Difference between HTTP and HTTPS


Hypertext Transfer Protocol (HTTP) is an application layer protocol used on the internet to access web applications. When you type a web address into your web browser, the browser acts as a client, and the computer holding the requested information acts as a server. When the client requests information from the server, it does so using HTTP. The server responds to the client once the request has been processed. The response comes in the form of the web page that you see just after typing the web address and pressing “Enter”.

For example, when we enter www.google.com in a browser, the web page request is sent over HTTP, so the URL of the web page becomes http://www.google.com.

Hypertext Transfer Protocol Secure (HTTPS) is a combination of two different protocols and is a more secure way to access the web. It combines the Hypertext Transfer Protocol (HTTP) with the SSL/TLS protocol.

The web page communication still uses the ordinary HTTP protocol, but in addition the data sent over the network is encrypted using SSL/TLS. This is a more secure way for a client to send requests to a server: the communication is fully encrypted, so an eavesdropper cannot read what you are looking at. This kind of communication is used for websites where security is required. Banking websites, payment gateways, email (Gmail offers HTTPS by default in the Chrome browser), and corporate websites are some common examples where HTTPS is used.

The HTTPS protocol has two important functionalities:

  • When a web page request is made, the browser checks that the response comes from the legitimate web server by validating the web server's certificate. Any attempt to present an invalid or tampered certificate leads to the web browser showing the user a warning that the web site certificate is invalid.
    An example screenshot of a certificate error is as follows:

    The above screenshot is an example of what appears when an attacker tries to insert a proxy between the browser the user is currently using and the server. Upon receiving such an error it is always recommended to leave the browser and check its configuration settings.

  • The data sent by the user is encrypted with the public key of the web site, which is available in the web site's certificate. HTTPS uses asymmetric (public key) encryption, which means the plain text is encrypted into cipher text using the receiver's public key, and the cipher text is decrypted back to plain text with the private key known only to the receiver; i.e. different keys are used for encryption and decryption.
    HTTPS is required for all web applications because in HTTP the request/response exchange is done in plain text, so it is possible for an attacker to perform a man-in-the-middle attack on a web application by sniffing the user's traffic with a packet sniffer such as Wireshark to gain access to the user's credentials, session identifiers etc.

    An example screenshot of user login credentials for an HTTP-based web application is as follows:



Apart from the major differences discussed above, there are other differences, described as follows:

| HTTP | HTTPS |
| --- | --- |
| URL begins with “http://” | URL begins with “https://” |
| It uses port 80 for communication | It uses port 443 for communication |
| Unsecured | Secured |
| Operates at Application Layer | Operates at Transport Layer |
| No encryption | Encryption is present |
| No certificates required | Certificates required |
