HTTP vs HTTPS – SSL/TLS, Certificates & Security
1. What is HTTP?
HTTP (Hypertext Transfer Protocol) is the application-layer protocol that defines how web browsers and web servers communicate. It is a request-response protocol: the client (browser) sends a request and the server replies with a response. HTTP is stateless — each request is independent; the server holds no memory of previous requests unless additional mechanisms (cookies, sessions) are used.
HTTP Request/Response Flow:
Browser Web Server
│ │
│── TCP SYN ──────────────────────────▶ │
│◀─ TCP SYN-ACK ────────────────────── │
│── TCP ACK ──────────────────────────▶ │ (TCP 3-way handshake on port 80)
│ │
│── HTTP GET /index.html HTTP/1.1 ─────▶ │ (Request — PLAINTEXT)
│ Host: example.com │
│ │
│◀─ HTTP/1.1 200 OK ────────────────── │ (Response — PLAINTEXT)
│ Content-Type: text/html │
│ <html>...page content...</html> │
Problem: Everything above is readable by anyone who can intercept the traffic
Related pages: DNS Purpose | DNS Lookup | DNS Configuration | Firewalls | OSI Model | Wireshark
2. What is HTTPS?
HTTPS (Hypertext Transfer Protocol Secure) is HTTP wrapped inside a TLS (Transport Layer Security) tunnel. The request-response model is identical to HTTP, but before any HTTP data is exchanged, a TLS handshake establishes an encrypted channel. Everything transmitted — URLs, headers, cookies, form data, responses — is encrypted end-to-end.
HTTPS Connection Flow:
Browser Web Server
│ │
│── TCP SYN ──────────────────────────▶ │
│◀─ TCP SYN-ACK ────────────────────── │
│── TCP ACK ──────────────────────────▶ │ (TCP handshake on port 443)
│ │
│═══════ TLS HANDSHAKE ══════════════════│ (Certificate exchange,
│ (see Section 5) │ key agreement — BEFORE
│════════════════════════════════════════│ any HTTP data flows)
│ │
│── [ENCRYPTED] GET /index.html ───────▶ │ (Request — encrypted)
│◀─ [ENCRYPTED] 200 OK + content ────── │ (Response — encrypted)
An interceptor sees only: [encrypted bytes] — cannot read content or URL path
3. HTTP vs HTTPS — Full Comparison
| Feature | HTTP | HTTPS |
|---|---|---|
| Port number | 80 | 443 |
| URL prefix | http:// |
https:// |
| Encryption | None — all data transmitted in plaintext | TLS encryption — all data encrypted end-to-end |
| Data security | Vulnerable to interception, eavesdropping, and modification | Protected — interceptor sees only encrypted bytes |
| Server authentication | None — client cannot verify it is talking to the real server | Yes — server identity proven by digital certificate signed by a trusted CA |
| Data integrity | No protection — content can be silently modified in transit | HMAC (Hash-based Message Authentication Code) detects any tampering |
| Browser indicator | "Not Secure" warning (Chrome/Firefox) on pages with input fields | Padlock icon in address bar |
| SEO ranking | Lower — Google has used HTTPS as a ranking signal since 2014 | Higher — Google favours HTTPS sites in search results |
| HTTP/2 support | Limited — HTTP/2 is technically possible over plaintext but no major browser supports it | Full — all browsers require TLS for HTTP/2 (h2) |
| Cookie security | Cookies transmitted in plaintext — can be stolen by attacker | Cookies encrypted; Secure flag ensures cookies only
sent over HTTPS |
| OSI layer | Application Layer (Layer 7) | Application Layer (Layer 7) over TLS (Session Layer / Layer 5–6) |
4. HTTP Methods
HTTP defines a set of request methods (also called verbs) that indicate the action to be performed on the resource identified by the URL. These apply to both HTTP and HTTPS.
