HTTP is the original protocol for transferring data across the internet.
When a user visits a website, their browser sends an HTTP request to the site’s server. The server returns the page’s content in an HTTP response.
HTTP is insecure
Over HTTP, a browser sends data in plain text, unencrypted, through the internet to a web server, without authenticating the server’s identity. This opens the user to various methods of attack.
- An attacker can eavesdrop on communication between a user and the websites they visit, then construct a profile of the user from the observed traffic.
- Any personal information (login credentials, personal data submitted in forms) shared over HTTP can be stolen by an attacker.
- An attacker can perform a man-in-the-middle attack and impersonate a website or alter its contents. Some ISPs actively do this to inject ads.
HTTPS is Secure HTTP
HTTPS adds encryption, server identification and data integrity on top of HTTP’s data transfer model.
HTTPS does not protect a website from other security vulnerabilities. If a website allows user login, a hacker can attempt to crack user accounts with a brute force attack over HTTP or HTTPS.
And there’s more…
Serving a site over HTTPS comes with extra benefits.
- SEO. Google uses HTTPS as a ranking signal.
- Speed. HTTP/2 can deliver your website to browsers quicker. Browsers require HTTPS to use HTTP/2.
- Data encryption security. Passive attackers cannot eavesdrop on conversations.
- Server identification. Man-in-the-middle attackers cannot impersonate a website to a user.
- New browser features are limited to secure sites, and capabilities will be deprecated for non-secure sites.