HTTP stands for Hypertext Transfer Protocol. When you enter http:// in your address bar in front of the domain, it tells the browser to connect over HTTP. HTTP uses TCP over port 80 to send and receive data packets over the web.
Now, HTTPS stands for Hypertext Transfer Protocol Secure. When you enter https:// in your address bar in front of the domain, it tells the browser to connect over HTTPS. HTTPS also uses TCP to send and receive data packets, but it does so over port 443, within a connection encrypted by Transport Layer Security (TLS). It uses public-key encryption, with the data decrypted on the recipient side. The public key is deployed on the server and included in what you know as an SSL certificate. The certificates are cryptographically signed by a Certificate Authority (CA), and each browser has a list of CAs it implicitly trusts.
Good news. Your information is safe. The website you are working with has made sure that no one can steal your information. Using HTTPS, the computers agree on a "code" between them, and then they scramble the messages using that "code" so that no one in between can read them. This keeps your information safe from hackers.
HTTPS was created by Netscape Communications back in 1994 for use in its Netscape Navigator web browser. HTTPS originally used the SSL protocol, which eventually evolved into TLS.
HTTPS connections were primarily used for payment transactions on the World Wide Web, e-mail, and sensitive transactions in corporate information systems. Since 2018, HTTPS has been used more often by web users than the original non-secure HTTP, primarily to protect page authenticity on all types of websites, secure accounts, and keep user communications, identity, and web browsing private.
The SSL layer serves two main purposes:
- It confirms that you are talking directly to the server you think you are talking to.
- It ensures that only the server can read the data you send over the network. No one else can read it.
An SSL connection between client and server is established by a handshake, which focuses on the following:
- Making sure that the client is talking to the right server.
- Both parties agree on a 'cipher', which determines the encryption they will use to exchange data.
- Both parties agree on the key for this algorithm.
As soon as the connection is established, both parties can use the agreed algorithm and keys to securely send messages to each other.
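The handshake checks listed above, seen from the client side, as an added example that is not part of the original article. It uses Python's standard `ssl` module; the function names and the host `example.com` are assumptions chosen for illustration.

```python
import socket
import ssl


def make_client_context() -> ssl.SSLContext:
    """Client settings that enforce the handshake guarantees listed above."""
    ctx = ssl.create_default_context()            # loads the system's trusted CA list
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL and early TLS versions
    # Both are already the defaults; restated so the intent is explicit.
    ctx.check_hostname = True                     # certificate must name the host we asked for
    ctx.verify_mode = ssl.CERT_REQUIRED           # certificate must chain to a trusted CA
    return ctx


def summarize(version, cipher, cert) -> dict:
    """Turn the values negotiated in the handshake into a small report."""
    name, _protocol, bits = cipher
    subject = dict(pair for rdn in cert.get("subject", ()) for pair in rdn)
    return {
        "tls_version": version,                   # protocol both sides settled on
        "cipher": name,                           # agreed cipher suite
        "key_bits": bits,                         # strength of the session key
        "server_name": subject.get("commonName"),
        "valid_until": cert.get("notAfter"),
    }


def inspect_handshake(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect, complete the handshake, and report what was agreed."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # wrap_socket runs the handshake; an untrusted or mismatched
        # certificate raises ssl.SSLCertVerificationError here.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return summarize(tls.version(), tls.cipher(), tls.getpeercert())


if __name__ == "__main__":
    try:
        print(inspect_handshake("example.com"))   # placeholder host, needs network
    except ssl.SSLCertVerificationError as exc:
        print("server identity could not be verified:", exc.verify_message)
    except OSError as exc:
        print("connection failed:", exc)
```

If certificate verification fails, no application data is sent, because the exception is raised before `wrap_socket` returns a usable connection.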
As of April 2018, 33.2% of the Alexa top 1,000,000 websites use HTTPS by default, 57.1% of the Internet's 137,971 most popular websites have a secure implementation of HTTPS, and 70% of page loads use HTTPS, as measured by Firefox Telemetry.
The fact that most modern websites, including Google, Yahoo!, and Amazon, use HTTPS causes problems for many users trying to access public Wi-Fi hotspots, because a Wi-Fi hotspot login page fails to load if the user tries to open an HTTPS resource. Several websites, such as neverssl.com or nonhttps.com, guarantee that they will always remain accessible by HTTP.