Thursday, 25 July 2013

Differentiate between HTTP and HTTPS

What is HTTP? 
HTTP, the Hypertext Transfer Protocol, is the application-level protocol that is used to transfer data on the Web. HTTP comprises the rules by which Web browsers and servers exchange information. Although most people think of HTTP only in the context of the World-Wide Web, it can be, and is, used for other purposes, such as distributed object management systems. 

What is HTTPS?
HTTPS (Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol developed by Netscape.

One can say: HTTPS = HTTP + SSL

HTTPS uses Secure Socket Layer (SSL) as a sublayer under its regular HTTP application layering.

How Does HTTP Work? 

HTTP is a request-response protocol. For example, a Web browser initiates a request to a server, typically by opening a TCP/IP connection. The request itself comprises a request line, a set of request headers, and an entity. The server sends a response that comprises a status line, a set of response headers, and an entity. The entity in the request or response can be thought of simply as the payload, which may be binary data. The other items are readable ASCII characters. When the response has been completed, either the browser or the server may terminate the TCP/IP connection, or the browser can send another request.
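
The message structure described above, as an added example that is not part of the original post: a small Python parser that splits a request and a response into start line, headers and entity, and lists which parts plain HTTP leaves readable on the network. The host name, cookie and form values are constructed samples, and the function names are this example's own.

```python
# Added example; REQUEST and RESPONSE below are constructed sample messages.
SENSITIVE = {"authorization", "proxy-authorization", "cookie", "set-cookie"}

def parse_http_message(raw: bytes):
    """Split one HTTP/1.x message into (start_line, headers, entity)."""
    head, sep, entity = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block is not terminated by a blank line")
    # Start line and headers are readable ASCII; the entity stays as bytes.
    lines = head.decode("ascii").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.lower(), value.strip()))
    # Content-Length bounds the entity; reject ambiguous or short messages.
    lengths = {v for n, v in headers if n == "content-length"}
    if len(lengths) > 1:
        raise ValueError("conflicting Content-Length headers")
    if lengths:
        declared = lengths.pop()
        if not declared.isdigit() or int(declared) > len(entity):
            raise ValueError("bad or truncated Content-Length")
        entity = entity[:int(declared)]
    return lines[0], headers, entity

def readable_on_the_wire(headers, entity):
    """List what plain HTTP (no SSL layer) leaves readable to the network."""
    exposed = [name for name, _ in headers if name in SENSITIVE]
    if entity:
        exposed.append("entity")
    return exposed

BODY = b"user=alice&card=0000-constructed"
REQUEST = (b"POST /checkout HTTP/1.1\r\nHost: shop.example\r\n"
           b"Cookie: session=constructed\r\n"
           b"Content-Length: %d\r\n\r\n" % len(BODY)) + BODY
# Binary entity: the 8-byte PNG signature, which itself contains CR LF.
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
            b"Content-Length: 8\r\n\r\n\x89PNG\r\n\x1a\n")

if __name__ == "__main__":
    for raw in (REQUEST, RESPONSE):
        start, headers, entity = parse_http_message(raw)
        print(start, headers, entity, readable_on_the_wire(headers, entity))
```

Over HTTPS the same bytes travel inside the encrypted SSL connection, so none of these parts is readable in transit.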

How Does HTTPS Work?

For an HTTPS connection, the server needs a public key and a signed certificate.
When using an HTTPS connection, the server responds to the initial connection by offering a list of encryption methods it supports. In response, the client selects a connection method, and the client and server exchange certificates to authenticate their identities. After this is done, both parties exchange the encrypted information after ensuring that both are using the same key, and the connection is closed. In order to host HTTPS connections, a server must have a public key certificate, which embeds key information with a verification of the key owner's identity. Most certificates are verified by a third party so that clients are assured that the key is secure.
In other words, we can say that HTTPS works similarly to HTTP, but SSL adds some spice to it.

HTTP includes the following actions:

1. The browser opens a TCP connection. 
2. The browser sends an HTTP request to the server.
3. The server sends an HTTP response to the browser.
4. The TCP connection is closed.

SSL will include the following actions:

1. Authenticate the server to the client. 
2. Allow the client and server to select the cryptographic algorithms, or ciphers, that they both support.
3. Optionally authenticate the client to the server. 
4. Use public-key encryption techniques to generate shared secrets. 
5. Establish an encrypted SSL connection.
6. Once the SSL connection is established the usual transfer of HTTP requests will continue.

Where should HTTPS be used?

HTTPS should be used in Banking Websites, Payment Gateway, Shopping Websites, Login Pages, Emails (Gmail offers HTTPS by default in Chrome browser) and Corporate Sector Websites. For example:

Google AdSense:

Beware of using credit card numbers on the Internet: If a website ever asks you to enter your credit card information, you should automatically look to see if the web address begins with https://. If it doesn't, there's no way you're going to enter sensitive information like a credit card number!

Browser integration

Most browsers display a warning if they receive an invalid certificate. Older browsers, when connecting to a site with an invalid certificate, would present the user with a dialog box asking if they wanted to continue. Newer browsers display a warning across the entire window. Newer browsers also prominently display the site's security information in the address bar. Extended validation certificates turn the address bar green in newer browsers. Most browsers also display a warning to the user when visiting a site that contains a mixture of encrypted and unencrypted content.

Basic Difference
HTTP protocol
1. The URL starts with http:// and its communication port is 80.
2. Normal transmission of information between the web server and the client browser.
3. A protocol for data viewing between the networks.
4. A non-secured protocol.
5. Information-related websites use this protocol.
6. An SSL certificate is not required.

HTTPS protocol
1. The URL starts with https:// and its default port is 443.
2. Encrypts the information to be transmitted between the client browser and the web server and vice versa.
3. A grouping of two protocols, namely HTTP and the SSL/TLS protocol.
4. An HTTP protocol, but with security.
5. Banking websites, online shopping websites with a payment gateway, emails, and social networking sites use this protocol.
6. An SSL certificate is essential in the case of online shopping.
