HTTP/HTTPS


HTTP and HTTPS: The Foundation of the Web

What is HTTP?

HTTP (Hypertext Transfer Protocol) is the fundamental protocol of the World Wide Web, created in 1989 by Tim Berners-Lee. Every time you visit a website, your browser is speaking HTTP with a web server.

Think of HTTP as the language your browser uses to:

  • Request web pages from servers

  • Send form data (like login credentials or search queries)

  • Download images, videos, and other content

  • Upload files

The Request-Response Model

HTTP works on a simple principle: request and response. You ask for something, the server sends it back.


HTTP Methods: Different Types of Requests

HTTP has several "verbs" that tell the server what you want to do:

GET - Retrieve data (like loading a web page)

POST - Send data to the server (like submitting a form)

PUT - Update existing data

DELETE - Remove data

HEAD - Get just the headers, not the content

OPTIONS - Ask what methods are allowed


HTTP Status Codes: The Server's Response

When the server responds, it includes a status code that tells you what happened:

2xx = Success

  • 200 OK - Everything worked perfectly

  • 201 Created - New resource was created

3xx = Redirection

  • 301 Moved Permanently - Resource has a new address

  • 304 Not Modified - Use your cached version

4xx = Client Error (you messed up)

  • 400 Bad Request - Your request doesn't make sense

  • 401 Unauthorized - You need to log in

  • 403 Forbidden - You can't access this

  • 404 Not Found - This page doesn't exist

  • 429 Too Many Requests - Slow down!

5xx = Server Error (they messed up)

  • 500 Internal Server Error - Something broke on the server

  • 502 Bad Gateway - Problem with an intermediate server

  • 503 Service Unavailable - Server is overloaded or down


The Critical Problem: HTTP is Insecure

Just like FTP, HTTP sends everything in plain text. This means:

  • Your passwords are visible to anyone monitoring the network

  • Your credit card numbers can be stolen

  • Hackers can see what pages you visit

  • Data can be modified in transit (man-in-the-middle attacks)

This is especially dangerous on:

  • Public Wi-Fi networks (coffee shops, airports)

  • Shared networks

  • Any network you don't control


Enter HTTPS: HTTP Made Secure

HTTPS (HTTP Secure) is HTTP wrapped in encryption using TLS/SSL (Transport Layer Security / Secure Sockets Layer). It's the same protocol, just protected.

How HTTPS Works: The Handshake

When you connect to an HTTPS website, something special happens before any data is exchanged:

What HTTPS Actually Protects

Confidentiality - Data is encrypted, so eavesdroppers see gibberish

Integrity - Data can't be modified without detection

Authentication - You're talking to the real server, not an imposter

SSL Certificates: Trust But Verify

HTTPS relies on SSL/TLS certificates issued by trusted organizations called Certificate Authorities (CAs) like:

  • Let's Encrypt (free)

  • DigiCert

  • GlobalSign

  • Sectigo

When you visit https://example.com, your browser checks:

  1. Is the certificate valid and not expired?

  2. Was it issued by a trusted CA?

  3. Does it match the domain you're visiting?

  4. Has it been revoked?

If any check fails, you get a scary warning like "Your connection is not private."


Real-World HTTP vs HTTPS Examples

Example 1: Logging into a Website

HTTP (❌ Insecure):

Anyone on the network can steal your password

HTTPS (✅ Secure):

Only you and the server can read the data

Example 2: Browsing a Website

HTTP:

  • Your ISP knows you're reading this specific article

  • Government/employers can monitor your browsing

  • Ads can track you across sites

HTTPS:

  • Your ISP only knows you visited news.com (not which article)

  • Content is private

  • More difficult to track


Where HTTP/HTTPS Is Used

HTTPS is Everywhere (and Should Be)

Currently using HTTPS:

  • Banking websites (absolutely required)

  • E-commerce sites (Amazon, eBay, etc.)

  • Social media (Facebook, Twitter, Instagram)

  • Email services (Gmail, Outlook)

  • Search engines (Google, Bing)

  • Streaming services (Netflix, YouTube)

  • Nearly all modern websites

HTTP Still Exists But Is Dying

Remaining HTTP usage:

  • Very old legacy systems

  • Internal corporate networks (though this is risky)

  • IoT devices with limited computing power

  • Some local development environments

Why HTTP is being phased out:

  • Chrome marks HTTP sites as "Not Secure"

  • Google penalizes HTTP sites in search rankings

  • Users don't trust HTTP sites

  • Modern web features require HTTPS

  • Free certificates from Let's Encrypt make HTTPS easy


Technical Differences Summary

| Feature | HTTP | HTTPS |
|---|---|---|
| Port | 80 | 443 |
| Encryption | None | TLS/SSL |
| Security | Vulnerable | Protected |
| Speed | Slightly faster | Minimal overhead (1-2%) |
| Certificate | Not needed | Required |
| Browser indicator | "Not Secure" warning | 🔒 Padlock icon |
| Data visibility | Plain text | Encrypted |
| Trust | None | Verified by CA |

Modern Web Requirements

Many modern web features require HTTPS:

  • Geolocation - Browsers won't share your location over HTTP

  • Camera/Microphone access - Requires HTTPS

  • Service Workers - For offline functionality, HTTPS only

  • HTTP/2 - The faster protocol requires HTTPS

  • Progressive Web Apps (PWAs) - Must use HTTPS

  • Secure cookies - Can't be used over HTTP

  • Payment APIs - Credit card processing requires HTTPS


Performance: HTTP/2 and HTTP/3

The protocol has evolved:

HTTP/1.1 (1997) - One request at a time per connection

HTTP/2 (2015) - Multiple simultaneous requests, header compression, requires HTTPS

HTTP/3 (2022) - Built on QUIC protocol, even faster, uses UDP instead of TCP

All modern browsers and servers support HTTP/2, and HTTP/3 is rapidly being adopted. These improvements make HTTPS even faster than old HTTP/1.1.


HTTP is the foundation of the web, but it's insecure by design. Think of it as sending postcards - anyone handling them can read the content.

HTTPS is HTTP with encryption. It's like sending locked boxes that only you and the recipient can open. This is now the standard for all websites.

Always check for the padlock 🔒 in your browser's address bar, especially before entering passwords, credit cards, or personal information.


TLS vs SSL: Quick Overview

SSL and TLS are essentially the same thing - protocols that encrypt internet traffic. TLS is simply the newer, more secure version of SSL.

The Evolution

SSL (Secure Sockets Layer)

  • SSL 1.0 - Never released (too flawed)

  • SSL 2.0 (1995) - Deprecated, insecure

  • SSL 3.0 (1996) - Deprecated in 2015, has vulnerabilities

TLS (Transport Layer Security)

  • TLS 1.0 (1999) - Upgraded SSL 3.0

  • TLS 1.1 (2006) - Better security

  • TLS 1.2 (2008) - Still widely used

  • TLS 1.3 (2018) - Current standard, fastest and most secure

Key Difference

SSL is the old name, TLS is the new name. When people say "SSL certificate" or "SSL/TLS," they're almost always referring to TLS in practice.

It's like how people still say "dial a phone number" even though phones don't have dials anymore - SSL is the legacy term that stuck around.

What's Actually Used Today

  • All modern websites use TLS 1.2 or TLS 1.3

  • SSL 2.0 and SSL 3.0 are completely broken and disabled in browsers

  • The term "SSL certificate" persists for historical reasons, but it's actually a TLS certificate

When you see "SSL/TLS" or hear someone say "SSL," they mean TLS - the modern, secure version. SSL itself is dead and has been for years. The name just refuses to die because it became so well-known.
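The browser's certificate checks from "SSL Certificates: Trust But Verify" and the TLS 1.2/1.3 floor described above, expressed as client configuration in Python's standard `ssl` module. This is an added example, not code from the original page; the function names are hypothetical, and the weakened context is there only as the "before" to compare against.

```python
import ssl

# Minimum protocol versions accepted by the audit (TLS 1.2 or TLS 1.3).
OK_MIN_VERSIONS = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def hardened_client_context() -> ssl.SSLContext:
    """Client context that enforces chain, expiry and hostname checks."""
    ctx = ssl.create_default_context()            # loads the system's trusted CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL 3.0, TLS 1.0, TLS 1.1
    return ctx


def weakened_client_context() -> ssl.SSLContext:
    """The 'make the certificate error go away' setup, kept only for comparison."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE   # any certificate is accepted, even an imposter's
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the checks that this context does not enforce."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("validity/trusted CA: certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("domain match: hostname is not compared with the certificate")
    if ctx.minimum_version not in OK_MIN_VERSIONS:
        findings.append("protocol: versions older than TLS 1.2 are allowed")
    if not ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF:
        findings.append("revocation: CRL checking is not enabled")
    return findings
```

Even the hardened context reports the revocation item: Python's `ssl` module only checks revocation when a CRL is loaded and the flag is set, so that check has to be handled separately.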

