Lesson 6: Secure Internet protocols
HTTP Secure (HTTPS)
When we browse the web, who can see what we're reading? Who can see the text we type into forms?
With standard HTTP, many people can: attackers intercepting packets, ISPs monitoring traffic, government agencies tapping into the fiber cables that make up the backbone of the Internet. Using well-known exploits, they can read the contents of every website and even inject their own contents.
That's why websites increasingly use HTTPS (Hypertext Transfer Protocol Secure) to protect the privacy of their users and prevent tampering. HTTPS is also known as HTTP over TLS, because it's implemented by encrypting HTTP requests and responses with the TLS protocol.
HTTPS URLs
An HTTPS connection starts with the URL in the address bar. Standard HTTP connections have URLs that start with "http://". Secure HTTP connections have URLs that start with "https://".
⬆ Take a look at the address bar now. You should see a URL that starts with "https://www.khanacademy.org/". If it starts with "khanacademy.org/", try double clicking the address bar to see the full URL.
Of course, most users will just type the domain, like "khanacademy.org". Savvy users might even type a URL like "http://khanacademy.org". When a website supports HTTPS and wants to make sure that all of its users are served a secure connection, it should redirect all requests to the HTTPS version of its site.
🔍 Try typing in a few URLs of your favorite sites in a new tab and inspect the final URL in the address bar once the website loads. Did any of them redirect to HTTPS? Are any of them using HTTP that you really wish would use HTTPS?
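The redirect behaviour described above can also be checked hop by hop in code. This is an added example, not part of the original article; `audit_redirects`, `live_fetch`, `sample_fetch` and the `example.test` responses are names and data constructed here for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

def live_fetch(url):
    """Send one HEAD request without following redirects; return (status, Location)."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=10)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def audit_redirects(start_url, fetch=live_fetch, max_hops=10):
    """Follow redirects hop by hop and report which hops were unencrypted."""
    chain, url = [start_url], start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        url = urljoin(url, location)  # the Location header may be relative
        chain.append(url)
    schemes = [urlsplit(u).scheme for u in chain]
    return {
        "chain": chain,
        "ends_on_https": schemes[-1] == "https",
        "plaintext_hops": [u for u, s in zip(chain, schemes) if s == "http"],
        "downgraded": any(a == "https" and b == "http"
                          for a, b in zip(schemes, schemes[1:])),
    }

# Constructed responses so the example runs offline (example.test is a placeholder).
SAMPLE = {
    "http://example.test/": (301, "https://example.test/"),
    "https://example.test/": (200, None),
    "http://legacy.example.test/": (200, None),
}

def sample_fetch(url):
    return SAMPLE[url]

if __name__ == "__main__":
    print(audit_redirects("http://example.test/", fetch=sample_fetch))
```

`plaintext_hops` lists every request that travelled over plain HTTP, including the first one that carries the redirect itself. Leave out the `fetch` argument to run the same audit against a live site.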
HTTPS connections
When the browser loads a URL that starts with "https", it begins the process of setting up a secure connection over TLS. (Need a refresher on the process? Review our TLS article.)
Early in that process, the browser must verify the digital certificate of the domain. There are many ways a certificate can be invalid, and browsers will often display certificate errors.
Here's what it looks like when Chrome discovers a certificate was issued by a certificate authority that it doesn't trust:
If the certificate is valid and everything else goes smoothly in the TLS setup, most browsers will display a lock in the address bar. That lock indicates a secured connection over HTTPS.
Here's the lock icon for Firefox:
Clicking that lock icon yields even more information about the site's security:
The benefits of HTTPS
An HTTPS connection ensures that only the browser and the secured domain see the data in HTTP requests and responses. Onlookers can still see that a particular IP address is communicating with another domain/IP and they can see how long that connection lasts. But those onlookers can't see the content of the communication, which includes the full URL path, the webpage HTML, and any text submitted in forms. Right now, an onlooker may know you're visiting khanacademy.org, but they don't know you're reading an article about HTTPS.
HTTPS also prevents tampering with website content. When a website is served over a standard HTTP connection, the packets can be intercepted and their contents replaced. If an attacker or even a government agency intercepts visits to a news site, they can easily serve up fake news. TLS includes a mechanism to detect packet alterations, so HTTPS connections are resistant to tampering.
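To make the tamper-detection idea concrete, here is an added example (not from the original article) of a keyed integrity tag that covers a sequence number as well as the content. It is a simplified model rather than the TLS record format: the payload is left unencrypted for readability, and `Sender`, `Receiver` and `demo` are illustrative names.

```python
import hashlib, hmac, os, struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes

def _tag(key, seq, payload):
    # The tag covers a sequence number and length as well as the payload.
    header = struct.pack(">QI", seq, len(payload))
    return hmac.new(key, header + payload, hashlib.sha256).digest()

class Sender:
    def __init__(self, key):
        self.key, self.seq = key, 0
    def protect(self, payload):
        record = payload + _tag(self.key, self.seq, payload)
        self.seq += 1
        return record

class Receiver:
    def __init__(self, key):
        self.key, self.seq = key, 0
    def accept(self, record):
        payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        expected = _tag(self.key, self.seq, payload)
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            raise ValueError("bad record MAC")
        self.seq += 1
        return payload

def demo():
    key = os.urandom(32)  # stands in for a key agreed during the TLS handshake
    tx, rx = Sender(key), Receiver(key)
    r0 = tx.protect(b"<h1>Real headline</h1>")
    r1 = tx.protect(b"<p>Real story</p>")
    results = {"genuine": rx.accept(r0)}
    forged = r1.replace(b"Real", b"Fake")  # content edited in transit
    for name, record in (("tampered", forged), ("replayed", r0)):
        try:
            rx.accept(record)
            results[name] = "accepted"
        except ValueError:
            results[name] = "rejected"
    results["in_order"] = rx.accept(r1)  # the untouched record still verifies
    return results

if __name__ == "__main__":
    print(demo())
```

A real TLS endpoint closes the connection on the first failed check instead of carrying on as this demo does.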
Many organizations believe that every website should serve all connections over HTTPS, due to the massive benefits. As of February 2019, around half of the top million websites use HTTPS by default. Will that ever reach 100%? You can help us get there by asking your favorite websites to use HTTPS or becoming a security-savvy web developer yourself.
Want to join the conversation?
- Ummm…Can somebody explain the benefits of https easily?(8 votes)
- HTTPS is an extension of HTTP that allows for more secure network communication. HTTPS encrypts data in transit and helps to fend against both man-in-the-middle attacks and eavesdropping attacks.
https://en.wikipedia.org/wiki/Man-in-the-middle_attack
https://en.wikipedia.org/wiki/Eavesdropping#Network_attacks
The benefit is the increased security of the communication (HTTPS is used for the Internet, which billions of users interact with); if you send your credit card information across the Internet to an ecommerce website when making a purchase, you would want that information to be obscured for those attempting to intercept it. HTTPS helps you to achieve that obscurity.(14 votes)
- Can we manually set the browser to block all requests from a specific Website/Root CA?(7 votes)
- Yes, some browsers and devices allow you to set a custom list of trusted certificate authorities.(6 votes)
- What are the pros and cons of http/https?(4 votes)
- @Prodigy6 said the pros. I'll say the cons.
HTTPS is slower, and uses more energy. Because of the initial RSA, it also uses more memory(7 votes)
- How does http/https have anything to do with TLS? Because I think the article said that with https, you are on a TLS connection.(1 vote)
- With HTTP you are just sending standard HTTP requests and getting standard HTTP responses. With HTTPS you are implementing the TLS protocol on top of TCP/IP - meaning if the url has https at the start - you have that extra layer of security (which is TLS).(6 votes)
- Are there any other secure protocols that have been widely adopted over the net?
Also are there others that are even more secure that might be used for things like secure government communications? Or is RSA and TLS the best encryption that we have right now?(1 vote)
- Yes, there are other secure protocols, such as SSH (Secure Shell) which is used for things like remote logins and command line execution.
The government likely uses many of the same protocols that we do. It very well might have special protocols it has developed to be more secure as well, but I doubt the specifics of such would be publicly accessible information.
By the way, RSA is a specific type of encryption, while TLS is a cryptographic protocol used to establish a secure line of communication.(2 votes)
- Can you explain please?(1 vote)
- What are cookies used for(1 vote)
- Cookies track your activity in order to make your website experience more personalized and fitting to your wants and needs.(1 vote)
- what are benefits of HTTPS(1 vote)
- HTTPS means that the data is encrypted and is a lot harder to intercept. Never put personal info in on a site with just HTTP.(1 vote)
- What happens if they know that we are doing HTTP in Khan Academy?(1 vote)
- Does having HTTPS mean the website is valid and legitimate? In other words, does that little lock indicate that you can trust the website to provide them information?(1 vote)
- Having an HTTPS connection simply indicates that you have a secure connection to the indicated website. It does not guarantee that the website is trustworthy or imply that you should provide it with personal information.(1 vote)