HTTP, HTTPS, SSL and TLS explained in an easy-to-understand way

HTTP stands for “Hypertext Transfer Protocol” and is probably the most widely used protocol in the world today. It is the protocol used for viewing web pages on the Internet. In standard HTTP, all the information is sent in clear text. Thus, with HTTP, everything exchanged between your computer and the web server (including any text you type into a website) travels over the public internet in clear text and is, therefore, vulnerable to a hacker. Normally, this is not a big deal if you are just browsing your regular websites and no sensitive data, such as passwords or credit card information, is involved. But if you type in personal sensitive data, such as your address details, phone number, Social Security Number (SSN), passwords or credit card information, that information has to leave your computer and travel across the public internet to reach a particular web server. This makes your sensitive data vulnerable, because a hacker can listen in while the data is being transferred and steal your valuable information. This is a very big problem as far as security is concerned – and thus HTTPS was born.

HTTPS stands for “Secure Hypertext Transfer Protocol” – the ‘S’ in HTTPS stands for ‘Secure’. HTTPS is HTTP with a security feature added: it encrypts the data that is being retrieved by HTTP. It ensures that all the data transferred over the internet between computers and servers is protected – even if a hacker gets hold of the data, it would be virtually impossible for him to read it. Security is ensured using encryption algorithms to scramble the data that is being transferred.

When you type a web address (www.google.com, for example) into your favorite browser, you might notice that HTTPS is automatically added at the beginning of the address. This indicates that you are using secure HTTP (HTTPS) to retrieve the web page – you have entered a secure website where any sensitive data that is passed will be protected. In addition to HTTPS being added at the beginning of the web address, most web browsers also show a ‘PADLOCK’ symbol in the address bar to indicate that secure HTTP (HTTPS) is being used. Thus, if you go to a website that requires you to enter personal information such as passwords or credit card numbers, you should ensure that the website uses secure HTTP (HTTPS).

Figure: Web address showing HTTPS and the 'PADLOCK' symbol



What happens with HTTP?


Figure: What happens with HTTP



What happens with HTTPS?

Figure: What happens with HTTPS


Thus, by using secure HTTP (HTTPS), all the data, including anything that you type, is no longer sent in clear text; it is scrambled into an unreadable form as it travels across the internet. So if a hacker were trying to steal your information, what he would get is a bunch of meaningless data that he cannot make any sense of – that is because the data is encrypted, and the hacker would not be able to easily crack the encryption to unscramble it.


Secure HTTP (HTTPS) protects the data by using one of the following two protocols:
    > SSL, and
    > TLS

SSL stands for ‘Secure Sockets Layer’. It is a protocol used to ensure security on the internet, and it uses public key encryption to secure data. When a computer connects to a website that uses SSL, the computer’s web browser asks the website to identify itself. The web server then sends the computer a copy of its SSL Certificate. An SSL Certificate is a digital certificate used to authenticate the identity of a website; it lets your computer confirm that the website you are visiting is the one it claims to be. The computer’s browser then checks whether it trusts the certificate and, if it does, sends a message to the web server. The web server responds with an acknowledgement so that an SSL session can proceed. Once all these steps are complete, encrypted data can be exchanged between your computer and the web server.

The other protocol that secure HTTP (HTTPS) can use is called TLS (Transport Layer Security). TLS is the current industry-standard cryptographic protocol and the successor to SSL. TLS authenticates the server (and, optionally, the client) and encrypts the data.
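The browser-side step described above ("check to make sure that it trusts the certificate") is the part a programmer most often gets wrong, so here is an added example that is not from the original article: a Python client, standard library only, configured to verify the server certificate the way a browser does, beside the weak configuration that skips that check. Only `inspect_server` needs a network connection; the host name passed to it is the caller's choice.

```python
import socket
import ssl


def hardened_context() -> ssl.SSLContext:
    """What a browser does: trust only certificates chaining to a known CA,
    require the certificate name to match the host, refuse SSL/TLS < 1.2."""
    ctx = ssl.create_default_context()       # loads the OS root CA store
    ctx.check_hostname = True                # name in cert must equal host
    ctx.verify_mode = ssl.CERT_REQUIRED      # untrusted chain -> handshake fails
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_context() -> ssl.SSLContext:
    """The opposite: any certificate from anyone is accepted, so the padlock
    proves nothing. check_hostname must be cleared before verify_mode."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def settings(ctx: ssl.SSLContext) -> dict:
    # The three settings that decide whether verification happens at all.
    return {
        "check_hostname": ctx.check_hostname,
        "verify_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "min_version": ctx.minimum_version.name,
    }


def inspect_server(host: str, port: int = 443) -> dict:
    """Run the handshake the article describes against a live server (needs
    network). An untrusted or mismatched cert raises SSLCertVerificationError."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with hardened_context().wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()         # parsed only after verification
            return {
                "tls_version": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(x[0] for x in cert["subject"]),
                "issuer": dict(x[0] for x in cert["issuer"]),
            }


if __name__ == "__main__":
    print("hardened client:", settings(hardened_context()))
    print("weak client:    ", settings(weak_context()))
```

To see the live handshake result, call `inspect_server("www.google.com")` from a Python shell; the returned issuer is the CA the browser's trust check relies on.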


It is also important to point out here that a lot of websites now use secure HTTP (HTTPS) by default, regardless of whether any sensitive data is going to be exchanged. A lot of this has to do with Google: Google flags websites as “not secure” if they are not protected with SSL, and if a website is not SSL protected, Google penalizes that website in its search rankings. That is why, if you visit any major website nowadays, you will notice that it uses secure HTTP (HTTPS) rather than standard HTTP.


**********************************************************************************************************
The author of the technical article, Subhasish Sarkar (SS), is an IBM Z Champion for 2020.
**********************************************************************************************************