HTTP vs. HTTPS: One little letter can make a lot of difference.

Brand Barney, Security Analyst, SecurityMetrics
By: Brand Barney
If you’ve never paid attention to the browser URL while surfing the Internet, today is the day to start. At the prefix of each website URL, you’ll usually see either HTTP or HTTPS. One shows the site you are on is secure (HTTPS), and the other does not (HTTP).

What is HTTP?

Hypertext Transfer Protocol (HTTP) is the way servers and browsers talk to each other. It’s a great language for computers, but it’s not encrypted. Think of it this way. If everyone in the world spoke English, everyone would understand each other. Every browser and server in the world speaks HTTP, so if an attacker managed to hack in, he could read everything going on in the browser, including that Facebook username and password you just typed in.

Hypertext Transfer Protocol Secure (HTTPS) is another language, except this one is encrypted using Secure Sockets Layer (SSL). Imagine if everyone in the world spoke English except two people who spoke Russian. If you happened to overhear them speaking in Russian, you wouldn’t understand them. It’s the same with HTTPS. If browsers use HTTPS to pass information, even if attackers manage to capture the data, they can’t read the information.

Does that mean HTTP websites are insecure?

The answer is, it depends. If you are just browsing the web, looking at cat memes and dreaming about that $200 cable knit sweater, HTTP is fine. However, if you’re logging into your bank or entering credit card information in a payment page, it’s imperative that URL is HTTPS. Otherwise, your sensitive data is at risk.

Watch the video response to this question below.

HTTPS is specific to the page you’re on. It’s not universal to a website.
So it doesn’t really matter if the homepage of your favorite sweater website says HTTPS if their payment page doesn’t.

SEE ALSO: The Ultimate Cheat Sheet on Making Online PCI Compliance Work for You

When HTTPS fails

HTTPS isn’t entirely 100% foolproof, as the Heartbleed vulnerability proved in April 2014. The Heartbleed vulnerability wasn’t necessarily a weakness in SSL, it was a weakness in the software library that provides cryptographic services (like SSL) to applications. Still, it is estimated that half a million secure web servers were affected. Luckily, most websites have since corrected that bug.

For a more complex look into how hackers use HTTP to capture data, check out this video.

How can I make sure information stays secure?

  • As a business: Work with a third party vendor to get an SSL certificate on your login and payment pages.
  • As a consumer: Don’t enter your sensitive information on pages that don’t have HTTPS. No matter how much you want that sweater, compromised information isn’t worth it!
Have a business security question? Tweet me and you may see your question answered on the next SecurityQ.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.