What are the differences between HTTP and HTTPS?

Tips & tricks
4 mins

If you’re a veteran internet user, you’ll remember a time when you had to type “http://” into your browser before every web address to load and access a certain site. These days, our browsers add this protocol automatically—however, most websites now use HTTPS instead of HTTP.

For example, take a look at your browser’s address bar—the place where it says “expressvpn.com/blog/”. Now, click on it twice. You should see a little padlock icon alongside the “https://” at the beginning of the URL.

A browser address bar showing https and the lock icon.


These two elements signal that your connection to our site is encrypted and secure, and that your sensitive information such as credit card numbers and login details are protected.

So, what’s the difference between HTTP and HTTPS, and why do websites sporting HTTP replace that reassuring little padlock with a “Not secure” message? Let’s find out.

What is HTTP?

HTTP stands for Hypertext Transfer Protocol. It’s what enables web browsers and servers to communicate with the internet.

It works by sending requests and receiving responses. When you want to interact with a web page, your browser sends an HTTP request. This request is sent to the host server, which then answers your browser’s HTTP request by generating an HTTP response. However, there’s a major problem with HTTP.

While HTTP is essential for browsing, it does nothing to prevent personal information from being leaked online as it lacks any form of encryption. This is because all data communicated via HTTP is sent and received as plain text, meaning that it can be intercepted and read by anyone who’s looking, including criminals.

For example, if you log into a website that uses HTTP, it’s very easy for someone to see your login details as this data isn’t encrypted.

So, while HTTP used to be the standard, it’s now being shunned by websites because it’s not considered safe. This is where that extra S in HTTPS comes in. 

What is HTTPS?

HTTPS (Hypertext Transfer Protocol Secure) is a more secure version of HTTP. It uses the same requests and response systems as HTTP, but with the addition of an encryption protocol known as TLS (Transport Layer Security)—the successor to the SSL (Secure Sockets Layer) protocol.

This end-to-end encryption ensures that a user’s sensitive data—such as banking details, usernames, passwords, or credit card information—can’t be leaked online. Therefore, it’s essential that any website that requires login details should use HTTPS.

For a website to get an HTTPS certificate, it needs to be checked by a Certificate Authority (CA). Your browser recognizes this certificate in the form of a little padlock—as seen in the example above. As a general rule, you can click on the icon next to any web address in your browser to find out more information about its certificate, or the lack thereof.

Read more: The internet is safer now—but a VPN is still essential protection

How does HTTPS encryption work?

TLS uses public key encryption to secure communication between your browser and the host server. There are two keys—a public key and a private key:

Public key: As its name implies, this key is available to anyone interacting with the server hosting the site you’re trying to access. The public key encrypts information about your interactions with the website—info that only the private key can decrypt.

Private key: This key is controlled by the owner of the website that you’re trying to access, and resides on its server. It is kept private and used to decrypt the information encrypted by the public key.

Before data transfer takes place, your browser and the host server need to perform an SSL/TLS handshake. This handshake is needed in order to establish a secure connection.

Differences between HTTP and HTTPS


HTTPS is far more secure than HTTP. The latter doesn’t encrypt the connection between your browser and the host server. Every time you interact with a web page using HTTP, your activity can be seen by anyone interested in gathering that information—including hackers and your internet service provider. 


While the encryption of HTTPS makes it slightly slower than HTTP, content on HTTPS sites will likely load faster than the same content over HTTP. One reason (of several) is with HTTP, the page loads one element at a time over, whereas multiple elements can load at the same time over HTTPS.


HTTP has mostly been phased out across the internet, although it can still be found on small blogs and even online shops. (Not on ExpressVPN Blog, of course. We use HTTPS across our entire site.) Pretty much any website that requires you to log in and provide sensitive information will use HTTPS. If it doesn’t, don’t input any sensitive information.


HTTPS has a good reputation and is great for building trust and credibility with website visitors. The little padlock that comes with HTTPS sites lets users know they’re browsing a page that protects their personal information. 

Conversely, users will avoid HTTP sites, especially given that browsers like Chrome and Firefox warn them that these sites are not secure. This warning message leads to people leaving these sites, even if they don’t know anything about encryption. 


For those who run websites, HTTPS wins hands down when it comes to SEO (search engine optimization). Google rewards sites using HTTPS with a ratings boost on their search engine. That “Not Secure” message (or warning) Google Chrome slaps on HTTP sites is a surefire way to get people to run away from your site.


Can HTTPS be hacked?
Do phishing sites use HTTPS?
Can an attacker intercept HTTPS traffic?
Phone protected by ExpressVPN.
Protect your privacy with the best VPN

30-day money-back guarantee

A phone with a padlock.
Enjoy a safer online experience with powerful privacy protection
What is a VPN?
Welcome to my own little pocket of reality. Watch out for YouTube marathons about space and existentialism, Herbie Hancock humming sessions, and Timmy Trumpet duet sessions.