What’s the difference between HTTP and HTTPS?

Hypertext transfer protocol (HTTP) is a protocol or set of communication rules for client-server communication. When you visit a website, your browser sends a HTTP request to the web server, which responds with an HTTP response. The web server and your browser exchange data as plaintext. In short, HTTP protocol is the underlying technology that powers network communication. As the name suggests, hypertext transfer protocol secure (HTTPS) is a more secure version or an extension of HTTP. In HTTPS, the browser and server establish a secure, encrypted connection before transferring data.

How does HTTP protocol work?

HTTP is an application layer protocol in the Open Systems Interconnection (OSI) network communication model. It defines several types of requests and responses. For example, when you want to view some data from a website, you send the HTTP GET request. If you want to send some information, like filling out a contact form, you send the HTTP PUT request.

Similarly, the server sends different types of HTTP responses in the form of number codes and data. Here are some examples:

  • 200 - OK
  • 400 - Bad request
  • 404 - Resource not found

This request-response communication is usually invisible to your users. It’s the communication method that the browser and web servers use, so the World Wide Web works consistently for everyone.

How does HTTPS protocol work?

HTTP transmits unencrypted data, which means that information sent from a browser can be intercepted and read by third parties. This wasn’t an ideal process, so it was extended into HTTPS to add another layer of security to communication. HTTPS combines HTTP requests and responses with SSL and TLS technology.

HTTPS websites must obtain an SSL/TLS certificate from an independent certificate authority (CA). These websites share the certificate with the browser before exchanging data to establish trust. The SSL certificate also contains cryptographic information, so the server and web browsers can exchange encrypted or scrambled data. The process works like this:

  1. You visit an HTTPS website by typing the https:// URL format in your browser’s address bar.
  2. The browser attempts to verify the site’s authenticity by requesting the server’s SSL certificate.
  3. The server sends the SSL certificate that contains a public key as a reply.
  4. The website’s SSL certificate proves the server identity. Once the browser is satisfied, it uses the public key to encrypt and send a message that contains a secret session key.
  5. The web server uses its private key to decrypt the message and retrieve the session key. It then encrypts the session key and sends an acknowledgment message to the browser.
  6. Now, both browser and web server switch to using the same session key to exchange messages safely.

Read more about SSL/TSL certificates »

What’s the difference between HTTP/2, HTTP/3, and HTTPS?

The original HTTP version released in 1996–97 was called HTTP/1.1. HTTP/2 and HTTP/3 are upgraded versions of the protocol itself. The data transfer system’s been modified to make it more efficient. For example, HTTP/2 exchanges data in binary instead of textual format. It also allows servers to proactively transmit responses to client caches instead of waiting for a new HTTP request. HTTP/3 is relatively new but attempts to take HTTP/2 one step further. The goal of HTTP/3 is to support real-time streaming and other modern data transfer requirements more efficiently.

HTTPS prioritizes data security concerns in HTTP. Modern systems use HTTP/2 with SSL/TLS as HTTPS. As HTTP/3 matures, browser and server technology will eventually integrate it under HTTPS as well.

Why choose HTTPS over HTTP?

Next, we’ll discuss some benefits of HTTPS over HTTP.

Security

HTTP messages are plaintext, which means unauthorized parties can easily access and read them over the internet. In contrast, HTTPS transmits all data in encrypted form. When users submit sensitive data, they can be confident that no third parties can intercept the data over the network. It’s better to choose HTTPS to protect potentially sensitive information like credit card details or customers’ personal information.

Authority

Search engines generally rank HTTP website content lower than HTTPS webpages due to HTTP being less trustworthy. Customers also prefer HTTPS websites over HTTP. The browser makes the HTTPS connection visible to your users by placing a padlock icon in the browser’s address bar next to the website URL. Users prefer HTTPS websites and applications due to these additional security and trust factors.

Performance and analytics

HTTPS web applications load faster than HTTP applications. Similarly, HTTPS also tracks referral links better. Referral traffic is your website’s traffic from third-party sources like advertisements or social media backlinks. You must enable HTTPS if you want analytics software to identify your reliable traffic sources accurately.

Is HTTPS setup more expensive than HTTP?

HTTPS requires you to obtain and maintain an SSL/TLS certificate on your server. In the past, most certificate authorities would charge an annual fee for certificate registration and maintenance. However, that’s no longer the case.

There are many sources to obtain free SSL certificates. For example, at Amazon Web Services (AWS), we offer AWS Certificate Manager (ACM). ACM provisions, manages, and deploys public and private SSL/TLS certificates that you can use with AWS services and your internally connected resources. ACM removes the time-consuming manual process where you’d purchase, upload, and renew SSL/TLS certificates.

Summary of differences: HTTP vs. HTTPS

 

 

HTTP

HTTPS

Stands for

Hypertext Transfer Protocol

Hypertext Transfer Protocol Secure

Underlying Protocols

HTTP/1 and HTTP/2 use TCP/IP. HTTP/3 uses QUIC protocol.

Uses HTTP/2 with SSL/TLS to further encrypt the HTTP requests and responses

Port

Default Port 80

Default Port 443

Used for

Older text-based websites

All modern websites

Security

No additional security features

Uses SSL certificates for public-key encryption

Benefits

Made communication over the internet possible

Improves website authority, trust, and search engine rankings

How can AWS support your HTTPS requirements?

On this website, you can review AWS networking and content delivery services that support HTTPS and SSL/TLS by default. 

Amazon Lightsail lets you quickly build applications and websites with low-cost, preconfigured cloud resources. In addition, you can use Lightsail load balancers to build secure applications and accept HTTPS traffic. Lightsail makes it easier for you to request, provision, and maintain SSL/TLS certificates. The built-in certificate management requests and renews certificates on your behalf and automatically adds the certificate to your load balancer.

Amazon Cloudfront gives you three options for accelerating your entire website and delivers your content securely over HTTPS from all CloudFront edge locations. In addition to delivering securely from the edge, you can also configure the content delivery network (CDN) to use HTTPS connections for origin fetches. This means your data is secured with end-to-end encryption from your origin to your users.

Get started with HTTPS on AWS by creating a free account today.

Next Steps with AWS

Start building with Amazon Lightsail
Start building with Amazon Cloudfront