The difference between HTTP and HTTPS
When you open a website, the browser and server exchange data.
The basic mechanism used for this Web exchange is HTTP, and HTTPS is the mechanism for carrying out that HTTP communication safely.
HTTPS is not simply "a mechanism for encrypting communication content." What matters is that it makes it easier to prevent eavesdropping, tampering, and impersonation by third parties along the communication path.
For that reason, the following three points are especially important in HTTPS.
- Make communication content harder to read in transit
- Make communication content harder to tamper with in transit
- Make it easier to confirm that the party you are communicating with is the intended party
In other words, HTTPS is a very important mechanism as a countermeasure against man-in-the-middle attacks.
However, HTTPS is not an anonymization technology. Even when HTTPS is used, access still reaches the destination website. Also, the source IP address, cookies, login state, access logs, and similar information remain separate issues.
This article organizes the difference between HTTP and HTTPS, what HTTPS protects, and what may still be visible even with HTTPS.
What HTTP is
HTTP is a communication protocol for exchanging data on the Web.
When you open a website in a browser, the browser sends a request to the server. For example, it requests things like "Please send this page's HTML" or "I want to retrieve this image."
The server returns data such as HTML, images, CSS, and JavaScript in response to that request.
HTTP is the mechanism used for this kind of request-response exchange between browser and server.
HTTP itself is fundamental to Web communication. However, HTTP alone has no mechanism for protecting communication content.
With HTTP, communication content is not encrypted. For that reason, a third party on the communication path may be able to read the content, rewrite it, or act as a fake counterpart.
| HTTP weakness | Description |
|---|---|
| Weak against eavesdropping | Because communication content is not encrypted, there is a risk that it can be read in transit |
| Weak against tampering | Page content or submitted content may be rewritten during communication |
| Weak against impersonation | It is hard to confirm that the communication partner is truly the intended server |
For example, if you submit a password through an HTTP login form, that password may be seen during communication. There is also a risk that the content of a page loaded over HTTP could be rewritten in transit and a fake input form or malicious script inserted.
HTTP is the foundation of Web communication, but as-is it has major security problems.
What HTTPS is
HTTPS is a mechanism for carrying HTTP communication inside a secure communication channel.
More precisely, HTTPS uses HTTP on top of a secure communication layer called TLS. This article does not cover the detailed mechanism of TLS, but for understanding HTTPS it is easiest to think of it as "protecting HTTP communication content with TLS."
The following three points are important in HTTPS.
| Element | Role | Description |
|---|---|---|
| Encryption | Make communication content harder to read | Prevent a third party in transit from reading passwords or form contents as-is |
| Tamper detection | Make it possible to notice rewriting of communication content | If data is changed in transit, make it harder to accept it as valid communication |
| Communication partner verification | Confirm whether you are communicating with the intended party | Use certificates and similar mechanisms to confirm that the destination server is legitimate |
The strength of HTTPS is that these three are combined.
Encryption alone is not enough. For example, even if communication content is encrypted, if an attacker can act as a fake server and make the user connect to that fake server, it cannot be called safe.
For that reason, HTTPS uses mechanisms not only to protect communication content, but also to confirm that the party being communicated with is the intended website.
The difference between HTTP and HTTPS
The difference between HTTP and HTTPS is not only the visible difference of whether the URL is http[:]// or https[:]//.
With HTTP, communication between the browser and server is not protected. With HTTPS, a secure communication channel is created between the browser and server, and HTTP exchanges happen inside it.
| Item | HTTP | HTTPS |
|---|---|---|
| URL beginning | http[:]// | https[:]// |
| Communication content encryption | Not encrypted | Encrypted |
| Protection against eavesdropping on communication content | Weak | Strong |
| Protection against tampering with communication content | Weak | Easier to detect tampering |
| Communication partner verification | Basically weak | Uses certificates and similar mechanisms for verification |
| Resistance to man-in-the-middle attacks | Low | High |
| Anonymization | Not provided | Not provided |
Understanding HTTPS as "HTTP with encryption added" is a little insufficient. More accurately, it is a mechanism that wraps HTTP communication in a secure communication channel and makes eavesdropping, tampering, and impersonation harder.
What a man-in-the-middle attack is
A man-in-the-middle attack is an attack in which a third party inserts itself between the browser and server, then eavesdrops on communication, rewrites it, or acts as a fake counterpart.
Even if the user thinks they are accessing the real website, an attacker in the middle of the communication may be seeing the content. The attacker may also rewrite communication content and insert a fake login form or malicious code.
HTTP is weak against this kind of attack.
With HTTPS, communication content is encrypted, tampering is detected, and the communication partner is verified. This makes it harder for a man-in-the-middle attack to succeed.
| What the attacker wants to do | With HTTP | With HTTPS |
|---|---|---|
| Read communication content | There is a risk it can be read | It is difficult to read as plaintext |
| Steal a password by eavesdropping | High risk | Harder to eavesdrop on during communication |
| Rewrite page content | There is a risk it can be rewritten | Tampering is easier to detect |
| Make the user connect to a fake server | Hard for the user to notice | Easier to prevent through certificate verification |
| Impersonate the communication partner | Relatively easy | Difficult without a legitimate certificate |
This is the essence of HTTPS.
It is important not only that "communication content is encrypted," but also that it can confirm "whether content has been rewritten in transit" and "whether the party being communicated with is the intended party."
What HTTPS protects
The main thing HTTPS protects is the HTTP communication content flowing between the browser and server.
For example, HTTPS makes the following kinds of information harder to read during communication.
| Protected item | Description |
|---|---|
| Password | A password entered into a login form becomes harder to read in transit |
| Form input content | Names, email addresses, inquiry contents, and similar content become harder to read in transit |
| Page content | Displayed page content becomes harder to read or tamper with in transit |
| Request content | Content sent from the browser to the server is easier to protect |
| Response content | Content returned from the server to the browser is easier to protect |
| Cookie | Cookies sent and received during communication become harder to eavesdrop on in transit |
Passwords and cookies are especially important.
Cookies may be used to maintain login state or identify users. If a cookie is stolen during communication, in some cases there is a risk that someone could access the site while impersonating the user.
With HTTPS, cookies are also sent inside the encrypted communication channel, so they become harder to eavesdrop on during communication.
However, using HTTPS does not solve every cookie-related problem. How cookies are stored, site-side settings, the browser environment, device security, and similar issues remain separate problems.
Even with HTTPS, content reaches the destination server
HTTPS protects content from third parties in transit. It is not a mechanism for hiding content from the destination website.
For example, if you enter a password into an HTTPS login form, the password becomes harder to read in transit. However, that information reaches the website server that performs the login process.
This is natural. For the server to perform login processing, it must receive the sent information.
The scope protected by HTTPS is mainly the communication path.
| Target | Role of HTTPS | Description |
|---|---|---|
| Third parties in transit | Strongly defended against | Makes eavesdropping, tampering, and impersonation harder |
| Destination server | Communication counterpart | Request content reaches the server |
| User's IP address | Not directly hidden | HTTPS alone does not hide the source IP address |
| Logged-in account | Not directly hidden | Actions while logged in connect to the account |
In other words, HTTPS is "a mechanism for preventing eavesdropping and tampering in the middle." It is not "a mechanism for hiding your information from the destination."
What may still be visible even with HTTPS
Even when HTTPS is used, not all information is hidden.
Communication content is protected. However, information about the source of access, information about the destination, and information received by the website side are separate issues.
| Information | Party that may see it | Description |
|---|---|---|
| Source IP address | Destination server and similar parties | The website side can understand which IP address accessed it |
| Access time | Destination server and similar parties | When access occurred may be recorded as a log |
| Request content | Destination server | Even with HTTPS, content reaches the destination server |
| Cookie | Destination website | May be used to identify the same user or browser |
| Login state | Destination website | If logged in, actions connect to the account |
| Access logs | Destination website | Which pages were viewed and which operations were performed may be recorded |
| Browser information | Destination website | Information such as User-Agent may be sent |
| Information about the destination | Depends on the communication environment | Even if communication content is encrypted, which site is being connected to may be inferred in some cases |
The important point here is to separate "communication content" from "the fact of communication."
HTTPS protects communication content. However, it does not automatically hide information such as which IP address access came from, when access occurred, or which account is logged in.
Also, with HTTPS the full URL is not exposed to third parties: page paths, form contents, and similar data travel as protected communication content. On the other hand, information about the destination domain name may still be visible, depending on the communication environment.
For this reason, using HTTPS does not mean that access traces and identifying information disappear.
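To make the contrast concrete, here is an added Python example (not part of the original article) that parses what a passive observer on the path recovers from a constructed plaintext HTTP login request, and what the same observer recovers from the first record of a constructed HTTPS handshake, assuming the handshake does not encrypt the server name, which is the common case. The host name, capture bytes, and cookie value are all constructed.

```python
import struct
from urllib.parse import parse_qs
# Constructed sample: a login form submitted over plain HTTP, as captured on the path.
HTTP_CAPTURE = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Cookie: session=abc123\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 29\r\n\r\n"
    b"user=alice&password=secret123"
)

def observe_http(capture: bytes) -> dict:
    """Everything an on-path observer recovers from a plaintext HTTP request."""
    head, _, body = capture.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode().split("\r\n")
    _method, path, _version = request_line.split(" ")
    headers = dict(line.split(": ", 1) for line in header_lines)
    form = {k: v[0] for k, v in parse_qs(body.decode()).items()}
    return {"host": headers.get("Host"), "path": path,
            "cookie": headers.get("Cookie"), "password": form.get("password")}

def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS ClientHello record whose only extension is server_name (SNI)."""
    name = hostname.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # server_name_list: one host_name entry
    ext = struct.pack("!HH", 0, len(sni)) + sni                       # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                                   # legacy version + client random (zeros, constructed)
            + b"\x00"                                                 # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                      # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                             # compression methods: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def observe_tls(record: bytes) -> dict:
    """What the same observer gets from the first HTTPS record: the destination name only."""
    body = record[9:]                                    # skip 5-byte record header + 4-byte handshake header
    pos = 2 + 32                                         # legacy version + random
    pos += 1 + body[pos]                                 # session id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher suites
    pos += 1 + body[pos]                                 # compression methods
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos, sni = pos + 2, None
    while pos < ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        if ext_type == 0:                                # server_name: list_len(2) type(1) name_len(2) name
            name_len = int.from_bytes(body[pos + 7:pos + 9], "big")
            sni = body[pos + 9:pos + 9 + name_len].decode()
        pos += 4 + ext_len
    return {"host": sni, "path": None, "cookie": None, "password": None}
```

The path, cookie, and password that are plainly readable in the HTTP capture never appear in the HTTPS record; only the destination name does, which is exactly the "fact of communication" the article separates from "communication content".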
HTTPS is not an anonymization technology
HTTPS is not an anonymization technology.
The main purposes of HTTPS are the following three points.
- Make communication content harder to read in transit
- Make communication content harder to tamper with in transit
- Make it easier to confirm that the communication partner is the intended party
This is separate from anonymization.
When thinking about anonymity, it is necessary to separate "whether communication content is protected" from "whether the person who accessed it is hidden."
HTTPS is strongly related to the former. However, it does not directly solve the latter.
| Viewpoint | Can HTTPS solve it? | Description |
|---|---|---|
| Protection against eavesdropping on communication content | Strong on the communication path | Makes content harder to read in transit |
| Protection against tampering with communication content | Strong on the communication path | Makes content harder to rewrite in transit |
| Communication partner verification | Yes | Uses certificates and similar mechanisms to verify the destination |
| Hiding the IP address | No | HTTPS alone does not hide the source IP address |
| Identification through cookies | No | Website-side identification remains a separate issue |
| Hiding login state | No | Actions while logged in connect to the account |
| Deletion of access logs | No | Website-side log storage is separate from HTTPS |
The idea that "HTTPS means anonymous" is wrong.
HTTPS is a technology for making communication safer. It is not a technology for creating anonymity.
Viewpoints for understanding HTTPS correctly
To understand HTTPS correctly, you need to separate who is being protected, what is being protected, and from whom.
The main target HTTPS protects against is third parties on the communication path.
For example, it makes it easier to prevent a third party on the same Wi-Fi, devices on the communication path, or a malicious intermediary from eavesdropping on communication content, tampering with it, or acting as a fake counterpart.
On the other hand, the destination website is the final counterpart of the communication. For that reason, the content you send reaches the website side.
| Party | What HTTPS makes easier to prevent | What HTTPS cannot prevent |
|---|---|---|
| Third party in transit | Eavesdropping, tampering, impersonation | Compromise of the device itself |
| Destination website | Leakage during communication | Site-side log recording and account identification |
| Users on the same Wi-Fi | Eavesdropping on communication content | Inference of which sites are visited is not necessarily eliminated |
| Fake server | Easier to detect without a legitimate certificate | Risk if the user ignores warnings |
HTTPS is a very powerful mechanism, but it is not universal.
For example, if the browser displays a certificate warning and the user ignores it and proceeds, the safety provided by HTTPS drops significantly. Also, if the device itself is infected with malware, input content may be stolen on the device side even while HTTPS is used for communication.
HTTPS provides strong defense against eavesdropping, tampering, and impersonation on the network. However, device security, website-side management, account handling, cookies, logs, and similar issues need to be considered separately.
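The "user ignores the warning" case has a direct equivalent in client code. The following added Python example (not from the original article) shows a TLS client context that verifies the communication partner the way a browser does, beside the configuration that silently accepts any certificate; the helper names and the connection function are this example's own.

```python
import socket
import ssl

def hardened_context() -> ssl.SSLContext:
    """Client context that performs the checks a browser does before showing a page:
    validate the certificate chain against trusted CAs and require the certificate
    to name the host that was dialled."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def warning_ignored_context() -> ssl.SSLContext:
    """The programmatic equivalent of clicking through a certificate warning: any
    certificate, from anyone, for any name, is accepted. Encryption still happens,
    but the partner is no longer verified, so a fake server is indistinguishable
    from the real one. Shown for contrast only; do not use in production code."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                  # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def verifies_partner(ctx: ssl.SSLContext) -> bool:
    """True only if the context would reject an untrusted or mis-named certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

def fetch_head(host: str, ctx: ssl.SSLContext) -> bytes:
    """Open an HTTPS connection with the given context and send a minimal request.
    Needs network access; the functions above are self-contained."""
    with socket.create_connection((host, 443)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:   # server_hostname drives SNI and name checking
            tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
            return tls.recv(4096)

if __name__ == "__main__":
    # Placeholder host; replace with a real one to try it. With the hardened context a
    # mis-named or untrusted certificate raises ssl.SSLCertVerificationError instead of connecting.
    print(fetch_head("example.test", hardened_context()))
```

A review check that catches this class of mistake is simply looking for `verify_mode = CERT_NONE`, `check_hostname = False`, or an equivalent `verify=False` argument in HTTP client code.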
Summary
HTTP is the basic mechanism for exchanging data on the Web. However, with HTTP alone, communication content is not encrypted, and there is a risk of eavesdropping or tampering during communication.
HTTPS is a mechanism for performing HTTP communication inside a secure communication channel.
The important roles of HTTPS are the following three points.
- Make communication content harder to read in transit
- Make communication content harder to tamper with in transit
- Make it easier to confirm that the party you are communicating with is the intended party
For this reason, HTTPS is very important as a countermeasure against man-in-the-middle attacks.
However, HTTPS is not an anonymization technology. Even when HTTPS is used, requests reach the destination website. Also, the source IP address, cookies, login state, access logs, and similar information remain separate issues.
HTTPS is a technology for making communication safer. It is especially important for preventing eavesdropping, tampering, and impersonation on the communication path.
However, it is not a technology for hiding who accessed a site.
When thinking about anonymity, you need to separate the scope protected by HTTPS from the scope HTTPS does not protect. HTTPS is an important premise, but HTTPS alone does not establish anonymity.