HTTP vs. HTTPS

In an age when security on the internet is of the utmost importance, secure transmission of data is often an issue, especially for financial or other sensitive information.
That is why websites will begin with either http or https.

What are HTTP and HTTPS?

HTTP stands for “Hypertext Transfer Protocol”. Add the “s” and you have “Hypertext Transfer Protocol Secure”.
HTTP is a request-response protocol. This means that the server is answering a request for information, and sends it without controlling how it gets there.
HTTPS uses a series of communications between the client (for example, your computer) and the server (the computer which will send you the information) to be sure that you are sending your information only to that server, to verify the source of the information, and to ensure its security. It does this by using Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL).


Let’s illustrate this. You request a package to be delivered from Toronto to Halifax. Once the package is requested, you just wait for it to arrive. You leave it to the sender to choose how it is packaged and shipped and hope it arrives, and it usually does. This is how a server sends info to a computer via HTTP.

But what if the package is very valuable? Now, first of all, you want to be very careful from whom you order the package. Are they to be trusted, and are they reliable? Once you have verified the integrity of the supplier, you ask them to disguise the packaging so that the package cannot be identified and its value cannot be determined. The package is also locked and cannot be opened, except by the person for whom it was intended. Then you take care to have it shipped by a certified shipper who will track its movement carefully and ensure that it arrives at your house, and not somewhere else. The handler of the package makes sure that the right package is picked up and will not deliver it until it can verify that it is going to the right place. Even if it were intercepted, it would be so disguised that the thief would not know what to do with it, or its value.

You will notice that if you click on a website, such as www.scotiabank.com, it will be http. You can navigate around the site and it will use http. The data you are looking at is general in nature and it is for everyone to see, so there is no need to encrypt it. However, when you click the sign in button, the address looks like this: https://www2.scotiaonline.scotiabank.com/online/authentication/authentication.bns

Notice the https? This is private data that is for the exclusive use of you, the client, and the server site, so it changes to https. Now there is a more direct communication between the client and server. As well, TLS or SSL will actually modify the data, which is called encrypting, to the point where it is very difficult or impossible to decipher, and then send it either to or from your computer. When it gets to the other end, the encryption is removed, and the data is used. The idea is that even if someone were able to interrupt the data flow and capture it, it would be so scrambled that it would be impossible to decipher and use.

So why not just use HTTPS all the time? The multiple processes involved take more time to execute, and therefore data moves slower. As well, there is an extra cost involved for the services of the trusted third party who provides the certificate. Multiply this by thousands of data requests and a large site requires extra resources to process. HTTP, on the other hand, moves data faster because the encryption process is not required. That is why even reputable sites, like your bank or www.amazon.com, will use http until you are going to log in, and then https is used.

The certificate is checked by your browser when an HTTPS site comes up. If it can’t verify the certificate, you may see this on your screen.

[Screenshot: browser warning about the website's security certificate]

If you “Continue to this website (not recommended)”, you may not be going where you intended. If you are sending personal information, you may be exposed to a “phishing scam”, where people try to obtain your valid information for their own not so honourable use. “More information” will help you through some of the options to verify the site. This doesn’t mean that the website is bad, but only that it can’t be verified as good. It may mean that its certificate has expired, but there is definitely a need for caution.

You can view the certificate for an https website by right-clicking on a blank spot on the page. Click Properties (usually at or near the bottom of the drop-down list). In the Properties window you will see the Certificates button. Click on that to view information about the certificate.
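The checks behind that warning can be reproduced outside the browser. The following is an added example, not part of the original article: it tests a certificate's validity dates and whether it was issued for the site you asked for. The function names and the bank.example certificate are constructed for illustration.

```python
import socket
import ssl
import time

def fetch_certificate(hostname, port=443, timeout=5.0):
    """Connect over TLS and return the server certificate as a dict.

    create_default_context() verifies the certificate chain and hostname;
    a failure raises ssl.SSLCertVerificationError instead of returning.
    """
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def name_matches(pattern, hostname):
    """Match a certificate DNS name; '*' may replace the left-most label only."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def certificate_problems(cert, hostname, now=None):
    """Return the reasons this certificate would be rejected for hostname."""
    now = time.time() if now is None else now
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, hostname) for n in dns_names):
        problems.append("issued for a different site")
    return problems

# Constructed sample in the format getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Jan  1 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example")),
}
```

An empty list from certificate_problems() means the dates and the site name check out; it does not replace the chain-of-trust verification that fetch_certificate() performs during the connection.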

Conclusion: If you are sending sensitive information, think “Secure” and look for https.

 

For further information: http://www.biztechmagazine.com/article/2007/07/http-vs-https

http://en.wikipedia.org/wiki/HTTP_Secure

http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol

 
