HTTPS vs HTTP: What difference does it make to security?

A close up of a browser window, showing the HTTPS protocol of a website in the URL bar
(Image credit: Shutterstock)

HyperText Transfer Protocol (HTTP) and HyperText Transfer Protocol Secure (HTTPS) are both communication protocols that form the foundation of the modern internet, allowing for the transfer of data between network-connected devices.

HTTP was developed in 1989 by the father of the World Wide Web, Tim Berners-Lee. HTTPS came some five years later, thanks to Netscape Communications and its Netscape Navigator web browser, offering a more secure version of the protocol.

Calls for more stringent controls on privacy led directly to the creation of HTTPS, and more awareness around what makes a webpage 'secure'. These discussions came to a head in 2018, when Google made the headline-grabbing decision to label HTTP as 'not secure'.

This gave HTTPS the green light to become the web standard it is today.

HTTPS vs HTTP: The key differences

Both HTTP and HTTPS are communication protocols used to transfer data between devices connected to a network, typically a user's device and a web server. HTTP is considered the foundation of the modern internet, and is categorised as being part of the application layer of the TCP/IP framework. HTTP network traffic is routed through port 80 by default, while HTTPS uses port 443.

The key difference between HTTPS vs HTTP is that HTTP transfers data using plain text, while HTTPS obfuscates this traffic using public key encryption via the secure sockets layer (SSL) and transport layer security (TLS). In this way, HTTPS can help prevent would-be hackers from targeting victims with so-called 'man-in-the-middle', attacks where they attempt to intercept data while it's in transit.

Any sensitive information being transferred using the HTTP protocol, such as passwords or financial information, could be monitored by hackers through these attacks, with potentially devastating consequences for businesses and consumers alike.

That isn’t to say that all web activity performed over HTTPS is completely safe. In Q2 2023, 95.6% of all malware was found behind the kind of encrypted layer used for HTTPS, according to WatchGuard research. To handle the threat landscape, businesses are often told to inspect their HTTPS traffic.

In order to gain an SSL certificate to enable HTTPS, a verification check is performed on all domains linked to the current owner, in some cases legal certificates may be requested to confirm all is as expected.

Another benefit of using HTTPS is improved web rankings on Google, with only the most secure and authoritative sites getting featured on the first page.

Are there any downsides to using HTTPS?

In order to obtain an SSL certificate, firms are required to pay a sum to a trusted vendor. This is typically charged annually and could be difficult for the smallest businesses to pay. However, the fee is a small burden in light of all the security benefits of HTTPS.

Another potential downside of HTTPS is that the encryption and decryption of data can be a slow process, which can lead to slightly longer webpage waits than is ideal. Again, however, this does not outweigh HTTPS' security benefits in the long term.

According to Google, 95% of websites that were found through the platform used HTTPS over HTTP in September 2023. It is clear that a small minority of HTTP websites still exist, but they are already outdated in their approach to security.

How to switch from HTTP to HTTPS

If your business is still registered to an HTTP domain, it’s worth looking into adopting HTTPS. Although it could seem a complex undertaking, the process is actually quite straightforward and benefits are quick to materialize, from improving your business’ visibility on Google to stopping would-be attackers in their tracks.

The first step is to get hold of your website’s hosting company. You should ask them to help you purchase an SSL certificate, which they should also help install.

While you do so, ensure that you haven’t left behind any stray website links, otherwise, when you move away from HTTP they could be left broken and remove these pages from customer view altogether.

RELATED RESOURCE

Storage's role in addressing the challenges of ensuring cyber resilience

Understanding the role of data storage in cyber resiliency

FREE DOWNLOAD

After the SSL certificate is issued and installed, your website’s hosting company should be able to simply redirect any traffic from the old HTTP version of your website to the new HTTPS one.

If your website’s hosting company is unwilling or unable to comply for any reason, there is also a wide range of third-party vendors that would be able to assist you in purchasing an SSL certificate. 

You can also take matters into your own hands by manually installing the SSL on your file transfer protocol (FTP), although you will also need to remember to set up a redirect from the HTTP version of the site to HTTPS for the reasons mentioned above.

Jane McCallion
Deputy Editor

Jane McCallion is ITPro's deputy editor, specializing in cloud computing, cyber security, data centers and enterprise IT infrastructure. Before becoming Deputy Editor, she held the role of Features Editor, managing a pool of freelance and internal writers, while continuing to specialise in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.