Why HTTPS Matters: A Deep Dive into HTTP, Encryption, Cookies, and Sessions
This article explains the fundamentals of HTTP and HTTPS, detailing how web requests travel across the internet, the roles of IP and MAC addresses, port numbers, request and response structures, encryption methods, digital certificates, and the differences between cookies and sessions.
HTTP and HTTPS Overview
HTTP (HyperText Transfer Protocol) is a stateless, plaintext protocol used for client‑server communication. Because it lacks encryption, HTTP traffic can be intercepted or altered by a man‑in‑the‑middle. HTTPS adds an SSL/TLS layer on top of HTTP, providing confidentiality, integrity, and server authentication.
Internet Message Flow
When a user enters a URL, the domain name is resolved to an IP address by DNS. The request is then forwarded through a series of routers (the "postal system" of the Internet). Each router forwards the packet based on the destination IP and updates the link‑layer MAC address for the next hop until the packet reaches the target server.
Common Service Ports
HTTP – 80
HTTPS – 443
FTP – 21
MySQL – 3306
SSH – 22
HTTP Protocol Details
HTTP follows a request‑response model. A request consists of a request line, headers, and an optional body. A response contains a status line, headers, and a body.
Example Request
GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate, br
The client asks for /index.html using the GET method and advertises supported encodings.
Example Response
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 1234
<html>...</html>
The server returns status 200, declares the payload type and length, and includes the HTML content.
Common Methods
GET – Retrieve a resource; parameters are placed in the URL; cache‑friendly.
POST – Submit data in the request body (e.g., form submission, file upload).
PUT – Replace an existing resource with the supplied representation.
DELETE – Remove a resource.
Status Codes
200 OK – Success.
400 Bad Request – Client syntax error.
404 Not Found – Resource does not exist.
405 Method Not Allowed – Method not supported by the target resource.
500 Internal Server Error – Server failure.
502 Bad Gateway – Invalid response from an upstream server.
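The request and response examples above follow the same shape: a start line, a header block terminated by an empty line, and an optional body whose length is announced by Content-Length. The parser below is an added example (not code from the article) that handles both message kinds and refuses malformed input rather than guessing; the two sample messages are constructed to mirror the article's examples, and chunked transfer encoding is deliberately out of scope.

```python
"""Parser for HTTP/1.1 request and response messages.

Added example, not code from the original article. It accepts the kind of
messages shown above (request line or status line, headers, optional body)
and rejects malformed or truncated input instead of guessing.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample messages mirroring the article's examples.
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept-Encoding: gzip, deflate, br\r\n"
    b"\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 17\r\n"
    b"\r\n"
    b"<html>...</html>\n"
)


@dataclass
class HttpMessage:
    start_line: str
    headers: Dict[str, str] = field(default_factory=dict)  # lower-cased names
    body: bytes = b""
    # Request fields
    method: Optional[str] = None
    target: Optional[str] = None
    # Response fields
    status: Optional[int] = None
    reason: Optional[str] = None
    version: str = ""


def parse_http_message(raw: bytes) -> HttpMessage:
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: header block not terminated")
    lines = head.decode("iso-8859-1").split("\r\n")
    msg = HttpMessage(start_line=lines[0])

    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # A header name must be a non-empty token with no surrounding whitespace;
        # folded continuation lines (obs-fold) are rejected rather than merged.
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        key = name.lower()  # header names are case-insensitive
        if key == "content-length" and key in msg.headers:
            # Conflicting length headers are the classic request-smuggling ambiguity.
            raise ValueError("duplicate Content-Length header")
        msg.headers[key] = value.strip()

    if msg.start_line.startswith("HTTP/"):
        # Status line: version, 3-digit code, optional reason phrase.
        parts = msg.start_line.split(" ", 2)
        if len(parts) < 2 or not parts[1].isdigit():
            raise ValueError(f"malformed status line: {msg.start_line!r}")
        msg.version, msg.status = parts[0], int(parts[1])
        msg.reason = parts[2] if len(parts) == 3 else ""
    else:
        # Request line: method, target, version, exactly three tokens.
        parts = msg.start_line.split(" ")
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            raise ValueError(f"malformed request line: {msg.start_line!r}")
        msg.method, msg.target, msg.version = parts

    if "content-length" in msg.headers:
        try:
            length = int(msg.headers["content-length"])
        except ValueError:
            raise ValueError("non-numeric Content-Length") from None
        if length < 0:
            raise ValueError("negative Content-Length")
        if len(rest) < length:
            raise ValueError(f"truncated body: expected {length} bytes, got {len(rest)}")
        msg.body = rest[:length]
    # Transfer-Encoding: chunked is not handled by this small parser.
    return msg


if __name__ == "__main__":
    req = parse_http_message(SAMPLE_REQUEST)
    print(req.method, req.target, req.headers["host"])
    resp = parse_http_message(SAMPLE_RESPONSE)
    print(resp.status, resp.headers["content-type"], len(resp.body))
```

Two design choices matter for security: header names are normalised to lower case before lookup, so `Content-Length` and `content-length` cannot be treated as different headers, and a second `Content-Length` is rejected outright, because a message that two parsers could measure differently is exactly what request smuggling exploits.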
HTTPS Encryption
HTTPS secures data using two complementary cryptographic techniques:
Symmetric encryption – Fast, uses a single shared secret key for both encryption and decryption.
Asymmetric encryption – Slower, uses a public‑key/private‑key pair for secure key exchange.
TLS Handshake Process
The client initiates a TLS handshake and receives the server’s digital certificate, which contains the server’s public key.
The client validates the certificate (trust chain, expiration, revocation).
The client generates a random session key, encrypts it with the server’s public key, and sends the ciphertext to the server.
The server decrypts the session key with its private key. Both sides now share a symmetric key for the remainder of the connection.
Digital Certificates
A digital certificate is an electronic identity card issued by a trusted Certificate Authority (CA). It binds a public key to a domain name and includes:
Holder information (organization, domain).
Public key.
CA information.
Validity period.
Digital signature that protects the certificate’s integrity.
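The step that makes all of the above worth anything is the client's validation of the certificate: chain of trust, validity period and the binding of the public key to the requested name. The code below is an added example, not from the article, showing that check configured correctly in Python's standard `ssl` module next to the weak configuration that silently disables it. Two caveats the article does not mention: TLS 1.3 derives the session key with an ephemeral Diffie-Hellman exchange rather than encrypting it to the server's public key as described above (the certificate validation step is unchanged), and Python's default context does not perform revocation checks (CRL/OCSP) on its own. `fetch_peer_certificate` is a hypothetical helper name and needs network access, so the offline checks exercise only the context settings.

```python
"""TLS client context: the validation step done right, beside the common mistake.

Added example, not code from the article. Uses only Python's standard `ssl`
module. fetch_peer_certificate is this example's own helper name.
"""
import socket
import ssl
from typing import Dict, Optional


def make_client_context(strict: bool = True) -> ssl.SSLContext:
    """Return a client context; strict=True is the correct configuration."""
    if strict:
        # create_default_context() loads the platform CA store and sets
        # verify_mode=CERT_REQUIRED and check_hostname=True, so the chain,
        # validity period and name binding are all checked during the handshake.
        # Revocation (CRL/OCSP) is NOT checked by default; that needs extra setup.
        ctx = ssl.create_default_context()
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions
        return ctx
    # Weak configuration seen in the wild: skips certificate validation entirely,
    # so any server presenting any key pair (including a man-in-the-middle) is accepted.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be disabled before CERT_NONE can be set
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe_context(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Summarise the settings that decide whether the server's identity is verified."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def validates_server_identity(ctx: ssl.SSLContext) -> bool:
    """True only if the chain is verified AND the name in the certificate is checked."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch_peer_certificate(host: str, port: int = 443, strict: bool = True) -> Optional[dict]:
    """Run a handshake and return the certificate fields the article lists
    (subject, issuer, validity period). Needs network access; not run offline."""
    ctx = make_client_context(strict)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()  # empty dict when validation was skipped
            if not cert:
                return None
            return {
                "protocol": tls.version(),
                "subject": cert.get("subject"),
                "issuer": cert.get("issuer"),
                "notBefore": cert.get("notBefore"),
                "notAfter": cert.get("notAfter"),
            }


if __name__ == "__main__":
    for strict in (True, False):
        label = "strict" if strict else "weak"
        print(label, describe_context(make_client_context(strict)))
```

The weak branch is what `verify=False`-style shortcuts amount to: the handshake still completes and the traffic is still encrypted, but to whoever answered, which is why a connection made with it is not meaningfully more secure than plain HTTP against an active attacker.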
Cookies and Sessions
Cookies
Cookies are small key‑value pairs stored in the browser to preserve state across HTTP’s stateless requests.
Stored client‑side, so the user can read and modify them; the HttpOnly and Secure flags limit their exposure to page scripts and to unencrypted transport.
Can have an expiration time or be session‑only.
Sent with every request to the originating domain, adding bandwidth overhead.
Sessions
Sessions keep user data on the server. The server generates a unique session identifier, which the client typically stores in a cookie and returns on subsequent requests.
Stored server‑side, making it harder for a client to modify.
Relies on a cookie (or other transport) to convey the session ID.
Data is not directly exposed to the client.
Cookie vs. Session Comparison
Storage : Cookie – client; Session – server.
Security : Cookie – vulnerable to tampering; Session – more secure because data resides on the server.
Capacity : Cookie – typically ~4 KB per entry; Session – limited only by server resources.
Lifetime : Cookie – configurable expiration; Session – ends when the browser closes or the server invalidates it.
Data transmitted : Cookie – full content with each request; Session – only the session ID is transmitted.
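The comparison above comes down to one design: keep the data on the server, hand the browser nothing but an unguessable identifier, and set the cookie flags so that identifier is hard to steal. The following added example (not code from the article; `SessionStore`, `session_cookie_header` and `session_from_request` are this example's own names) implements that with only the standard library. The in-memory dict stands in for a real session backend, and the clock is injectable so expiry can be exercised without waiting.

```python
"""Server-side sessions carried by a hardened cookie.

Added example, not code from the article. The class and function names are
this example's own; the dict-backed store stands in for a real backend.
"""
import secrets
import time
from http.cookies import SimpleCookie
from typing import Callable, Dict, Optional

SESSION_COOKIE = "sid"
SESSION_TTL = 1800  # seconds of inactivity before the server invalidates the session


class SessionStore:
    """Keeps user data on the server; the client only ever sees the random ID."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, dict] = {}
        self._clock = clock  # injectable so expiry can be tested without sleeping

    def create(self, user_data: dict) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: unguessable
        self._sessions[sid] = {
            "data": dict(user_data),
            "expires": self._clock() + SESSION_TTL,
        }
        return sid

    def get(self, sid: str) -> Optional[dict]:
        entry = self._sessions.get(sid)
        if entry is None:
            return None  # unknown or forged ID: nothing to tamper with client-side
        if entry["expires"] < self._clock():
            del self._sessions[sid]  # expired: invalidated on the server side
            return None
        entry["expires"] = self._clock() + SESSION_TTL  # sliding expiry on activity
        return entry["data"]

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)  # logout: the cookie value becomes worthless


def session_cookie_header(sid: str) -> str:
    """Value for a Set-Cookie header that carries only the session ID."""
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = sid
    morsel = cookie[SESSION_COOKIE]
    morsel["httponly"] = True   # not readable from page scripts (limits theft via XSS)
    morsel["secure"] = True     # sent only over HTTPS, never in clear text on port 80
    morsel["samesite"] = "Lax"  # not attached to most cross-site requests
    morsel["path"] = "/"
    morsel["max-age"] = SESSION_TTL
    return morsel.OutputString()


def session_from_request(store: SessionStore, cookie_header: str) -> Optional[dict]:
    """Resolve the Cookie request header to server-side data, or None."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get(SESSION_COOKIE)
    if morsel is None:
        return None
    return store.get(morsel.value)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create({"user": "alice", "role": "user"})
    print("Set-Cookie:", session_cookie_header(sid))
    print(session_from_request(store, f"theme=dark; {SESSION_COOKIE}={sid}"))
    print(session_from_request(store, f"{SESSION_COOKIE}=forged-value"))  # None
```

Note what the client never receives: the role, the user name, or anything it could edit to its advantage. Editing the cookie only yields an identifier the store has never issued, and the lookup returns None; the cookie's contents are the Data transmitted row of the comparison reduced to a single opaque token.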
HTTP vs. HTTPS Comparison
HTTP transmits data in clear text on port 80; HTTPS encrypts data on port 443 using SSL/TLS.
HTTPS provides server authentication via digital certificates, ensuring trust and data integrity.
HTTPS adds a modest performance cost due to encryption/decryption; HTTP is slightly faster.
Browsers indicate HTTPS with a lock icon and the https:// scheme, while HTTP shows http:// without a security indicator.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)