphertext back. The server decrypts it with its private key, establishing a shared secret for symmetric encryption.

Advanced Man‑in‑the‑Middle Attack

An attacker can act as a proxy, generating its own key pair and presenting a forged certificate to the client. By doing so, the attacker obtains the client‑generated AES key, allowing full decryption of the traffic.

HTTPS Protocol

HTTPS is HTTP over SSL/TLS (TLS is the modern name for SSL). It adds encryption, integrity, and authentication to HTTP traffic.

SSL/TLS Handshake Overview

The handshake establishes a secure channel by exchanging certificates, verifying them, and deriving shared symmetric keys for the session.

Certificate Authority (CA) System

Certificates are issued by trusted CAs whose root certificates are pre‑installed in operating systems and browsers. A server’s certificate is signed by a CA, forming a chain of trust up to a root CA.

Server Certificate Verification

The client validates the server’s certificate by checking the signature with the issuer’s public key, then recomputing the signature over the certificate’s contents. If the signatures match, the certificate is trusted and the public key can be used for the key exchange.

Conclusion

HTTP is insecure because it transmits data in clear text, making it vulnerable to man‑in‑the‑middle attacks. HTTPS mitigates these risks through TLS handshakes, asymmetric key exchange, and a robust CA trust model, ensuring confidentiality, integrity, and authenticity of web communications.