Have you ever wondered what the little green padlock on the left side of your web browser address bar is? Are you setting up your first website and want to make sure your users can securely visit your website while also optimizing your Google search results?
Then you’ve come to the right place, as this article will help shed some light on what exactly HTTP vs. HTTPS means to you, both as a user and a website owner.
Unless you have a tech background, it can be difficult to understand the differences between the two, and any explanation will inevitably be filled with jargon and technical terms that you’re probably not familiar with.
Although it’s impossible to explain how the protocols operate without some technobabble, this article aims to do so in layman’s terms, explaining technical phrases when they appear.
What Is HTTP?
HTTP stands for Hypertext Transfer Protocol and, simply put, it’s what is responsible for taking a website and delivering it to users who are trying to access it. Basically, when a client (for example, a web browser) sends an HTTP request to the server, a response is returned that includes the website or resource the client is requesting, as well as some metadata.
Because HTTP operates on the application layer, it requires a transport layer protocol to actually relay the message. By default, HTTP assumes a reliable transport protocol and generally uses the Transmission Control Protocol (TCP) for this purpose, but it can also be modified to use less reliable protocols, such as the User Datagram Protocol (UDP).
What’s important to note is that HTTP is purely concerned with communicating the requests and responses between client and server, ignoring exactly how it’s transported there. Thus, HTTP does not concern itself with the security of the information it’s handling, just that the information gets to its intended destination and looks the way that the owner of the website intended.
HTTP is as old as the internet itself and was developed as part of the World Wide Web project by Tim Berners-Lee at the European Organization for Nuclear Research (CERN) in the late 1980s and early 1990s. Since then, HTTP has been a core component of the internet, being responsible for communication between servers and clients.
For a long time, HTTP was considered sufficient for traffic of a nonconfidential nature, but as concerns have increased over the security and privacy of the World Wide Web, there has been a gradual push toward replacing the old protocol with the much safer HTTPS.
What Is HTTPS?
Technically, HTTPS is not really a separate protocol from HTTP, but rather HTTP with an additional layer of security provided by TLS, carried over port 443 instead of HTTP’s port 80.
HTTPS was originally created by Netscape in 1995 to provide a secure protocol for transporting webpages between client and server. Originally, the protocol used the Secure Sockets Layer (SSL) to authenticate both ends of the transaction, but it has since moved to the more secure Transport Layer Security (TLS) protocol.
The difference between SSL and TLS is difficult to explain without getting overly technical, but in layman’s terms, TLS is simply an upgraded and more secure version of SSL that patches up the latter’s various limitations and vulnerabilities.
Because they’re so similar, the SSL name has stuck around, despite it being deprecated, and security certificates are still commonly referred to as “SSL certificates.”
In order to verify the transaction, HTTPS requires that websites be issued SSL certificates by a trusted third party. For a long time, this was an expensive process for website owners, so the use of HTTPS was largely confined to confidential information, such as banking or credit card transactions, where the additional security was deemed vital.
However, this all changed in 2016 when the Electronic Frontier Foundation (EFF) launched a campaign to encourage website owners to switch to HTTPS, and a nonprofit named “Let’s Encrypt” started issuing trust certificates to websites free of charge.
Since then, most web browsers have started informing users that their connection is unsecure whenever they’re using regular HTTP. These warnings are sometimes quite difficult to spot, though, which is a criterion we considered when ranking the most secure web browsers.
Although HTTPS is far more secure than the standard HTTP, it’s not perfect. Because it only encrypts the HTTP message itself, it cannot hide some of the metadata that is fundamental to the transaction itself, including IP addresses and port numbers.
This means that while the content of the transaction will be secure, someone eavesdropping will still be able to determine that the connection between client and server has been made, how much data was transmitted across it and for how long the connection was maintained.
Therefore, if you want to ensure total privacy in your online dealings, HTTPS won’t be enough, and you should look into virtual private networks. Our list of the best VPN services is a good place to start, as well as our ExpressVPN review, which is our top pick.
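To make the point about encrypted content versus visible metadata concrete, here is an added example (not part of the original article) that reads two captured byte strings the way someone watching the network would: a plaintext HTTP request and a TLS record as used by HTTPS. Both captures, the hostname shop.example and the login values are constructed sample data; IP addresses and port numbers live in the lower-layer packet headers and are visible in either case.

```python
# Added example: what can be read from captured bytes in transit.
# Both captures below are constructed sample data, not real traffic.
import os
import struct

# Constructed plaintext HTTP request (port 80) exactly as it travels.
HTTP_CAPTURE = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Cookie: session=abc123\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 29\r\n"
    b"\r\n"
    b"user=alice&password=hunter2!!"
)

# Constructed TLS record (port 443): 5-byte header, then random filler
# standing in for ciphertext (it is not a real encrypted HTTP message).
TLS_CAPTURE = struct.pack("!BHH", 0x17, 0x0303, 180) + os.urandom(180)

TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

def observe_http(raw: bytes) -> dict:
    """Plaintext HTTP: request line, headers and body are all readable."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (line.split(":", 1) for line in lines[1:])}
    return {"method": method, "path": path, "host": headers.get("host"),
            "cookie": headers.get("cookie"), "body": body.decode("iso-8859-1")}

def observe_tls(raw: bytes) -> dict:
    """TLS: only the record framing (type and size) is readable."""
    if len(raw) < 5:
        raise ValueError("truncated TLS record header")
    ctype, version, length = struct.unpack("!BHH", raw[:5])
    if ctype not in TLS_TYPES or version >> 8 != 3:
        raise ValueError("not a TLS record")
    return {"record_type": TLS_TYPES[ctype], "payload_bytes": length,
            "complete": len(raw) >= 5 + length}

if __name__ == "__main__":
    print("HTTP :", observe_http(HTTP_CAPTURE))
    print("HTTPS:", observe_tls(TLS_CAPTURE))
```

Over HTTP the path, cookie and password come straight out of the capture; over HTTPS the same observer learns only that 180 bytes of application data were sent.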
The Difference Between HTTP and HTTPS
As you’ve probably guessed from the above descriptions, the big difference between HTTP and HTTPS is the improved security offered by the latter.
Because HTTPS uses the TLS protocol to authenticate both ends of the transaction, all the data being transferred is protected by encryption, which protects both you and your users from various man-in-the-middle attacks, such as malware injection or just plain, old spying.
In theory, there’s also a performance difference between the two protocols. HTTPS needs to use additional computing resources to perform the TLS handshake, so it is technically a bit slower than HTTP.
However, unless your website receives an immense amount of traffic, this extra server load should barely be noticeable, as it won’t be severe enough to cause any problems.
Should You Switch to HTTPS?
The short answer is, without a doubt, yes. Switching your website and domain from HTTP to HTTPS carries a lot of upsides and barely any downsides. Besides a slight theoretical hit to your performance if you’re averaging huge numbers of visitors, there are no negative consequences from making the switch.
Additionally, switching to HTTPS will not only make your users’ browsing more secure by encrypting their traffic, it will help you, as well, by improving your visibility on Google. The reason this happens is that Google made the decision back in 2014 to give a ranking boost to results with HTTPS addresses.
From the user side of things, you can’t really “switch” to HTTPS, as it’s generally the websites you visit that decide what protocol to use. What you can do is install an extension, such as HTTPS Everywhere (featured in our list of the best security extensions), which will force all websites that are set up for HTTPS to default to that protocol.
Another option is to use a browser like Brave (read our Brave review), which comes with this functionality built in. Beyond this, you should also be aware whenever a website offers only HTTP and take extra care with what information you send over the unsecure connection.
Generally speaking, websites and services that handle any kind of confidential information, such as banking or payment details, will default to HTTPS anyway (and on the off chance that they don’t, you should steer well clear).
However, smaller websites that handle email addresses and other personal information may not, so it’s always useful to be aware of what protocol you’re currently using.
There you have it, everything you need to know about what separates HTTP and HTTPS in as nontechnical a way as we could explain it. If you’re simply a user who doesn’t own your own website, all you really need to know is that HTTPS encrypts and protects the content of the transactions between you and the server you’re trying to reach.
If you own a website, however, it’s something you need to pay more attention to. As Google and other companies or organizations continue to encourage the use of HTTPS, you can easily find yourself in a position where your website loses out to your competition — especially when it comes to SEO — if you don’t make the switch to HTTPS.
What do you think of our guide to HTTP and HTTPS? Have we demystified some common technical terms, or are you still struggling to understand the difference between the two? Perhaps we missed some details you think are crucial? Let us know in the comments below. As always, thank you for reading.