Introduction to HTTP/HTTPS
HTTP stands for Hypertext Transfer Protocol, the protocol used to transfer hypertext from World Wide Web servers to local browsers.
HTTP is based on the TCP/IP communication protocol for transmitting data (HTML files, image files, query results, etc.).
HTTPS stands for HyperText Transfer Protocol Secure, a protocol used for secure communication over a computer network.
HTTPS communicates via HTTP but uses SSL/TLS to encrypt data packets. The main purpose of HTTPS is to provide authentication of the website server and protect the privacy and integrity of exchanged data.
HTTP URLs start with http:// and use port 80 by default, while HTTPS URLs start with https:// and use port 443 by default.
HTTP Working Principle
The HTTP protocol operates on a client-server architecture.
Browsers, acting as HTTP clients, send all requests to web servers via URLs.
Web servers include Apache servers, IIS servers (Internet Information Services), etc.
After receiving requests, web servers send response information back to the client.
The default port number for HTTP is 80, but it can be changed to 8080 or another port.
Three Key Points about HTTP:
HTTP is connectionless: Each connection processes only one request. After the server processes the client's request and receives the client's acknowledgment, the connection is closed, saving transmission time.
HTTP is media independent: Any type of data can be sent over HTTP as long as both the client and server know how to handle the data. The client and server specify the appropriate MIME content type.
HTTP is stateless: The HTTP protocol is a stateless protocol. Lack of state means the protocol does not retain information about transaction processing. If subsequent processing requires previous information, it must be resent, which can increase the amount of data transmitted. On the other hand, when the server does not need previous information, its response is faster.
The following diagram illustrates the HTTP protocol communication flow:
Role of HTTPS
The main function of HTTPS is to create a secure channel over an insecure network. When appropriate cipher suites are used and the server certificate is verified, it provides reasonable protection against eavesdropping and man-in-the-middle attacks.
HTTPS trust is based on certificate authorities (CA) pre-installed in the operating system.
Therefore, an HTTPS connection with a website is only trustworthy under the following conditions:
The browser correctly implements HTTPS and the operating system has correctly installed and trusted certificate authorities.
Certificate authorities only trust legitimate websites.
The accessed website provides a valid certificate, issued by a certificate authority trusted by the operating system (most browsers issue warnings for invalid certificates).
The certificate correctly verifies the accessed website (e.g., accessing https://www.tutorialpro.org receives a certificate issued to www.tutorialpro.org, not another domain).
The encryption layer (SSL/TLS) of this protocol effectively provides authentication and high-strength encryption.
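The client-side conditions above correspond to three settings on a TLS client. The following is an added example, not code from the original page, using Python's standard ssl module; the function names are hypothetical. It audits a client context against those conditions and shows a weakened configuration beside a strict one.

```python
import socket
import ssl

def audit_tls_context(ctx):
    """Return findings for client settings that break the trust conditions."""
    findings = []
    # The certificate must chain to a CA trusted by the system.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified against trusted CAs")
    # The certificate must be issued to the host actually being accessed.
    if not ctx.check_hostname:
        findings.append("certificate name is not checked against the requested host")
    # The TLS layer must not fall back to obsolete protocol versions.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are allowed")
    return findings

def strict_client_context():
    """Client context that enforces all three conditions."""
    ctx = ssl.create_default_context()  # system trust store, CERT_REQUIRED, host check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def weak_client_context():
    """Misconfigured client: encrypts traffic but authenticates nobody."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # has to be disabled before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE   # any certificate is accepted, even self-signed
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # oldest version the library offers
    return ctx

def negotiated_details(host, port=443, timeout=5.0):
    """Connect with the strict context and return (TLS version, certificate subject).

    Raises ssl.SSLCertVerificationError when the chain or the host name
    fails validation, which is the condition a browser turns into a warning.
    """
    ctx = strict_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()["subject"]

if __name__ == "__main__":
    for name, ctx in (("strict", strict_client_context()), ("weak", weak_client_context())):
        print(name, audit_tls_context(ctx) or "no findings")
```

Running `audit_tls_context` over the contexts an application builds is a quick way to catch verification that was switched off during debugging and never restored.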
Browsers like Google Chrome, Internet Explorer, and Firefox issue warnings when a website contains mixed content of encrypted and unencrypted elements.
HTTP links are displayed as insecure, while HTTPS links are displayed as secure.