| Method | Action | Request Body? | Typical Use |
|---|---|---|---|
| GET | Retrieve a resource | No | Loading a web page, fetching images, API read requests |
| POST | Submit data to be processed | Yes | Form submissions, login credentials, file uploads |
| PUT | Replace a resource entirely | Yes | REST API — full update of a record |
| PATCH | Partially update a resource | Yes | REST API — partial update (change one field) |
| DELETE | Delete a resource | No | REST API — remove a record |
| HEAD | Retrieve headers only (no body) | No | Check if a resource exists; get metadata without downloading content |
| OPTIONS | Describe communication options for the target resource | No | CORS preflight requests; API capability discovery |
Security implication of GET vs POST: GET parameters appear in the URL
(e.g.,
?user=john&pass=secret) which is logged in browser
history, server access logs, and proxy logs — never use GET for sensitive
data. POST parameters go in the request body and are not visible in the URL.
However, neither GET nor POST provides confidentiality over HTTP — both are
plaintext. Only HTTPS encrypts the body and the URL path.
5. HTTP Status Codes
Every HTTP response includes a three-digit status code that describes the outcome of the request. Status codes are grouped into five classes.
| Class | Range | Meaning | Common Examples |
|---|---|---|---|
| 1xx | 100–199 | Informational — request received, processing continues | 100 Continue, 101 Switching Protocols (WebSocket upgrade) |
| 2xx | 200–299 | Success — request received, understood, and processed | 200 OK, 201 Created, 204 No Content |
| 3xx | 300–399 | Redirection — client must take additional action | 301 Moved Permanently, 302 Found (temp redirect), 304 Not Modified (use cache) |
| 4xx | 400–499 | Client Error — request has an error | 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 429 Too Many Requests |
| 5xx | 500–599 | Server Error — server failed to fulfil a valid request | 500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable, 504 Gateway Timeout |
HTTP to HTTPS redirect: When a web server forces all HTTP traffic to
HTTPS, it returns 301 Moved Permanently with a
Location: https://... header. The browser then makes a new
request to the HTTPS URL. A 301 is cached by the browser, so subsequent visits
go directly to HTTPS without an HTTP round trip.
6. SSL and TLS — Version History
SSL (Secure Sockets Layer) was the original encryption protocol developed by Netscape in the 1990s. It was superseded by TLS (Transport Layer Security), which is the modern standard. Despite TLS being the correct term, the term "SSL" is still widely used colloquially.
| Protocol | Year | Status | Notes |
|---|---|---|---|
| SSL 1.0 | 1994 | Never released — critical flaws found | Internal Netscape only |
| SSL 2.0 | 1995 | Deprecated — must be disabled | Multiple serious vulnerabilities; DROWN attack |
| SSL 3.0 | 1996 | Deprecated — must be disabled | POODLE attack (2014); completely broken |
| TLS 1.0 | 1999 | Deprecated (RFC 8996) | BEAST attack; PCI-DSS requires disabling since 2018 |
| TLS 1.1 | 2006 | Deprecated (RFC 8996) | Major browsers removed support in 2020 |
| TLS 1.2 | 2008 | Current — widely deployed | Secure when configured with modern cipher suites; still the minimum required by PCI-DSS |
| TLS 1.3 | 2018 | Current — recommended | Faster handshake (1-RTT vs 2-RTT); removed legacy cipher suites; forward secrecy mandatory; all major browsers support |
Exam tip: On the CCNA exam, TLS 1.2 and TLS 1.3 are the current
standards. SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 are all deprecated and
should be disabled on any modern server. Any question referring to "SSL"
in a modern context is almost certainly referring to TLS.
7. The TLS Handshake — Step by Step
The TLS handshake is the process by which the browser and server agree on encryption parameters and establish a shared secret key before any application data flows. TLS 1.2 and TLS 1.3 use slightly different handshake flows; below is TLS 1.2 (the more commonly tested version).
