HTTPS , HTTP: definition, differences, application

What is HTTPS?

HTTPS (Hypertext Transfer Protocol Secure) allows encrypted connections to be established on the Internet. The protocol is used by most websites and online services today to protect sensitive data from unauthorized access and manipulation during transmission.

Myra Services on this topic: Fully automated protection against overload attacks requiring minimal effort with Myra DDoS Protection

HTTPS: a definition

The Hypertext Transfer Protocol Secure (HTTPS) is a communication protocol on the World Wide Web that, in contrast to HTTP (Hypertext Transfer Protocol), allows data to be transmitted in encrypted form, making it as secure as possible against eavesdropping and forgery. Initially, webmasters used HTTPS technology exclusively on websites where sensitive content was processed – e.g., in online banking or e-commerce. In the meantime, however, the encrypted transmission protocol has become the standard on the Internet. Most site operators secure their online presence with HTTPS – if only to rank better in search engines. In most browsers, a padlock symbol indicates HTTPS-encrypted content, while unprotected pages are marked as potentially insecure.

How does HTTPS work?

HTTP and HTTPS both work according to the client-server principle. The web browser usually acts as the client and the web server as the HTTP server. To access a web page, the web browser sends a request to the web server, which processes it, sends back a response, and closes the connection. The request and response consist of a header with control information and the actual data. The communication itself is based on the text format and takes place via TCP (Transmission Control Protocol) on port 80.

In the request, the browser addresses a file on the server that the server should send to it. To do this, it transmits a URL in the header, which consists of the transport protocol (http://), the server's name (optional), the domain name and the final top-level domain (e.g., .de or .com). With HTTPS, the server additionally authenticates itself to the client by means of an SSL/TLS certificate (Secure Sockets Layer / Transport Layer Security). The client sends the server a random number that has been encrypted with the server's certificate. The client and server then calculate a key that is used to encode further communication.

Why use HTTPS?

Although only very few online portals process highly sensitive content, an unprotected website can still pose a threat to site visitors. For example, cybercriminals use unencrypted connections to corrupt connections and distribute malware on modified websites. Man-in-the-middle attacks (MITM) are used for this purpose, in which attackers hijack the communication between the user client and the web server of the respective website and take control of the data traffic.

Such MITM attacks often form the starting point for more extensive attacks on the systems of site visitors and the underlying network. In combination with other attack vectors such as spear phishing, it is also possible to infiltrate companies, government agencies and other organizations. To counter this danger, all websites and services on the network should be consistently encrypted with HTTPS.

How secure is HTTPS?

It is much more difficult for attackers to eavesdrop on, manipulate or take over HTTPS-encrypted sessions than it is with conventional HTTP connections. However, even HTTPS does not guarantee 100% security, because SSL/TLS is not immune to implementation errors and vulnerabilities despite all the care taken. In addition, some cybercriminals use the technology for their malware and phishing attacks, for example to give manipulated websites a confidential appearance. Nevertheless, HTTPS is a central piece of the puzzle for more IT security on the Internet, which is why all webmasters and site operators should use encryption.

HTTPS: what you need to know

Technically, HTTPS is the combination of traditional HTTP connections and SSL/TLS encryption. SSL/TLS certificates are required for the unique authentication of servers and domains, which provide the public key for establishing the secured sessions. Once the legitimacy of the domain is ensured and the necessary key pairs have been exchanged between the client and the web server, a protected HTTPS connection can be established on the Internet. Encryption makes it difficult for attackers to eavesdrop or manipulate data traffic during transmission.

Myra DDoS Protection also filters HTTPS-protected traffic and allows easy management of the SSL/TLS certificates required for this purpose. In addition, the Myra experts use SSL cipher management to ensure that the TLS configuration always complies with the latest security standards.

Want to learn more about our solutions, use cases and best practices for attack prevention? In our download area you will find product sheets, fact sheets, white papers and case studies.

To the download area