HTTP vs HTTPS: What difference does it make to security?

A close up of a browser window, showing the HTTPS protocol of a website in the URL bar
(Image credit: Shutterstock)

Looking directly at the two acronyms 'HTTPS' and 'HTTP', the first thing to point out is that the 'S' on the latter refers to an additional layer of security. Its full name is 'Hypertext Transfer Protocol Secure'. However, both HTTPS and HTTP are essential functions for businesses and there are more differences than just an initialism.

RELATED RESOURCE

Introducing IBM Security QRadar XDR

A comprehensive open solution in a crowded and confusing space

FREE DOWNLOAD

HTTP, which stands for Hypertext Transfer Protocol, was developed in 1989 by Tim Berners-Lee, the father of the World Wide Web, no less. HTTPS came some five years later, thanks to Netscape Communications and its Netscape Navigator web browser.

What led to the development of HTTPS were calls for tighter privacy controls and more awareness around what makes a webpage 'secure'. Back in 2018, Google caused a bit of a stir by labelling HTTP as 'not secure', giving HTTPS the green light to become the web standard.

That, however, doesn't mean that your web surfing is completely safe on HTTPS. In 2021, 91.5% of all malware attacks were sent via HTTPS traffic, so there is still great risk here. So, to ward off these kinds of threats, businesses are advised to conduct HTTPS encrypted traffic inspections and engage in advance behaviour-based threat detection and response.

What are the benefits of HTTPS over HTTP?

Browsing with HTTP transmits data in plain text, which masks it for would-be hackers performing so-called 'man-in-the-middle' attacks where they attempt to intercept data while it's in transit.

HTTPS, on the other hand, works with public key encryption through SSL/TLS to prevent the same kind of hack.

A good example comes from web specialist Cloudflare: If a user sent the message "Hello World!", the unauthorized party would see that exact phrase and some additional information, such as the server or the time the text was entered.

With HTTPS, it would see something like the following:

't8Fw6T8UV81pQfyhDkhebbz7+oiwldr1j2gHBB3L3RFTRsQCpaSnSBZ78Vme+DpD....'

Additionally, for a website to have the SSL certificate that enables it to use HTTPS, the domain must be verified to check that it belongs to the website owner and in some cases, legal certificates must be presented to verify everything is in order.

Another benefit of using HTTPS is improved web rankings on Google, with only the most secure and authoritative sites getting featured on the first page.

How to switch from HTTP to HTTPS

If your business is still registered under an HTTP domain, you should consider making the switch to HTTPS. Even though it may seem like a big task to undertake, the process really isn’t that complicated, and there are plenty of benefits, from improving your business’ visibility on Google to thwarting man-in-the-middle attacks.

So, how exactly does one change to HTTPS? The first step is to get hold of your website’s hosting company. You should ask them to help you purchase an SSL certificate, which they should also help install. While you do so, ensure that you haven’t left behind any stray website links, otherwise, when you move away from HTTP, they could be left broken, cutting off customers from these pages altogether.

RELATED RESOURCE

Storage's role in addressing the challenges of ensuring cyber resilience

Understanding the role of data storage in cyber resiliency

FREE DOWNLOAD

After the SSL certificate is issued and installed, your website’s hosting company should be able to simply redirect any traffic from the old HTTP version of your website to the new HTTPS one.

In the situation where your website’s hosting company is being unhelpful for any reason, bear in mind that there is an abundance of third-party vendors which would be able to assist you in purchasing an SSL certificate. It might be worthwhile shopping around and weighing up the packages offered by various vendors. If your hosting provider is helpful, however, it’s undeniable that the easiest option is sticking with them, as the sheer number of alternative providers can be a lot to sift through.

You can also take matters into your own hands by manually installing the SSL on your FTP, although you will also need to remember to set up a redirect from the HTTP version of the site to HTTPS for the reasons mentioned above.

Jane McCallion
Deputy Editor

Jane McCallion is ITPro's deputy editor, specializing in cloud computing, cyber security, data centers and enterprise IT infrastructure. Before becoming Deputy Editor, she held the role of Features Editor, managing a pool of freelance and internal writers, while continuing to specialise in enterprise IT infrastructure, and business strategy.

Jane holds an MA in journalism from Goldsmiths, University of London, and a BA in Applied Languages from the University of Portsmouth. She is fluent in French and Spanish, and has written features in both languages.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.