Difference between HTTP and HTTPS


Many websites require you to log in by entering your username and password. Always check whether the page that you are logging into is using the “http://” or the “https://” protocol. Just look at the URL in your browser's address bar to see whether it starts with “http://” or “https://”. If it is the former, then your password is being transmitted in clear text. If it is the latter, then your password is transmitted via HTTP over a Secure Sockets Layer. That means your password, and whatever other data is transmitted from your browser to the server, is encrypted prior to transmission and decrypted on the server side.

How to Tell If You Are on HTTPS

Your browser will also indicate that you are transmitting over HTTPS by displaying a lock icon.

[Screenshots: lock icon indicating secured password transmission over HTTPS, in Firefox and in Internet Explorer]

If you are entering sensitive information such as passwords and/or credit card information, you want it to be transmitted over “https” as opposed to “http”.

If you are on a financial website or an eCommerce website, you should make sure it is using https. These include online banking websites, PayPal, shopping sites such as amazon.com, and so on.

Understandably, there are some sites whose login pages are implemented only in HTTP and where the HTTPS protocol is not available. If you do use them, then make sure that the password that you create for your account is not the same as your financial banking password. That way, even if the former password is compromised, your more secure password is not.

What is the Danger

The danger of transmitting passwords and sensitive information over HTTP instead of HTTPS is that a hacker can use a “line-sniffer” that intercepts all data being transmitted over certain internet routes. If your password happens to be part of the data that has been “sniffed” and it is not encrypted, the hacker will be able to see it. HTTPS ensures that even if your data has been captured, it is encrypted and is still not accessible to the hacker.

Note that the hacker does not need to be actively monitoring the line at the time that you transmit the data. The hacker can install line-sniffing software that runs continuously and intercepts data over long periods of time.

W3C (World Wide Web Consortium) website says “The use of an encrypted channel or key exchange is always more secure.”

Webmail over HTTP and HTTPS

Many webmail providers have both an HTTP and an HTTPS connection method.

For example, back in 2008, Windows Live (the new Hotmail login) used the HTTP connection method when you logged in at http://login.live.com/. But there was a link to enhanced security using HTTPS at https://login.live.com.

Gmail and Yahoo use the HTTPS protocol.

More Information