What is HTTPS?
Hypertext transfer protocol secure (HTTPS) is the secure version of HTTP, the primary protocol used to send data between a web browser and a website. HTTPS is encrypted to increase the security of data transfer. This is particularly important when users transmit sensitive data by logging into a bank account, email service, or health insurance provider.
Any website, especially those that require login credentials, should use HTTPS. In modern web browsers such as Chrome, websites that do not use HTTPS are marked differently than those that do. Look for a padlock in the URL bar to signify the webpage is secure. Web browsers take HTTPS seriously; Google Chrome and others flag all non-HTTPS websites as insecure.
How does HTTPS work?
HTTPS uses an encryption protocol to encrypt communications. The protocol is called Transport Layer Security (TLS), formerly Secure Sockets Layer (SSL). This protocol secures communications by using an asymmetric public key infrastructure.
This type of security system uses two keys to encrypt communications between two parties:
- The private key - the website owner controls this key, and it’s kept private, as the reader may have speculated. This key lives on a web server and is used to decrypt information encrypted by the public key.
- The public key is available to everyone who wants to interact securely with the server. Information encrypted by the public key can only be decrypted by the private key.
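A toy demonstration of the key-pair property described in the two items above, added here as an example and not taken from the original page. It is textbook RSA without padding, built from fixed, publicly known primes so the run is reproducible; the function names are hypothetical, and the plaintext is the sample sentence this page uses in its own encryption example.

```python
# Textbook RSA for illustration only: no padding, and the primes are
# well-known Mersenne primes rather than secret random ones. A real key
# comes from a vetted cryptographic library.
P = 2**521 - 1
Q = 2**607 - 1
E = 65537  # public exponent


def make_keypair(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: inverse of e modulo phi
    return (n, e), (n, d)


def encrypt(public_key, message: bytes) -> int:
    """Encrypt with the public key; anyone may do this."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def decrypt(key, ciphertext: int) -> bytes:
    """Apply a key's exponent to the ciphertext and return the bytes."""
    n, exponent = key
    m = pow(ciphertext, exponent, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def demo():
    public_key, private_key = make_keypair()
    message = b"This is a string of text that is completely readable"
    ciphertext = encrypt(public_key, message)
    with_private = decrypt(private_key, ciphertext)  # the server's key
    with_public = decrypt(public_key, ciphertext)    # the wrong key
    return message, with_private, with_public


if __name__ == "__main__":
    message, with_private, with_public = demo()
    print("private key recovers the message:", with_private == message)
    print("public key recovers the message: ", with_public == message)
```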
Why is HTTPS important? What happens if a website doesn’t have HTTPS?
HTTPS prevents websites from having their information broadcast in a way that’s easily viewed by anyone snooping on the network. When information is sent over regular HTTP, the information is broken into packets of data that can be easily “sniffed” using free software. This makes communication over an insecure medium, such as public Wi-Fi, highly vulnerable to interception. All communications over HTTP occur in plain text, making them highly accessible to anyone with the correct tools and vulnerable to on-path attacks.
With HTTPS, traffic is encrypted such that even if the packets are sniffed or otherwise intercepted, they will come across as nonsensical characters. Let’s look at an example:
Before encryption:
This is a string of text that is completely readable
After encryption:
ITM0IRyiEhVpa6VnKyExMiEgNveroyWBPlgGyfkflYjDaaFf/Kn3bo3OfghBPDWo6AfSHlNtL8N7ITEwIXc1gU5X73xMsJormzzXlwOyrCs+9XCPk63Y+z0=
In websites without HTTPS, it is possible for Internet service providers (ISPs) or other intermediaries to inject content into webpages without the approval of the website owner. This commonly takes the form of advertising, where an ISP looking to increase revenue injects paid advertising into their customers' web pages. Unsurprisingly, when this occurs, the website owner keeps the profits from the advertisements and controls the quality of those advertisements. HTTPS eliminates the ability of unmoderated third parties to inject advertising into web content.
What port does HTTPS use?
HTTPS uses port 443. This differentiates HTTPS from HTTP, which uses port 80.
(In networking, a port is a virtual software-based point where network connections start and end. All network-connected computers expose several ports to enable them to receive traffic. Each port is associated with a specific process or service, and different protocols use different ports.)
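An added example (not from the original page) that turns three points above into a check a site owner can run on their own pages: login forms should submit over HTTPS, content fetched over plain HTTP can be altered in transit, and the scheme decides the default port (80 or 443). The function names, finding labels and `example.test` hosts are assumptions made for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def effective_port(url):
    """Explicit port if given, else the scheme's default (80 or 443)."""
    parts = urlsplit(url)
    return parts.port or DEFAULT_PORTS.get(parts.scheme)

class Collector(HTMLParser):
    """Records forms as [action, has_password] and subresource URLs."""
    def __init__(self):
        super().__init__()
        self.forms, self.resources = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append([a.get("action") or "", False])
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self.forms:  # simplification: credit the most recent <form>
                self.forms[-1][1] = True
        elif tag in ("script", "iframe", "img") and a.get("src"):
            self.resources.append((tag, a["src"]))

def audit(page_url, html):
    """Return (finding, url, port) tuples for one page."""
    c = Collector()
    c.feed(html)
    findings = []
    for action, has_password in c.forms:
        target = urljoin(page_url, action)  # an empty action posts to the page
        if has_password and urlsplit(target).scheme != "https":
            findings.append(("cleartext-login", target, effective_port(target)))
    if urlsplit(page_url).scheme == "https":
        for tag, src in c.resources:
            url = urljoin(page_url, src)
            if urlsplit(url).scheme == "http":  # fetched without encryption
                findings.append(("mixed-" + tag, url, effective_port(url)))
    return findings

# Constructed sample pages; the example.test hosts are placeholders.
SAMPLES = [
    ("http://shop.example.test/login", '<form action="/session"><input type="password"></form>'),
    ("https://shop.example.test/login", '<form action="http://shop.example.test:8080/session">'
     '<input type="password"></form><script src="http://cdn.example.test/a.js"></script>'),
]

if __name__ == "__main__":
    for url, html in SAMPLES:
        print(url, audit(url, html))
```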
How else is HTTPS different from HTTP?
Technically speaking, HTTPS is not a separate protocol from HTTP. It simply uses TLS/SSL encryption over the HTTP protocol. HTTPS occurs based upon transmitting TLS/SSL certificates, which verify that a particular provider is who they say they are.
When a user connects to a webpage, the webpage will send over its SSL certificate, which contains the public key necessary to start the secure session. The two computers, the client and the server, then go through a process called an SSL/TLS handshake, which is a series of back-and-forth communications used to establish a secure connection.
Read about what happens in a TLS handshake to dive deeper into encryption and the SSL/TLS handshake.
How does a website start using HTTPS?
Many website hosting providers and other services will offer TLS/SSL certificates for a fee. These certificates will often be shared amongst many customers. More expensive certificates can be individually registered to particular web properties.
All websites using Cloudflare receive HTTPS for free using a shared certificate (the technical term for this is a multi-domain SSL certificate). Setting up a free account guarantees a web property receives updated HTTPS protection. You can also explore our paid plans for individual certificates and other features. In either case, a web property receives all the benefits of using HTTPS.
Frequently Asked Questions For HTTPS
What is HTTPS and how does it work?
HTTPS is a protocol that encrypts your data as it passes from your browser to the server. HTTPS works by encrypting all data from your browser to the server it connects with - so if you want to send data over HTTPS, then all of it has to be encrypted before it gets sent on its way.
Why is HTTPS used more?
It is used for secure communication between you and your website. It also prevents any other party from accessing it while you are browsing through a website.
What is the difference between HTTP and HTTPS?
The difference between HTTP and HTTPS is significant because it makes it more difficult for hackers to steal information from your website.
If you are using HTTP, they can easily see what you are doing on your website and how you are communicating with your clients.
If you use HTTPS, they will be unable to see what you are doing on your website and how you communicate with your clients. While this may not seem like a big deal at first glance, there are some significant implications for businesses that use HTTP-based websites.