# HTTP/HTTPS

***

### HTTP and HTTPS: The Foundation of the Web

#### What is HTTP?

**HTTP (Hypertext Transfer Protocol)** is the fundamental protocol of the World Wide Web, created in 1989 by Tim Berners-Lee. Every time you visit a website, your browser is speaking HTTP with a web server.

Think of HTTP as the language your browser uses to:

* Request web pages from servers
* Send form data (like login credentials or search queries)
* Download images, videos, and other content
* Upload files

**The Request-Response Model**

HTTP works on a simple principle: **request and response**. You ask for something, the server sends it back.

<figure><img src="https://2332658533-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FG5fhKjYnbaQlTPTcaO85%2Fuploads%2FHhGfAbLV4N5g4dHtPHju%2Fhttp-request-response.svg?alt=media&#x26;token=5da31265-9929-421c-a54f-6f25f3f601cf" alt=""><figcaption></figcaption></figure>

***

#### HTTP Methods: Different Types of Requests

HTTP has several "verbs" that tell the server what you want to do:

**GET** - Retrieve data (like loading a web page)

```
GET /products/laptop HTTP/1.1
Host: shop.example.com
```

**POST** - Send data to the server (like submitting a form)

```
POST /login HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

username=john&password=secret123
```

**PUT** - Update existing data

**DELETE** - Remove data

**HEAD** - Get just the headers, not the content

**OPTIONS** - Ask what methods are allowed

***

#### HTTP Status Codes: The Server's Response

When the server responds, it includes a status code that tells you what happened:

**2xx = Success**

* 200 OK - Everything worked perfectly
* 201 Created - New resource was created

**3xx = Redirection**

* 301 Moved Permanently - Resource has a new address
* 304 Not Modified - Use your cached version

**4xx = Client Error (you messed up)**

* 400 Bad Request - Your request doesn't make sense
* 401 Unauthorized - You need to log in
* 403 Forbidden - You can't access this
* 404 Not Found - This page doesn't exist
* 429 Too Many Requests - Slow down!

**5xx = Server Error (they messed up)**

* 500 Internal Server Error - Something broke on the server
* 502 Bad Gateway - Problem with an intermediate server
* 503 Service Unavailable - Server is overloaded or down
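As an added example (not code from the original page), a small Python parser for the raw HTTP/1.1 messages shown in the method and status-code sections above: it splits a request into method, target, headers and form fields, checks that `Content-Length` matches the body, and maps a response code to its class. The request and response are constructed samples, not captured traffic.

```python
from urllib.parse import parse_qs

# Constructed sample traffic in the raw HTTP/1.1 wire format shown above
# (not captured from any real site). Lines end in CRLF and a blank line
# separates the headers from the body.
SAMPLE_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 32\r\n"
    "\r\n"
    "username=john&password=secret123"
)
SAMPLE_RESPONSE = "HTTP/1.1 401 Unauthorized\r\nContent-Length: 0\r\n\r\n"

STATUS_CLASSES = {2: "success", 3: "redirection",
                  4: "client error", 5: "server error"}

def split_message(raw):
    """Split a raw HTTP/1.1 message into (start line, headers, body).
    Header names are case-insensitive, so they are stored lower-cased."""
    head, _, body = raw.partition("\r\n\r\n")
    start_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start_line, headers, body

def parse_request(raw):
    """Return method, target, version, headers and any decoded form fields."""
    start_line, headers, body = split_message(raw)
    method, target, version = start_line.split(" ")
    declared = int(headers.get("content-length", 0))
    if declared != len(body.encode()):
        raise ValueError("Content-Length does not match the body size")
    form = {}
    if headers.get("content-type") == "application/x-www-form-urlencoded":
        # Over plain HTTP this decoded form is exactly what anyone on the
        # network path can read; over HTTPS it sits inside the TLS tunnel.
        form = {k: v[0] for k, v in parse_qs(body).items()}
    return {"method": method, "target": target, "version": version,
            "headers": headers, "form": form}

def parse_status(raw):
    """Return (code, class) for a response, e.g. (401, 'client error')."""
    start_line, _, _ = split_message(raw)
    _version, code, *_reason = start_line.split(" ")
    code = int(code)
    return code, STATUS_CLASSES.get(code // 100, "other")
```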

***

#### The Critical Problem: HTTP is Insecure

Just like FTP, HTTP sends everything in **plain text**. This means:

* Your passwords are visible to anyone monitoring the network
* Your credit card numbers can be stolen
* Hackers can see what pages you visit
* Data can be modified in transit (man-in-the-middle attacks)

This is especially dangerous on:

* Public Wi-Fi networks (coffee shops, airports)
* Shared networks
* Any network you don't control

***

### Enter HTTPS: HTTP Made Secure

<figure><img src="https://2332658533-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FG5fhKjYnbaQlTPTcaO85%2Fuploads%2FHG5nvs5zXHYEU1Hwt2WL%2Fhttp-vs-https-security.svg?alt=media&#x26;token=f5a2eb7a-e5fa-428c-9906-f97295635d06" alt=""><figcaption></figcaption></figure>

**HTTPS (HTTP Secure)** is HTTP wrapped in encryption using **TLS/SSL** (Transport Layer Security / Secure Sockets Layer). It's the same protocol, just protected.

#### How HTTPS Works: The Handshake

When you connect to an HTTPS website, something special happens before any data is exchanged:

<figure><img src="https://2332658533-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FG5fhKjYnbaQlTPTcaO85%2Fuploads%2FjVRfQjiBxYD27M5i0O11%2Fhttps-handshake.svg?alt=media&#x26;token=80a300b3-5492-44e0-92cb-f01ff02ac843" alt=""><figcaption></figcaption></figure>

**What HTTPS Actually Protects**

**Confidentiality** - Data is encrypted, so eavesdroppers see gibberish

**Integrity** - Data can't be modified without detection

**Authentication** - You're talking to the real server, not an imposter

**SSL Certificates: Trust But Verify**

HTTPS relies on **SSL/TLS certificates** issued by trusted organizations called Certificate Authorities (CAs) like:

* Let's Encrypt (free)
* DigiCert
* GlobalSign
* Sectigo

When you visit `https://example.com`, your browser checks:

1. Is the certificate valid and not expired?
2. Was it issued by a trusted CA?
3. Does it match the domain you're visiting?
4. Has it been revoked?

If any check fails, you get a scary warning like "Your connection is not private."
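As an added example (not code from the original page), two of the four browser checks above, the validity window and the domain match, written in Python against a constructed certificate shaped like the dictionary `ssl.SSLSocket.getpeercert()` returns. The CA-trust and revocation checks need the issuing chain and CRL/OCSP data, so they are out of scope for a single leaf certificate and are not implemented here.

```python
import ssl
from datetime import datetime, timezone

# Constructed certificate, shaped like the dict ssl.SSLSocket.getpeercert()
# returns for a verified peer. Every value here is invented for the example.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Constructed Example CA"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}

def hostname_matches(pattern, hostname):
    """Name matching in the RFC 6125 style browsers apply: case-insensitive,
    '*' allowed only as the entire leftmost label with at least two literal
    labels after it, and it never spans a dot or matches the bare domain
    (*.example.com covers shop.example.com, not example.com or a.b.example.com)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def check_certificate(cert, hostname, now_iso=None):
    """Return the names of the checks that fail (empty list = certificate OK).
    Covers the validity window and the name match; CA trust and revocation
    need the issuing chain and CRL/OCSP data, which a bare leaf cannot supply."""
    now = (datetime.fromisoformat(now_iso) if now_iso
           else datetime.now(timezone.utc)).timestamp()
    failures = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        failures.append("not yet valid")
    elif now > ssl.cert_time_to_seconds(cert["notAfter"]):
        failures.append("expired")
    # Browsers match only subjectAltName DNS entries; the subject commonName
    # is ignored, so a certificate without a SAN fails for every hostname.
    san_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(hostname_matches(n, hostname) for n in san_names):
        failures.append("hostname mismatch")
    return failures
```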

***

#### Real-World HTTP vs HTTPS Examples

**Example 1: Logging into a Website**

**HTTP** (❌ Insecure):

```
POST /login HTTP/1.1
Host: oldsite.com
Content-Type: application/x-www-form-urlencoded

username=alice&password=myPassword123
```

*Anyone on the network can steal your password*

**HTTPS** (✅ Secure):

```
[TLS tunnel to modernsite.com - contents unreadable to anyone on the network]
  POST /login HTTP/1.1
  Host: modernsite.com
  Content-Type: application/x-www-form-urlencoded

  username=alice&password=myPassword123
```

*Only you and the server can read the data*

**Example 2: Browsing a Website**

**HTTP:**

```
GET /article/12345 HTTP/1.1
Host: news.com
```

* Your ISP knows you're reading this specific article
* Government/employers can monitor your browsing
* Ads can track you across sites

**HTTPS:**

```
[TLS tunnel to news.com - only the hostname is visible on the network]
  GET /article/12345 HTTP/1.1
  Host: news.com
```

* Your ISP only knows you visited news.com (not which article)
* Content is private
* More difficult to track

***

#### Where HTTP/HTTPS Is Used

**HTTPS is Everywhere (and Should Be)**

**Currently using HTTPS:**

* Banking websites (absolutely required)
* E-commerce sites (Amazon, eBay, etc.)
* Social media (Facebook, Twitter, Instagram)
* Email services (Gmail, Outlook)
* Search engines (Google, Bing)
* Streaming services (Netflix, YouTube)
* Nearly all modern websites

**HTTP Still Exists But Is Dying**

**Remaining HTTP usage:**

* Very old legacy systems
* Internal corporate networks (though this is risky)
* IoT devices with limited computing power
* Some local development environments

**Why HTTP is being phased out:**

* Chrome marks HTTP sites as "Not Secure"
* Google penalizes HTTP sites in search rankings
* Users don't trust HTTP sites
* Modern web features require HTTPS
* Free certificates from Let's Encrypt make HTTPS easy

***

#### Technical Differences Summary

| Feature               | HTTP                 | HTTPS                   |
| --------------------- | -------------------- | ----------------------- |
| **Port**              | 80                   | 443                     |
| **Encryption**        | None                 | TLS/SSL                 |
| **Security**          | Vulnerable           | Protected               |
| **Speed**             | Slightly faster      | Minimal overhead (1-2%) |
| **Certificate**       | Not needed           | Required                |
| **Browser indicator** | "Not Secure" warning | 🔒 Padlock icon         |
| **Data visibility**   | Plain text           | Encrypted               |
| **Trust**             | None                 | Verified by CA          |

**Modern Web Requirements**

Many modern web features **require HTTPS**:

* **Geolocation** - Browsers won't share your location over HTTP
* **Camera/Microphone access** - Requires HTTPS
* **Service Workers** - For offline functionality, HTTPS only
* **HTTP/2** - The faster protocol requires HTTPS
* **Progressive Web Apps (PWAs)** - Must use HTTPS
* **Secure cookies** - Can't be used over HTTP
* **Payment APIs** - Credit card processing requires HTTPS

***

**Performance: HTTP/2 and HTTP/3**

The protocol has evolved:

**HTTP/1.1** (1997) - One request at a time per connection

**HTTP/2** (2015) - Multiple simultaneous requests, header compression, requires HTTPS

**HTTP/3** (2022) - Built on QUIC protocol, even faster, uses UDP instead of TCP

All modern browsers and servers support HTTP/2, and HTTP/3 is rapidly being adopted. These improvements make HTTPS even faster than old HTTP/1.1.

***

**HTTP** is the foundation of the web, but it's insecure by design. Think of it as sending postcards - anyone handling it can read the content.

**HTTPS** is HTTP with encryption. It's like sending locked boxes that only you and the recipient can open. This is now the **standard** for all websites.

**Always check for the padlock** 🔒 in your browser's address bar, especially before entering passwords, credit cards, or personal information.

***

### TLS vs SSL: Quick Overview

**SSL and TLS are essentially the same thing** - protocols that encrypt internet traffic. TLS is simply the newer, more secure version of SSL.

**The Evolution**

**SSL (Secure Sockets Layer)**

* SSL 1.0 - Never released (too flawed)
* SSL 2.0 (1995) - Deprecated, insecure
* SSL 3.0 (1996) - Deprecated in 2015, has vulnerabilities

**TLS (Transport Layer Security)**

* TLS 1.0 (1999) - Upgraded SSL 3.0
* TLS 1.1 (2006) - Better security
* TLS 1.2 (2008) - Still widely used
* TLS 1.3 (2018) - Current standard, fastest and most secure

**Key Difference**

**SSL is the old name, TLS is the new name.** When people say "SSL certificate" or "SSL/TLS," they're almost always referring to TLS in practice.

It's like how people still say "dial a phone number" even though phones don't have dials anymore - SSL is the legacy term that stuck around.

**What's Actually Used Today**

* **All modern websites use TLS 1.2 or TLS 1.3**
* **SSL 2.0 and SSL 3.0 are completely broken** and disabled in browsers
* The term "SSL certificate" persists for historical reasons, but it's actually a TLS certificate

When you see "SSL/TLS" or hear someone say "SSL," they mean **TLS** - the modern, secure version. SSL itself is dead and has been for years. The name just refuses to die because it became so well-known.
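As an added example (not code from the original page), the policy above expressed in Python's standard `ssl` module: a client context that accepts only TLS 1.2 and 1.3 with a trusted, hostname-matching certificate, beside the common anti-pattern that switches certificate verification off, plus a report function so both can be reviewed without a network. The `probe` function makes a real HTTPS HEAD request to a host you supply and is the only part that needs network access.

```python
import http.client
import ssl

def hardened_client_context():
    """Client TLS policy: a trusted, hostname-matching certificate is required
    and anything older than TLS 1.2 (SSL 2.0/3.0, TLS 1.0/1.1) is refused."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def insecure_client_context():
    """The anti-pattern often found in scripts that 'fix' certificate errors:
    it still encrypts, but accepts any certificate from any server, so the
    Authentication property described earlier on this page is lost."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def policy_report(ctx):
    """Summarise a context so its policy can be reviewed without any network."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
        "accepts_tls_1_0": ctx.minimum_version <= ssl.TLSVersion.TLSv1,
    }

def probe(host, path="/", ctx=None):
    """HEAD request over HTTPS (port 443); returns the status code and the TLS
    version actually negotiated. Needs network access, so the test skips it."""
    conn = http.client.HTTPSConnection(host, 443, timeout=10,
                                       context=ctx or hardened_client_context())
    try:
        conn.request("HEAD", path)
        status = conn.getresponse().status
        return status, conn.sock.version()
    finally:
        conn.close()
```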

***
