HTTP vs. HTTPS: Definition, Comparison & Security Implications

HTTP is the hypertext transfer protocol that enables a browser (like your computer's) to get resources from a server (like a website's). HTTPS is a secure form of this protocol that blocks some types of activities from hackers. 

Of the top 100 sites as ranked by Google, 90 default to HTTPS. The resistant ten will likely make the switch as security and privacy grow even more important to consumers and businesses.

Difference between HTTP and HTTPS 

Browsers and servers rely on a shared protocol to connect and communicate with one another. That protocol is HTTP, which stands for the hypertext transfer protocol. 

The protocol is stateless, meaning that it connects as soon as something asks it to do so. You don't need to jump through hoops or do anything special to make it work. In fact, you probably used HTTP to get to this page. 

When you type in a website address, whether you tap the "http" letters in or not, your device uses the protocol to chat up the destination server. A series of "get" requests through HTTP protocols allow your device to ask for all the pieces it needs to load a web page. 

The HTTP protocol is the internet's foundation, but users quickly learned that their communication wasn't secure. In the 1990s, developers created the HTTPS protocol, which builds on the benefits of its predecessor. 

The HTTPS protocol has three important additions:

  1. Encryption: At the start of a connection, your browser and a server set session keys to protect data in transit. 
  2. Authentication: Users get assurances that they're truly connecting with the server they requested. 
  3. Protection: Data can't be altered in transit. 

Originally, people only used HTTPS for sensitive transactions, including those involving money. But now, people use it for almost everything. 

Security is the main difference between HTTP vs. HTTPS. If you're not using the newer version of the protocol, any data you give a website (such as your password or Social Security number) is exposed and readable by hackers. Similarly, hackers could alter anything you do on a site without your knowledge, or you could connect to the wrong site altogether. 

HTTP vs. HTTPS: advantages and limitations

As a website owner or manager, you have the choice to implement the newer HTTPS protocol or stick with the older HTTP protocol. 

Advantages of HTTP include:

  • Ease of administration. You don't need a fancy certificate or proof of ownership to get started. You can set up your site and start right away. 
  • Familiarity. If your website is older, you've probably used the HTTP protocol. If you dislike the idea of changing anything that's working, you may resist the switch. 
  • Site equity. To implement HTTPS, you'll need to redirect all of your old web pages to the new versions. That could have (subtle) implications for your visibility in search engines. 

Limits of HTTP include:

  • Lack of privacy. As we've mentioned, this model completely exposes traffic. 
  • Poor performance. Search engines like Google use HTTPS as a ranking signal. Even if your site is old and has plenty of equity, your new pages may not rank highly on a search engine results page unless they use HTTPS. 
  • Consumer disappointment. Savvy consumers demand secure conversations. That's why companies have built tools like HTTPS Everywhere. These extensions for Firefox, Chrome, and Opera will block the loading of any site that doesn't use HTTPS. 

Advantages of HTTPS include:

  • Enhanced security. Visitors to your site can exchange data with confidence. 
  • Compliance. If your site accepts sensitive information (such as credit card data), your regulatory environment may require you to use HTTPS. 
  • Global assistance. If sites with small amounts of sensitive data are protected, their work helps more sensitive sites too. Improved security on every site dissuades hackers from continuing their work. 

Disadvantages of HTTPS include:
 

  • Technical know-how. You will need to know basic coding (or hire someone that does) to migrate your site from one protocol to another.
  • Renewing paperwork. You must attain a certificate of ownership and keep it current to ensure your site stays online. Skip those steps, and your site could go down.

Switching from HTTP to HTTPS 

As a website owner, it's your responsibility to keep your visitor data safe and secure. And most organisations face intense pressure to migrate their sites to the new protocols to keep the global internet environment safe. 

But switching from HTTP to HTTPS isn't as simple as flicking a switch. It requires three steps:

  1. Certification: You must get a trusted certificate that proves you're the owner of the website. Sites like Let's Encrypt allow you to get and configure that certificate. And renewals are automatic. 
  2. Programming: You must install that certificate on your site (or ask your hosting company to do that for you). Then, you must redirect all of your HTTP pages to the new HTTPS versions. 
  3. Notification: Everyone who uses your site (including your marketing and sales teams) must understand that you're doing something new. They must always use the HTTPS address when they're linking to your site or talking about it. You must also notify search engines like Google that you've changed your site. (On Google, you can do this through Google Search Console.)

Your site must render all of your pages via HTTPS. Mixing between the two protocols can leave your site open to both active and passive attacks. Some developers place sensitive pages (such as login screens) within HTTPS, but they allow the rest of the page to render via HTTP. This isn't wise. 

Do you want to know more about how websites load? Read our blog about the Domain Name System

References

HTTPS Encryption on the Web. Google. 

How Let's Encrypt Doubled the Internet's Percentage of Secure Websites in Four Years. (November 2019). University of Michigan. 

HTTPS as a Ranking Signal. (August 2014). Google. 

HTTPS: Everywhere. Electronic Frontier Foundation. 

Why HTTP for Everything. Federal Chief Information Officers. 

About Let's Encrypt. Let's Encrypt. 

How to Deploy HTTPS Correctly. (October 2020). Electronic Frontier Foundation.