If you’re a veteran internet user, you’ll remember a time when you had to type “http://” into your browser before every web address to load and access a certain site. These days, our browsers add this protocol automatically—however, most websites now use HTTPS instead of HTTP.
For example, take a look at your browser’s address bar—the place where it says “expressvpn.com/blog/”. Now, click on it twice. You should see a little padlock icon alongside the “https://” at the beginning of the URL.
These two elements signal that your connection to our site is encrypted and secure, and that your sensitive information, such as credit card numbers and login details, is protected.
So, what’s the difference between HTTP and HTTPS, and why do websites sporting HTTP replace that reassuring little padlock with a “Not secure” message? Let’s find out.
What is HTTP?
HTTP stands for Hypertext Transfer Protocol. It’s what enables web browsers and servers to communicate with each other over the internet.
It works by sending requests and receiving responses. When you want to interact with a web page, your browser sends an HTTP request. This request is sent to the host server, which then answers your browser’s HTTP request by generating an HTTP response. However, there’s a major problem with HTTP.
While HTTP is essential for browsing, it does nothing to prevent personal information from being leaked online as it lacks any form of encryption. This is because all data communicated via HTTP is sent and received as plain text, meaning that it can be intercepted and read by anyone who’s looking, including criminals.
For example, if you log into a website that uses HTTP, it’s very easy for someone to see your login details as this data isn’t encrypted.
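To make the point above concrete, here is an added example (not part of the original article) that audits a captured plaintext HTTP request for credentials sent in the clear. The request bytes, the `shop.example` host and the list of sensitive field names are constructed assumptions.

```python
import base64
from urllib.parse import parse_qsl

# Form field names treated as credentials (an assumption for this example).
SENSITIVE_FIELDS = {"username", "user", "email", "password", "passwd", "pwd"}

# Constructed sample: a login form submitted over http://, as it appears on the wire.
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 40\r\n"
    b"\r\n"
    b"username=alice&password=hunter2&next=%2F"
)


def exposed_credentials(raw):
    """List (location, field) pairs for credentials readable in a plaintext request.

    Only field names are reported, so the audit output never repeats the secrets.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    findings = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            # Basic auth is base64 encoding, not encryption: it decodes to user:password.
            base64.b64decode(auth[6:], validate=True).decode("utf-8")
            findings.append(("header", "authorization-basic"))
        except (ValueError, UnicodeDecodeError):
            pass
    if headers.get("content-type", "").lower().startswith("application/x-www-form-urlencoded"):
        for key, _ in parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True):
            if key.lower() in SENSITIVE_FIELDS:
                findings.append(("form", key))
    return findings


if __name__ == "__main__":
    for location, field in exposed_credentials(SAMPLE_REQUEST):
        print(f"cleartext credential in {location}: {field}")
```

The same bytes sent over HTTPS reach an observer only as encrypted TLS records, so a parser like this finds nothing to report.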
So, while HTTP used to be the standard, it’s now being shunned by websites because it’s not considered safe. This is where that extra S in HTTPS comes in.
What is HTTPS?
HTTPS (Hypertext Transfer Protocol Secure) is a more secure version of HTTP. It uses the same request and response system as HTTP, but with the addition of an encryption protocol known as TLS (Transport Layer Security)—the successor to the SSL (Secure Sockets Layer) protocol.
This encryption protects data in transit between your browser and the server, so a user’s sensitive data—such as banking details, usernames, passwords, or credit card information—can’t be read by anyone intercepting the connection. Therefore, it’s essential that any website that requires login details should use HTTPS.
For a website to get an HTTPS certificate, it needs to be checked by a Certificate Authority (CA). Your browser recognizes this certificate in the form of a little padlock—as seen in the example above. As a general rule, you can click on the icon next to any web address in your browser to find out more information about its certificate, or the lack thereof.
How does HTTPS encryption work?
TLS uses public key encryption to secure communication between your browser and the host server. There are two keys—a public key and a private key:
Public key: As its name implies, this key is available to anyone interacting with the server hosting the site you’re trying to access. The public key encrypts information about your interactions with the website—info that only the private key can decrypt.
Private key: This key is controlled by the owner of the website that you’re trying to access, and resides on its server. It is kept private and used to decrypt the information encrypted by the public key.
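Before data transfer takes place, your browser and the host server need to perform an SSL/TLS handshake to establish a secure connection. During the handshake, the server presents its certificate and the two sides agree on the session keys that encrypt the data that follows.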
Differences between HTTP and HTTPS
HTTPS is far more secure than HTTP. The latter doesn’t encrypt the connection between your browser and the host server. Every time you interact with a web page using HTTP, your activity can be seen by anyone interested in gathering that information—including hackers and your internet service provider.
While the encryption of HTTPS makes it slightly slower than HTTP, content on HTTPS sites will likely load faster than the same content over HTTP. One reason (of several) is that with HTTP, the page loads one element at a time, whereas multiple elements can load at the same time over HTTPS.
HTTP has mostly been phased out across the internet, although it can still be found on small blogs and even online shops. (Not on ExpressVPN Blog, of course. We use HTTPS across our entire site. In fact, the ExpressVPN browser extension for Chrome, Firefox, and Edge includes HTTPS Everywhere, which will automatically help you choose HTTPS if a site uses both protocols.) Pretty much any website that requires you to log in and provide sensitive information will use HTTPS. If it doesn’t, don’t input any sensitive information.
HTTPS has a good reputation and is great for building trust and credibility with website visitors. The little padlock that comes with HTTPS sites lets users know they’re browsing a page that protects their personal information.
Conversely, users will avoid HTTP sites, especially given that browsers like Chrome and Firefox warn them that these sites are not secure. This warning message leads to people leaving these sites, even if they don’t know anything about encryption.
For those who run websites, HTTPS wins hands down when it comes to SEO (search engine optimization). Google rewards sites using HTTPS with a ratings boost on their search engine. That “Not Secure” message (or warning) Google Chrome slaps on HTTP sites is a surefire way to get people to run away from your site.
FAQ: About HTTP and HTTPS
Can HTTPS be hacked?
Yes. While HTTPS enhances the security of websites, it doesn’t fully protect them from getting hacked. There are other vulnerabilities hackers can exploit, so it’s important to know that HTTPS is just one line of defense when it comes to website security. Even with HTTPS, there’s a risk of manipulator-in-the-middle and downgrade attacks, such as in cases where attackers trick your browser into connecting to the wrong endpoint or into reverting back to HTTP. These are reasons to use a VPN even when visiting HTTPS sites.
Do phishing sites use HTTPS?
Phishing sites come in all forms and could very well use HTTPS. They leverage the authority and trust that https:// and its padlock bring to lull people into a false sense of security. They think the website is safe and legit, while in fact, it’s just a phishing site trying to steal their information. While an HTTPS certificate ensures that no one else can see what you’re doing while you’re on the site, your details can still be stolen by the site itself, if it’s malicious.
Can an attacker intercept HTTPS traffic?
Yes. HTTPS is just one way to increase your security, but there are still risks. Some of the ways your traffic can be intercepted even with HTTPS are via malware on your device or via firewall rules on a site that redirect network traffic to the hacker.