In a Nutshell
HTTPS is HTTP with encryption. The difference between the two protocols is that HTTPS uses TLS (SSL) to encrypt normal HTTP requests and responses. As a result, HTTPS is far more secure than HTTP. A website that uses HTTP has HTTP:// in its URL, while a website that uses HTTPS has HTTPS://.
Figure 1: HTTP vs HTTPS. Image source: Cloudflare
What is HTTP?
HTTP stands for Hypertext Transfer Protocol, and it is a protocol—or a prescribed order and syntax for presenting information—used for transferring data over a network. Most information that is sent over the Internet, including website content and API calls, uses the HTTP protocol.
There are two main kinds of HTTP messages: requests and responses. HTTP requests are generated by a user's browser as the user interacts with web properties. For example, if a user clicks on a hyperlink, the browser will send a series of "HTTP GET" requests for the content that appears on that page. These HTTP requests go to either an origin server or a proxy caching server, and that server will generate an HTTP response. HTTP responses are answers to HTTP requests.
HTTP requests and responses are sent across the Internet in plaintext. The problem is that anyone monitoring the connection can read these plaintexts. This is especially an issue when users submit sensitive data via a website or a web application. This could be a password, a credit card number, or any other data typed into a form. Essentially, a malicious actor can just read the text in the request or the response and know exactly what information someone is asking for, sending, or receiving, and even manipulate the communication.
The answer to above security problem is HTTPS.
What is HTTPS?
HTTPS stands for Hypertext Transfer Protocol Secure (also referred to as HTTP over TLS or HTTP over SSL). HTTPS uses TLS (or SSL) to encrypt HTTP requests and responses, so instead of plaintext, an attacker would see a series of seemingly random characters.
TLS uses a technology called public-key encryption: there are two keys, a public key, and a private key. The public key is shared with client devices via the server's SSL certificate. The certificates are cryptographically signed by a Certificate Authority (CA), and each browser has a list of CAs it implicitly trusts. Any certificate signed by a CA in the trusted list is given a green padlock lock in the browser’s address bar because it is proven to be “trusted” and belongs to that domain. Companies, like Let’s Encrypt, have now made the process of issuing SSL/TLS certificates free.
When a client opens a connection with a server, each machine needs a verified identity. So, the two devices use the public and private keys to agree on new keys, called session keys, to encrypt further communications between them. All HTTP requests and responses are then encrypted with these session keys so that anyone who intercepts communications can only see a random string of characters, not the plaintext.
In addition to encrypting communication, HTTPS is used for authenticating the two communicating parties. Authentication means verifying that a person or machine is who they claim to be. In HTTP, there is no verification of identity—it is based on a principle of trust. But on the modern Internet, authentication is essential.
Just like an ID card confirms a person's identity, a private key confirms the server's identity. When a client opens a channel with an origin server (e.g. when a user navigates to a website), possession of the private key that matches with the public key in a website's SSL certificate proves that the server is actually the legitimate host of the website. This prevents or helps block a number of attacks that are possible when there is no authentication, such as Man-in-the-middle attacks, DNS hijacking, and domain spoofing.
Differences between HTTP and HTTPS
Based on the above presentation of HTTP and HTTPS, the following table presents the main differences between those two protocols.
Table 1: Differences between HTTP and HTTPS
HTTPS comes with many advantages, both performance and, most important, security-wise. All browsers are strongly encouraging users to trust only websites implementing HTTPS because this is the single measure that can help them mitigate a variety of threats and attacks.