TLS 1.2 Handshake (2 Round Trips — 2-RTT):
Browser (Client) Web Server
│ │
│── ClientHello ─────────────────────▶ │
│ TLS version supported (max 1.2) │
│ Cipher suites supported │
│ Client Random (32 random bytes) │
│ │
│◀─ ServerHello ────────────────────── │
│ Selected TLS version │
│ Selected cipher suite │
│ Server Random (32 random bytes) │
│ │
│◀─ Certificate ────────────────────── │
│ Server's digital certificate │
│ (contains server's public key) │
│ │
│◀─ ServerHelloDone ────────────────── │
│ │
[Browser validates certificate: │
- Is the CA trusted? (check CA root store) │
- Is it expired? │
- Does CN/SAN match the hostname? │
- Is it revoked? (OCSP/CRL check)] │
│ │
│── ClientKeyExchange ───────────────▶ │
│ Pre-master secret encrypted with │
│ server's public key │
│ │
[Both sides derive the same session keys │
from: pre-master secret + client random │
+ server random → Master Secret → Keys] │
│ │
│── ChangeCipherSpec ────────────────▶ │
│── Finished (encrypted) ────────────▶ │
│◀─ ChangeCipherSpec ───────────────── │
│◀─ Finished (encrypted) ───────────── │
│ │
│══ ENCRYPTED HTTP DATA FLOWS ══════════ │
TLS 1.3 Improvements
- 1-RTT handshake — completes in one round trip instead of two, reducing latency
- 0-RTT session resumption — previously connected clients can send data in the very first message (with some security trade-offs)
- Forward Secrecy mandatory — every session uses ephemeral key exchange (ECDHE); compromise of the server's private key cannot decrypt past sessions
- Removed insecure options — RSA key exchange, MD5/SHA-1, RC4, DES, and 3DES cipher suites all removed; only AEAD (Authenticated Encryption) allowed
8. Digital Certificates and Certificate Authorities
A digital certificate (X.509 certificate) is an electronic document that binds a public key to an identity (domain name, organisation) and is digitally signed by a trusted third party — a Certificate Authority (CA). Browsers and operating systems ship with a pre-installed list of trusted root CAs. When a server presents a certificate signed by one of these trusted CAs, the browser accepts it as proof of identity.
Certificate Types
| Type | Validation Level | What Is Verified | Browser Indicator | Use Case |
|---|---|---|---|---|
| DV (Domain Validation) | Low | Domain ownership only — CA confirms you control the domain | Padlock | Blogs, personal sites, most HTTPS deployments; issued in minutes (Let's Encrypt) |
| OV (Organisation Validation) | Medium | Domain + legal organisation identity verified by CA | Padlock | Business websites where organisation identity matters |
| EV (Extended Validation) | High | Domain + rigorous legal/physical/operational verification | Padlock (some browsers showed green bar — now deprecated in modern browsers) | Banks, financial institutions, government sites — highest trust indication |
| Wildcard | DV or OV | Domain + all immediate subdomains (*.example.com) | Padlock | Organisations with many subdomains (mail.example.com, api.example.com, etc.) |
| SAN / Multi-Domain | DV or OV | Multiple distinct domains in one certificate (Subject Alternative Names) | Padlock | Hosting multiple sites on one server; example.com, example.org, example.net in one cert |
Certificate Chain of Trust
Root CA (self-signed, pre-installed in OS/browser trust store)
│
│ signs
▼
Intermediate CA (signed by Root CA)
│
│ signs
▼
Server Certificate (example.com — signed by Intermediate CA)
Browser verification:
1. Server sends: [Server Cert] + [Intermediate CA Cert]
2. Browser checks: Is Intermediate CA signed by a Root CA I trust?
3. Browser checks: Is Server Cert signed by this Intermediate CA?
4. Browser checks: Is the certificate valid today? (not expired)
5. Browser checks: Does CN or SAN match the hostname I'm connecting to?
6. Browser checks: Is the certificate revoked? (OCSP stapling)
→ All pass → Padlock shown → Encrypted connection established
9. HTTPS Security Benefits — Confidentiality, Integrity, Authentication
HTTPS provides three distinct security properties, each protecting against different attack vectors.
