Hypertext Transfer Protocol, or HTTP, is the application protocol that underpins the World Wide Web. But what does this actually mean, and how does it relate to HTTPS? In this post, I’ll try to provide a fundamental understanding of what HTTP is, how it relates to HTTPS and what the implications of both are.
So, what does HTTP being an application protocol mean? First, we need to understand what is meant by “application” and “protocol”. The internet is designed as a stack of layers, ranging from the physical layer, which covers the hardware that actually transmits bits, up to the application layer, where programs such as browsers and web servers exchange messages with each other. HTTP, and by extension HTTPS, both sit in the application layer. A protocol is a set of rules dictating the format and ordering of the data exchanged over a network, so HTTP is the set of rules for transferring hypertext. Hypertext is text displayed on a computer that references other text which can be reached directly through hyperlinks.
Tim Berners-Lee at CERN proposed HTTP in 1989 as a request-response protocol between clients and servers. At this point this may sound like a lot of jargon, but bear with me; the concept is best explained by example. When you go into your browser and enter some address, say www.wikipedia.com, your browser sends an HTTP request to the server hosting Wikipedia. The server receives this request, processes it, and sends a response message back to your browser. The response contains a status line (such as 200 OK or 404 Not Found), some headers describing the response, and usually a body, such as the HTML file that makes up the webpage you asked for. This request-response paradigm is how every website that speaks HTTP works.
The requests and responses in HTTP are sent in plaintext. Plaintext is raw information that is sent over a communication system as-is and doesn’t need to be decrypted to be understood. Obviously, this raises major alarm bells for sensitive request-response interactions such as banking, because anyone on the path between the client and the server (the café wi-fi, the ISP, a compromised router) can read every request and response, and an active man-in-the-middle can modify them as well. Plain HTTP gives you neither confidentiality nor integrity. Thus, HTTPS was developed as an extension of HTTP to allow secure request-response interactions to take place.
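The exchange described above, as an added example that is not part of the original post: a throwaway local HTTP server plus a client that writes the request over a plain TCP socket and reads the raw bytes back, so the plaintext nature of the protocol is visible on the wire. The page body and the loopback address are constructed for the example; nothing leaves the machine.

```python
"""Added example: one HTTP/1.1 request-response exchange over a raw socket.
The server and its page content are constructed here so it runs offline."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

PAGE = b"<html><body><h1>Hello</h1></body></html>"  # constructed page body


class Handler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"  # HTTP/1.1 so Content-Length and Connection are honoured

    def do_GET(self):
        if self.path == "/":
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(PAGE)))
            self.end_headers()
            self.wfile.write(PAGE)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the console quiet
        pass


def start_server():
    """Bind to an ephemeral loopback port and serve in a background thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def raw_get(host, port, path):
    """Send a minimal GET by hand and return the raw response bytes.

    This is exactly what an eavesdropper between client and server sees:
    the request line, headers and body are all readable ASCII."""
    request = (f"GET {path} HTTP/1.1\r\n"
               f"Host: {host}:{port}\r\n"
               "Connection: close\r\n"
               "\r\n").encode()
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(request)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:          # server closes after the response
                break
            chunks.append(data)
    return b"".join(chunks)


def parse_response(raw):
    """Split a raw response into (status, reason, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _version, status, reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), reason, headers, body


def fetch(path="/"):
    """Start a server, perform one exchange, tear the server down."""
    srv = start_server()
    try:
        raw = raw_get("127.0.0.1", srv.server_address[1], path)
    finally:
        srv.shutdown()
        srv.server_close()
    return parse_response(raw)


if __name__ == "__main__":
    status, reason, headers, body = fetch("/")
    print(status, reason)
    print(headers)
    print(body.decode())
```

Run it and compare the printed headers with what `raw_get` sent: both sides are human-readable text, which is the whole reason HTTPS exists.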
HTTPS is, by definition, secure HTTP: HTTP carried over TLS (Transport Layer Security) or, historically, over its predecessor SSL (Secure Sockets Layer). SSL is deprecated and modern browsers only speak TLS, although the name “SSL certificate” has stuck. TLS is not itself an encryption scheme; it is a protocol that combines asymmetric (public-private key) cryptography, used to authenticate the server and agree on a key, with symmetric encryption, used for the actual traffic once both sides share that key. The public-private key technique allows data to be encrypted with a public key, which is available to anyone, but decrypted only with the matching private key. For example, let’s say computer A wants computer B to send it some information. Computer A says to computer B, send me this information but encrypt it using this public key. Computer B encrypts the information using the public key and sends it to computer A. Computer A can then decrypt it using the private key, which only A holds. RSA is one example of such a scheme. What’s so beneficial about this is that anyone listening in on the traffic between A and B can capture the encrypted data and can have the public key, yet still cannot decrypt it. So, how does this relate to HTTPS? When your browser requests an HTTPS connection to a website, the website sends its certificate to your browser. The certificate contains the server’s public key, the domain name(s) it is valid for, a validity period, and a signature from a certificate authority (CA) that your browser already trusts. The browser checks that the signature verifies under the CA’s key, that the name matches the site you asked for, and that the certificate has not expired, amongst other things. It then uses the server’s key to agree on a fresh session key (in TLS 1.2 by encrypting a secret to the server’s public key; in TLS 1.3 through a Diffie-Hellman exchange that the server signs with its certificate key), and everything after that is encrypted symmetrically. This is the “TLS handshake”, still commonly called the SSL handshake. If the handshake succeeds, the connection is encrypted and authenticated, and most browsers show a padlock on the left side of the URL bar. Note what the padlock does and doesn’t mean: your traffic is private and reaches the domain shown in the URL bar unmodified; it says nothing about whether that domain is honest. Certificates also come in different validation levels (domain, organisation and extended validation). Banks and other high-value sites typically buy the stricter ones, but the encryption on the wire is the same.
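A toy model of the handshake checks described above, added here as an example; it is not code from the original post. Textbook RSA with small Mersenne primes stands in for real 2048-bit keys, a truncated SHA-256 stands in for a padded signature, and XOR with a hash keystream stands in for AES, so nothing here is secure. The hostnames, the CA and the “dates” are constructed. It models the RSA key transport of TLS 1.2; TLS 1.3 derives the session key from an ephemeral Diffie-Hellman exchange instead. What it shows is the three certificate checks (signature, name, validity) and that only the holder of the private key recovers the session secret.

```python
"""Added example: a toy HTTPS handshake. NOT secure (textbook RSA, tiny
primes, no padding); it only makes the structure of the real thing visible."""
import hashlib
import secrets

# Mersenne primes: instant to compute with, large enough that a 128-bit value
# fits under each modulus. Real RSA keys are 2048 bits or more.
SERVER_PRIMES = ((1 << 89) - 1, (1 << 107) - 1)
CA_PRIMES = ((1 << 61) - 1, (1 << 127) - 1)
E = 65537


def keygen(p, q, e=E):
    """Textbook RSA key pair: public (n, e), private (n, d)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def rsa(key, m):
    """Modular exponentiation: encrypt/verify with the public key,
    decrypt/sign with the private key."""
    n, exp = key
    return pow(m, exp, n)


def h128(*parts):
    """128-bit truncated SHA-256 as an integer (stand-in for a padded hash)."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest()[:16], "big")


def tbs(subject, pub, not_after):
    """The to-be-signed fields: the CA vouches for exactly this tuple."""
    n, e = pub
    return (subject.encode(), str(n).encode(), str(e).encode(), str(not_after).encode())


def issue_certificate(ca_priv, subject, server_pub, not_after):
    """The CA binds a hostname and validity period to the server's public key."""
    return {"subject": subject, "pub": server_pub, "not_after": not_after,
            "sig": rsa(ca_priv, h128(*tbs(subject, server_pub, not_after)))}


def verify_certificate(cert, ca_pub, hostname, now):
    """What the browser checks before trusting the key in the certificate."""
    expected = h128(*tbs(cert["subject"], cert["pub"], cert["not_after"]))
    sig_ok = rsa(ca_pub, cert["sig"]) == expected   # signed by a CA we trust
    name_ok = cert["subject"] == hostname           # for the site we asked for
    time_ok = now <= cert["not_after"]              # still within its validity
    return sig_ok and name_ok and time_ok


def keystream_xor(key, record_no, data):
    """Toy symmetric record encryption: XOR with SHA-256(key||record||offset)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + record_no.to_bytes(8, "big")
                               + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def handshake(hostname, cert, ca_pub, server_priv, now):
    """RSA key transport as in TLS 1.2. Returns the keys each side derived."""
    if not verify_certificate(cert, ca_pub, hostname, now):
        raise ValueError("certificate verification failed")
    premaster = secrets.randbits(128)
    encrypted = rsa(cert["pub"], premaster)          # ClientKeyExchange on the wire
    server_premaster = rsa(server_priv, encrypted)   # only the private key recovers it
    client_key = hashlib.sha256(premaster.to_bytes(16, "big")).digest()
    server_key = hashlib.sha256(server_premaster.to_bytes(16, "big")).digest()
    return client_key, server_key


def demo(hostname="www.example.com", now=2000):
    """Full flow with constructed names and dates. Returns three booleans:
    keys agree, wire bytes differ from the request, server decrypts it."""
    ca_pub, ca_priv = keygen(*CA_PRIMES)
    server_pub, server_priv = keygen(*SERVER_PRIMES)
    cert = issue_certificate(ca_priv, "www.example.com", server_pub, not_after=3000)
    client_key, server_key = handshake(hostname, cert, ca_pub, server_priv, now)
    request = b"GET /account HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    on_the_wire = keystream_xor(client_key, 1, request)   # what an eavesdropper sees
    decrypted = keystream_xor(server_key, 1, on_the_wire)
    return client_key == server_key, on_the_wire != request, decrypted == request


if __name__ == "__main__":
    print(demo())
```

Try calling `demo("evil.example.net")`: the certificate is perfectly well signed, but the name check fails and the handshake aborts, which is the check a phishing site cannot get past without a certificate for your domain.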
So, what does any of this have to do with you and your website? An SSL certificate is obviously essential for websites with e-commerce capabilities, logins, or any other handling of personal data. However, there are additional benefits. Google has used HTTPS as a signal in its ranking algorithm since 2014, and browsers mark plain-HTTP pages as “Not secure” in the address bar, so a site without a certificate is likely to rank lower and to put off visitors. Therefore, besides making your website secure, having an SSL certificate can increase your online presence.
Do you have any questions or comments regarding encryption or HTTPS? Let me know in the comments below.