What is HTTPS? How do HTTP and HTTPS protocols work?

If you are new to the world of managing a website or blog, words such as HTTP and HTTPS might confuse you. So, this article starts with the very basics, such as "what is HTTPS". If you have been on the scene for a long time but have ignored implementing HTTPS on your website or blog, you had better brush up your knowledge and install HTTPS on your website without losing time.

For easy understanding, I have broken this article into sections.

What is HTTPS?

HTTPS is a secure way of transmitting data between a website and a web browser.

The first expression in any web address or URL is http:// or https://. Even if the browser at times does not show this, it is there, hidden from our view.
 
Websites (static websites, portals, blogs, forums, social media entities are all different forms of websites) can be seen on the browsers of our devices because of a technical protocol (=a set of norms that are well established and which are followed by all) called Hypertext Transfer Protocol or HTTP.
 
When you want to open a website, you either type out its URL or click on a link to that website. Your web browser instantly checks the website's basic information. If it finds that the website is following HTTP protocol, it sends a request to the website server for data. After a technical handshake, the data is provided to your web browser and the website opens on your device.
 
After some years of existence with HTTP, it was found that hackers and criminals can exploit the communication between the visitor's browser and the website's server, thus getting entry into the server, stealing data, pushing malicious data, and so on. Spy agencies and government-owned surveillance tools can intercept the communication with even greater efficiency as they have very powerful tools.
 
Different ways were (and are constantly being) devised to counter this exploitation. One of the most important ways of securing communication or data transfer on the web is the introduction of HTTPS, a protocol that is essentially HTTP with an S (=secure) layer attached to it. Thus, the communication between the two computers has to pass through a sort of security gate where the gatekeeper (the security layer) checks the ID of the message and of the website.

If you need a more elaborate definition of HTTP, here is how Webopedia defines HTTP:
HTTP is the underlying protocol used by the World Wide Web and this protocol defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands.



What is SSL?

HTTPS happens because of a piece of software (= security layer, security certificate) that acts as gatekeeper for a domain/website. The software is issued by a Certification Agency. How to get an SSL certificate from a Certification Agency is discussed in a section below.

SSL (Secure Sockets Layer) is the most common security layer used to stop unwanted elements from capturing a website's communication and data transfer. On the website's side, SSL is nothing but a certificate installed on the server where the website is hosted, together with the software that uses it. TLS (Transport Layer Security) is the more recent version of this layer and takes care of some vulnerabilities found in SSL. For the sake of uniformity, I will refer to both as SSL in this article.
 



How does HTTPS work?

When you enter a URL in your web browser, the browser generates a request. It looks for the URL over the internet, and when it finds the target server, it asks that server to pass on the information so that the website can be displayed in the browser. In the case of HTTPS-enabled sites, this request meets the SSL or TLS software before anything else happens. The SSL certificate information is passed back to the browser in which the URL was typed. The browser checks whether the certificate is trustworthy. After verification of the certificate, there is a 'handshake' between the web server and the browser, and from then on all the data flowing between the two ends during that session is encrypted.

What follows from the above [highly simplified] discussion is that there is a security certificate at the gate of the website and there is a store of trusted certificates in the browser (browsers keep updating this list). So, if the certificate is not valid or is corrupted, the browser will not open the website but will issue a warning to the user that the website is not secure.
 
For some years now, browsers have been popping up a security warning, even if a non-HTTPS website is genuine and safe because the genuineness of the website does not guarantee that the communication between it and a web browser will be secure. When the security setting of a browser is set to maximum, such sites do not open at all.



Types of HTTPS

The HTTPS prefix is a stamp that there is an SSL/TLS certificate at the gate of the website. But it does not tell you how strong the security provided by the certificate is. Certification Agencies (CAs) issue different types of certificates to cater to different levels of security. The higher the level of security you demand, the costlier the certificate.

Before issuing a certificate, the CA carries out certain security checks (=validations) for the website and the website owner, as follows:
  • When the CA only verifies the domain before issuing a certificate, it is called Domain-Control Validation (DV). As you would expect, this is the lowest level of security certificate. The CA, in this case, tells the web browser of the user: "I have checked the domain of this website. The domain is an actual domain and not a duplicate or fake or phishing domain. The data flow between this website and a web browser will be encrypted and secure." So, a domain can have this certificate even if it belongs to a criminal or fraudster.
  • In the next level of security check, the CA checks whether the organization or individual behind the website/ domain is genuine. This is called Organization Validation (OV).
  • When the website/domain needs the strongest level of security, it installs an Extended Validation (EV) certificate. In that case, the CA makes rigorous checks of the owner's identity. Only a highly trustworthy owner can get such a security certificate. Banks and other websites that deal with money and online transactions must have this level of security.
See the picture below. It shows how Google Chrome's address bar shows 4 different types of security levels (HTTP only and three HTTPS levels). The lower portion in each case is the small window that opens after clicking on the lock before the URL. (Other web browsers have more or less similar ways of depicting the level of HTTPS security.)

[Image: what is HTTPS]

The first URL shown above belongs to a domain with the HTTP, not HTTPS, prefix. Look at the lock before the URL: it has been crossed out. The second one has an HTTPS certificate and therefore there is a lock preceding the URL, but some elements (e.g. images) on the website are not served over HTTPS, so it gives a warning. The third URL is a common website with HTTPS security. The fourth one belongs to a bank's website. It has a lock as well as the name of the verified owner.
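The browser checks described under "How does HTTPS work?" and the DV/OV/EV levels shown above, as an added Python example (not the article's own code): the certificate dicts use the layout Python's ssl.getpeercert() returns, the "policies" key is an assumption (getpeercert() does not expose the certificatePolicies extension), and the policy OIDs are the public CA/Browser Forum identifiers, although real browsers also recognise CA-specific EV OIDs.

```python
import ssl

# CA/Browser Forum certificatePolicies OIDs that mark the validation level.
POLICY_LEVELS = {"2.23.140.1.2.1": "DV", "2.23.140.1.2.2": "OV", "2.23.140.1.1": "EV"}

def host_matches(pattern, hostname):
    """RFC 6125-style name check: '*' may only stand for the whole leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                                   # ".blog.example"
    left = hostname[:-len(suffix)] if hostname.endswith(suffix) else ""
    return bool(left) and "." not in left                  # exactly one label

def subject_field(cert, key):
    """Pull one attribute (e.g. organizationName) out of a getpeercert() subject."""
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == key:
                return v
    return None

def padlock_state(cert, hostname, now_epoch):
    """Run the checks a browser makes before it shows (or crosses out) the padlock."""
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(host_matches(n, hostname) for n in dns_names):
        return {"secure": False, "level": None, "owner": None, "problem": "not for this domain"}
    if now_epoch > ssl.cert_time_to_seconds(cert["notAfter"]):
        return {"secure": False, "level": None, "owner": None, "problem": "certificate expired"}
    level = next((POLICY_LEVELS[o] for o in cert.get("policies", ()) if o in POLICY_LEVELS), None)
    org = subject_field(cert, "organizationName")
    if level is None:                                      # no policy OID: fall back on subject
        level = "OV" if org else "DV"
    # Only EV certificates get the verified owner's name shown next to the lock.
    return {"secure": True, "level": level, "owner": org if level == "EV" else None, "problem": None}

# Constructed sample certificates in getpeercert() layout; not real certificates.
BANK_CERT = {
    "subject": ((("organizationName", "Example Bank Ltd"),), (("commonName", "bank.example"),)),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "www.bank.example")),
    "notAfter": "Jan 15 00:00:00 2030 GMT", "policies": ("2.23.140.1.1",),
}
BLOG_CERT = {
    "subject": ((("commonName", "blog.example"),),),
    "subjectAltName": (("DNS", "blog.example"), ("DNS", "*.blog.example")),
    "notAfter": "Jan 15 00:00:00 2030 GMT", "policies": ("2.23.140.1.2.1",),
}
```

Pass `time.time()` as `now_epoch` for a live check; the sample dicts are what a real `getpeercert()` would hand you after a verified connection.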

To make things clear again: if an HTTPS-enabled website has an SSL/TLS certificate with only domain validation, the domain can be trusted as genuine, but its owner could still be of doubtful credentials. So, sites with HTTPS certification of the first type could still be malicious. Moreover, criminals could misuse HTTPS-enabled websites, such as blogs, where third-party content is allowed.

There could also be rogue or corrupted certificates getting issued, or the same certificate being used for one good site and many bad ones. Some such cases have appeared in the press.

So, for confidential/monetary transactions, you must be sure that the website uses a higher level of certification, seen as a padlock and the company's name before the URL. Do not share confidential information such as a credit card CVV on websites that do not have the top level of security.



How to install an SSL certificate on your website?

As explained above, for HTTPS security on your website, you need to get an SSL certificate. Most Certification Agencies charge for it, and some have started giving the DV level of certificate free too.
 
An SSL certificate also comes bundled with expensive web hosting packages. On base level packages, even if they provide HTTPS free, it usually becomes a paid certificate when you renew the hosting plan.

For getting HTTPS, you have to apply for the certificate, and after some formalities and checks, the Certification Agency gives you the desired certificate. It involves installing the certificate on the web server where the website is hosted. On every web host platform, there is a straightforward procedure to install the certificate. 

The certificate needs to be renewed periodically.

Let's Encrypt is a fully dependable free SSL certificate. For a normal website (on which you do not do monetary transactions or share confidential details), this basic certificate is good enough.

By the way, if your blog is on the WordPress, Blogger, Tumblr or Medium free blogging platform, you need not bother about HTTPS security. On WordPress and the others it comes automatically, while on Blogger there is an option to turn on HTTPS (go to Settings> HTTPS Redirect).