| Property | What It Protects | Without HTTPS (HTTP) | With HTTPS |
|---|---|---|---|
| Confidentiality | Content of communications — usernames, passwords, credit card numbers, private messages | Anyone on the same network (coffee shop Wi-Fi, ISP, attacker with packet sniffer) can read all data | All data encrypted — interceptor sees only ciphertext |
| Integrity | Ensures data is not modified between sender and receiver | Attacker can silently modify web page content in transit — inject ads, malware, or false information | HMAC attached to each record; any modification detected and connection terminated |
| Authentication | Proves you are connected to the legitimate server, not an impersonator | Attacker can impersonate example.com with no way for the browser to detect it | Certificate signed by trusted CA proves server identity; browser rejects invalid/mismatched certificates |
10. Attacks Against HTTP and HTTPS
| Attack | Target | Method | Mitigation |
|---|---|---|---|
| Passive Eavesdropping | HTTP only | Attacker captures unencrypted HTTP traffic on shared network (Wi-Fi sniffing, ARP poisoning / Wireshark capture) | Use HTTPS — encryption makes intercepted traffic unreadable |
| Man-in-the-Middle (MitM) | HTTP + HTTP | Attacker positions between client and server, relaying and optionally modifying all traffic | HTTPS with certificate validation — client verifies server identity; MitM cannot present a valid cert for the target domain |
| SSL Stripping | HTTPS downgrade | MitM intercepts initial HTTP request before redirect to HTTPS, maintains HTTP to victim while connecting HTTPS to server — victim never knows HTTPS was available | HSTS (HTTP Strict Transport Security) — browser remembers that the site requires HTTPS and refuses HTTP connections; HSTS Preload list ensures even first visit is HTTPS |
| Certificate Spoofing | HTTPS | Attacker presents a forged or rogue certificate for a domain | CA validation chain — browser only accepts certificates signed by trusted root CAs; Certificate Transparency (CT) logs detect rogue issuance |
| POODLE | SSL 3.0 | Forces downgrade to SSL 3.0, exploits padding oracle vulnerability | Disable SSL 3.0 entirely on all servers |
| BEAST | TLS 1.0 | Browser Exploit Against SSL/TLS — exploits CBC mode in TLS 1.0 | Upgrade to TLS 1.2/1.3; disable TLS 1.0 |
| Expired/Invalid Certificate | HTTPS | Server presents expired or hostname-mismatched certificate | Monitor certificate expiry; automate renewal (Let's Encrypt + certbot); use wildcard/SAN certs for subdomains |
11. HSTS — HTTP Strict Transport Security
HSTS is a web security policy mechanism that forces browsers to interact
with a server only over HTTPS, even if the user types http:// or
clicks an HTTP link. The server sends an HTTP response header:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload │ │ │ │ │ │ │ └─ Submit for HSTS preload list │ │ └─ Apply to all subdomains │ └─ Browser remembers HSTS for 1 year (31536000 seconds) └─ HSTS header name
Once a browser has received this header, for the max-age
duration it will:
- Automatically rewrite
http://example.comtohttps://example.combefore sending any request - Refuse to connect if the TLS certificate is invalid — no option to "proceed anyway" (unlike the normal browser certificate warning)
- Block SSL stripping attacks because the first request never goes over HTTP at all
The first-visit problem and HSTS Preload: HSTS only works after the
browser has visited the site once and received the header. The very first visit
is still vulnerable to SSL stripping. The HSTS Preload list (maintained
at hstspreload.org and built into Chrome, Firefox, Safari, Edge) solves this by
hardcoding domains that always require HTTPS — even on the very first visit.
12. HTTP/2 and Performance
HTTP/2 (RFC 7540) is a major revision of HTTP designed to improve performance over HTTP/1.1. While technically usable over plaintext (h2c), every major browser requires HTTPS (h2) to use HTTP/2. This makes HTTPS a prerequisite for modern web performance.
| Feature | HTTP/1.1 | HTTP/2 |
|---|---|---|
| Multiplexing | One request per TCP connection (or pipelining — poor support) | Multiple requests and responses simultaneously over a single TCP connection |
| Header compression | Headers sent as plaintext, repeated on every request | HPACK compression — headers compressed and cached; dramatically reduces overhead |
| Server push | Client must request every resource | Server can proactively push resources (CSS, JS) before client requests them |
| Binary framing | Text-based protocol | Binary framing — more efficient parsing, less error-prone |
| TLS requirement | Optional | Mandatory for browser support (h2 requires TLS) |
TLS handshake overhead: The TLS handshake adds latency to the first
connection (1–2 additional round trips for TLS 1.2; 1 for TLS 1.3). Session
resumption (TLS session tickets) eliminates the handshake cost for
reconnections. On modern hardware and networks, TLS adds <1 ms of CPU
overhead per request — the performance argument against HTTPS is obsolete.
