What is HTTPS?
On the World Wide Web, clients (such as your web browser) exchange data with the web server that a website is hosted on using the hypertext transfer protocol (HTTP). However, HTTP is an insecure means of transmitting information. In order to secure the information, the HTTPS protocol was developed. What HTTPS offers is a more secure web browsing experience in two main ways.
HTTPS prevents man-in-the-middle attacks
HTTP requests and responses are transmitted in plaintext, which means that the information in HTTP requests and responses are unencrypted. An attacker who intercepts HTTP requests and responses can spy on the contents easily or even modify the content.
By using SSL/TLS to secure the HTTP connection (hence a secured HTTP connection is also called HTTPS), information is encrypted during transmission. Even if sensitive information like your online banking username and password information is intercepted while in transit to your bank’s web server, it reads like gibberish because the attacker intercepting it does not have the right key to unscramble the encrypted information.
HTTPS establishes authenticity
By using SSL/TLS certificates, HTTPS can establish the authenticity of the web server that is hosting a domain. When you enter a domain name in your browser’s address bar, how does your web browser know that the web server that it is talking to after resolving the domain name’s IP address is really owned by the owner of the domain name?
Imagine booking a vacation home on Airbnb. To establish that the vacation home that you arrived at indeed belongs to the owner who posted the listing, Airbnb provides you with information about the vacation home in the official booking confirmation, such as the owner’s name, contact number, and pictures about the property. When you arrive at the vacation home, if all the officially supplied information from Airbnb checks out, you can be sure that you are indeed at the right place.
Similarly, the SSL/TLS certificate supplies the necessary information to verify a web server’s identity to the browser. This prevents spoofing attacks where a malicious attacker tries to trick a user into believing that the user is on the real website when in reality, the user is on a fake website created by the attacker. Because the attacker does not have the correct SSL/TLS certificate to prove the web server’s authenticity, your browser will alert you that malicious attackers might be trying to steal your data by tricking you.
Cost of implementing HTTPS
Given the benefits of secured information transmission through HTTPS, why isn’t HTTPS universal? One key reason is because organizations that issue SSL/TLS certificates (known as Certificate Authorities) charge money to issue these certificates. However, with the advent of non-profit CAs such as Let’s Encrypt issuing free SSL/TLS certificates, cost is no longer a concern and many more websites can now implement HTTPS to secure information transmission between clients and web servers.