13. Implementing HTTPS — Step-by-Step
- Obtain a certificate from a trusted CA: For free certificates, use Let's Encrypt (automated, DV certificates, 90-day validity, auto-renewable via certbot). For paid certificates with OV/EV validation, use DigiCert, Sectigo, GlobalSign, or similar. Internal-only servers can use a private/internal CA.
-
Install the certificate on the web server:
# Apache — in VirtualHost block: SSLEngine on SSLCertificateFile /etc/ssl/certs/example.com.crt SSLCertificateKeyFile /etc/ssl/private/example.com.key SSLCertificateChainFile /etc/ssl/certs/intermediate.crt # Nginx: server { listen 443 ssl; ssl_certificate /etc/nginx/ssl/example.com.crt; ssl_certificate_key /etc/nginx/ssl/example.com.key; } -
Redirect all HTTP traffic to HTTPS:
# Apache — in port 80 VirtualHost: RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] # Nginx: server { listen 80; server_name example.com; return 301 https://$host$request_uri; } -
Enable HSTS to prevent SSL stripping attacks:
# Apache: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" # Nginx: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-
Configure strong cipher suites and disable legacy protocols:
# Nginx — recommended TLS configuration: ssl_protocols TLSv1.2 TLSv1.3; # Disable SSL 2/3, TLS 1.0/1.1 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:...; ssl_prefer_server_ciphers off; # Let client choose (TLS 1.3)
-
Automate certificate renewal (Let's Encrypt certificates expire
every 90 days):
# Certbot — runs renewal check twice daily via cron/systemd: 0 0,12 * * * root certbot renew --quiet
14. Key Points & Exam Tips
- HTTP: Port 80, plaintext, no authentication, no encryption, no integrity protection.
- HTTPS: Port 443, encrypted via TLS, server authentication via digital certificate, data integrity via HMAC.
- HTTP methods: GET (retrieve), POST (submit), PUT (replace), DELETE (remove), HEAD (headers only). GET parameters appear in URL — never use for passwords.
- HTTP status codes: 2xx = success, 3xx = redirect, 4xx = client error (404 Not Found, 401 Unauthorized), 5xx = server error.
- TLS versions: SSL 2/3 and TLS 1.0/1.1 are deprecated and must be disabled. TLS 1.2 is the minimum; TLS 1.3 is preferred.
- TLS handshake: ClientHello → ServerHello → Certificate → key exchange → session keys derived → encrypted channel established.
- TLS 1.3 advantages: 1-RTT (faster), mandatory forward secrecy (ECDHE), removed legacy ciphers.
- Certificate chain: Root CA → Intermediate CA → Server certificate. Browser validates the full chain to a trusted root.
- Certificate types: DV (domain only), OV (organisation verified), EV (extended validation), Wildcard (*.domain.com), SAN (multiple domains).
- HSTS forces browser to always use HTTPS; prevents SSL stripping;
max-agecontrols how long; HSTS Preload solves the first-visit problem. - MitM attack over HTTP: attacker intercepts and reads/modifies all traffic. HTTPS with certificate validation defeats MitM.
- HTTP/2 requires TLS in all major browsers — HTTPS is a prerequisite for modern web performance.
- HTTP 301 redirect sends browsers from HTTP to HTTPS permanently.
- Let's Encrypt provides free, automated DV certificates — widely used for most HTTPS deployments.
Related pages: DNS Purpose | DNS Lookup | DNS Configuration | Firewalls | OSI Model | Wireshark