How Does HTTPS Work to Keep Us Safe? (HTTP vs HTTPS Explained)
You’ve probably seen HTTPS so many times that it seems almost meaningless, but nothing could be further from the truth. Today, we’ll teach you why HTTPS is far superior to HTTP in terms of cybersecurity, and show you how to further boost your privacy online with a VPN provider.
How do we know what’s safe on the internet or if sites are secure when we make payments or put personal information online? Today we’ll tell you what HTTPS is and why it’s different from HTTP. We’ll also answer the question “how does HTTPS work” and how it keeps you safe.
HTTP makes the internet run. Every computer and every device that goes online takes advantage of this decades-old protocol to send and receive data with servers located around the world. It’s such an intricate part of our online experience that we often forget the letters are at the beginning of every website address.
In recent years a modified version of HTTP has been gaining popularity. HTTPS secures the normally raw, open data transmitted by HTTP, allowing servers and clients to communicate with a level of guaranteed privacy. At the time of writing, over 51% of the top million websites offer a secured HTTPS version of their site, and that number is constantly on the rise. It’s great news for privacy advocates and casual web surfers alike.
Don’t rely on your browser alone to safeguard your privacy online, though. Use a secure VPN, too:
- NordVPN – Best Browser Security – Whether you opt for NordVPN’s standalone app or one of its browser extensions, you’ll be well-equipped to fend off cybersecurity threats thanks to this provider’s unbreakable encryption.
- Surfshark – Advanced privacy provisions available at an affordable price. Unlimited simultaneous connections.
- ExpressVPN – The premium choice for anyone in need of the fastest VPN speeds. Kill switch, dynamic IPs.
- IPVanish – An easy recommendation for torrenting and streaming anonymously.
The details of SSL connections and cryptographic keys are enough to make anyone’s head spin. Understanding the basics of how HTTPS connections work doesn’t take a computer science degree, however. Keep reading for a brief explanation of HTTPS and how it makes all of our online lives safer and more secure.
HTTP – How the Internet Works
Anybody who’s ever used the internet is familiar with those four letters. HTTP stands for Hypertext Transfer Protocol, a distributed system of communication that links code together to make the internet function. In essence, HTTP coordinates the exchange of all the bits of code that create the internet, everything from HTML websites to PHP pages, JavaScript, and beyond. Whenever you load a web page, HTTP ensures you get the data you requested and that it all makes sense to your computer.
To get a little more technical, HTTP transfers data using TCP (Transmission Control Protocol), another protocol that forms the foundation of the web. Data is broken into packets before being sent, each of which is stamped with your computer’s IP address, which functions a lot like a mailing address. Through HTTP sending data via TCP, your online activity gets broken down, sent into the world, then brought back and re-assembled in your web browser.
The Problem with HTTP: It Isn’t Secure
HTTP was developed in 1989 and has formed the backbone of the internet ever since. It’s fast and efficient and does its job quite well, but there’s one major shortcoming a lot of users have started to worry about in recent years.
HTTP is inherently insecure. Everything the protocol sends and receives travels in plain text, making it extraordinarily easy to intercept. There’s nothing built into HTTP that prevents any random computer from taking a look at what’s being transferred. It’s a lot like having a telephone conversation in a crowded room. Everybody can hear what you’re saying; all they have to do is start listening.
HTTPS: Making HTTP Secure
HTTPS works in fundamentally the same way as HTTP, but that “S” on the end makes a huge difference for the end user. The S stands for Secure, and it’s shorthand for a method of sending HTTP requests with a layer of SSL/TLS security on top, encrypting the data to prevent eavesdroppers. Even if someone intercepted packets they wouldn’t be able to break the encryption or read the information, making HTTPS an extremely effective method of securing internet traffic.
Let’s break the above statement down a little bit. TLS stands for Transport Layer Security. SSL stands for Secure Sockets Layer, which is the predecessor of TLS. Both are frequently referred to as SSL and are widely used cryptographic protocols that provide an easy method of adding encryption to a variety of activities. They’re also used by VoIP programs to authenticate transmissions, web browsers to secure data, and VPNs to create makeshift network tunnels to quickly secure user traffic.
When incorporated into HTTPS, SSL acts as an encryption companion that secures and verifies everything the HTTP protocol is transmitting. SSL essentially rides along with each packet of data and decrypts it only when it reaches its intended destination. The server and the computer handle everything exactly as before, but if a third party picks up any of the packets, they won’t be able to decrypt the data.
How HTTPS Works
Now that you’ve got a basic background, let’s look at what goes on during a typical HTTPS session. The first thing that happens is establishing a secure SSL connection. This begins with a quick handshake between the client (your computer, smartphone, etc.) and the server. The goal of this is to verify each other’s identity and agree upon encryption protocols, setting things up for an impending data transmission.
If an SSL handshake were a conversation, it might play out something like this:
- CLIENT: I’m looking for Server #SS1978-IJ56. Is that you?
- SERVER: Yes. Are you the client I’m supposed to be working with?
- CLIENT: Yes. Let’s use Encryption Method 742 to chat.
- SERVER: 742, no problem.
The handshake serves as a brief introduction. No data is transmitted during this process; it’s just a quick superficial nod to make sure both parties are who they should be. The next part of the process is where the server and the client verify their identities and actually start exchanging information. This is still just the SSL part of the interaction, by the way. HTTP is waiting to do its job once SSL gives it the go-ahead.
After the handshake, the following steps take place, in order:
- Greeting – This phase is somewhat similar to the handshake, only now that the client/server identities are established, they can actually send data to each other. Verification begins with the client sending the equivalent of a hello message. This encrypted message contains all the information the server will need to communicate with the client via SSL, including encryption keys. The server then sends its own hello message back, containing similar information the client needs in order to hold up its end of the communication.
- Certificate swap – Now that the server and client are ready to communicate securely, they need to verify their identities. This is a crucial step that ensures third parties can’t pretend to be the intended server, which is what keeps encryption keys out of their hands. This is accomplished through an SSL certificate swap between the client and the server, roughly the equivalent of showing someone your ID in real life. SSL certificates contain data like the party’s domain name, its public key, and who owns the device. These are checked against a centralized Certificate Authority (CA) source to make sure they’re valid. CAs issue these certificates, which helps keep them out of malicious third-party hands.
- Key swap – Everyone knows who everyone else is, encryption protocols have been agreed upon, so it’s finally time to get started. The key swap begins with the client (your device) generating a cipher key to use in a symmetrical algorithm. This means the encrypted data can be unlocked and fully accessed by anyone with the key, hence the symmetry. Since the key styles were agreed upon during the verification phase, all the client has to do is share the key and the two parties can communicate efficiently and securely.
All of these phases with SSL verification and data swapping seem like a lot of extra steps, but they’re crucial to establishing a secure connection between the right computers. Without verifying identities, other computers can steal data and decrypt it. Without verifying encryption methods, other computers can share fake keys and gain access to data. Only with all of these pre-sharing steps can the HTTP transfer take place securely.
Once the SSL portion of the transfer takes place, HTTP steps in and does its thing. Here data is broken into packets, labeled with your IP address, stuffed inside the SSL envelope and sent along their way. SSL ensures only the client and the intended server can read the information being sent. The process is completed thousands of times for each request, and it happens in a fraction of a second.
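As an added illustration (not code from the original article), the Python sketch below uses only the standard library to build the hello message a real TLS client opens the handshake with, without touching the network, and then parses out the server name it asks for and the encryption methods it offers. The host name example.com is a placeholder.

```python
import ssl
import struct

# Names for the three TLS 1.3 suite IDs (IANA registry); others print as hex.
SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}

def build_client_hello(server_name):
    """Return the bytes a TLS client would send first; no network is used."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client has queued its hello and awaits a reply
    return outgoing.read()

def parse_client_hello(raw):
    """Parse one TLS record holding a ClientHello, read straight from its bytes."""
    if len(raw) < 9:
        raise ValueError("too short for a TLS handshake record")
    rec_type, _, rec_len = struct.unpack("!BHH", raw[:5])
    body = raw[5:5 + rec_len]
    if rec_type != 22 or rec_len < 4 or len(body) != rec_len or body[0] != 1:
        raise ValueError("not a complete ClientHello record")
    pos = 4 + 2 + 32                      # handshake header, version, random
    pos += 1 + body[pos]                  # session id
    (n,) = struct.unpack_from("!H", body, pos)
    suites = struct.unpack_from("!%dH" % (n // 2), body, pos + 2)
    pos += 2 + n
    pos += 1 + body[pos]                  # compression methods
    (ext_total,) = struct.unpack_from("!H", body, pos)
    pos, end = pos + 2, pos + 2 + ext_total
    info = {"cipher_suites": list(suites), "server_name": None, "versions": []}
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + ext_len]
        if ext_type == 0:                 # server_name: list len, type, name len
            (name_len,) = struct.unpack_from("!H", data, 3)
            info["server_name"] = data[5:5 + name_len].decode("ascii")
        elif ext_type == 43:              # supported_versions: 1-byte list length
            count = data[0] // 2
            info["versions"] = list(struct.unpack_from("!%dH" % count, data, 1))
        pos += 4 + ext_len
    return info

if __name__ == "__main__":
    hello = parse_client_hello(build_client_hello("example.com"))
    print("server name:", hello["server_name"])
    for suite in hello["cipher_suites"]:
        print("offers:", SUITE_NAMES.get(suite, hex(suite)))
```

The exact list of offered suites depends on the OpenSSL build behind your Python installation.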
HTTPS in Your Browser
You’ve probably seen your browser display a little padlock icon in the URL bar from time to time. This simply means the site is secured with HTTPS. It normally happens with sites that legitimately collect private data, such as credit card information for online shopping, passwords for checking your e-mail, or anything involving banking or financial transactions. More and more websites are using HTTPS these days, however, which is great for online privacy in general.
HTTPS is done on the server’s side. In other words, you can’t force a site to use HTTPS if its servers aren’t set up to handle it. Many websites will only switch to HTTPS if your browser specifically demands it, and others will load unsecured content within HTTPS pages, which defeats the purpose entirely.
There’s a fantastic browser extension called HTTPS Everywhere that alleviates a lot of the above issues. The plug-in rewrites your browser requests to use HTTPS whenever it’s available. It can’t create a secure connection where none exists, and it doesn’t encrypt anything itself, but HTTPS Everywhere ensures you always take advantage of the extra security whenever possible.
VPN Encryption versus HTTPS
The word “encryption” is used a lot these days. At its core, encryption refers to using cryptography to generate incredibly complex mathematical puzzles that lock information packets in an unbreakable box. That box can only be opened with an equally complex cipher key, which is generated when the data packets are encrypted in the first place. There are a number of different encryption processes used in the modern internet, but the basic idea behind them is roughly the same.
Virtual private networks are always discussed in relation to the encryption they provide. In short, a VPN runs on your local device and encrypts everything before it’s sent through the internet. Data packets are unreadable as they travel to your ISP and to the VPN’s servers. At this point your local IP address is removed and replaced with an IP address associated with the VPN. The VPN carries out the data request on your behalf, then returns the information to your computer. The entire process takes place under the protection of encryption, and it also removes identifying data so it’s impossible to trace activity back to your computer.
HTTPS protocols and virtual private networks may sound similar, but in reality they’re two different technologies that attack the same problem from different angles. VPNs secure all traffic between your computer and the internet. They also anonymize data to make it harder to trace your online activity. HTTPS only secures traffic between one website and your computer, with no measures taken to add anonymity. Even if you’re accessing a site secured with HTTPS, a VPN offers extra features to keep your data safe.
How to Choose a Secure VPN
HTTPS does an amazing job securing the connection between your device and a single website. Not all sources are protected by this server-side encryption, however, and even when they are there’s a chance an unsecured link can find its way into the site and threaten your privacy. To keep your online activity secure, you should always use a VPN.
Choosing the right VPN seems like a complicated process. There are all sorts of features to compare, prices to consider, encryption strengths to contrast, and so on. Below are some of the criteria to focus on when researching the best VPN for secure online browsing. We’ve also included a few recommendations to help get you started.
- Encryption strength – The complexity of a VPN’s encryption protocols can make a big difference in your privacy. Most providers deliver 128-bit or 256-bit AES encryption, which is perfect for almost all online activities.
- Logging policy – All of your traffic passes through a VPN’s servers. If the company keeps detailed logs, there’s a chance your data could be given to a third party or government agency. The best VPNs have strict zero-logging policies that keep your info safe no matter what.
- Software support – To take advantage of a VPN, you need to run it on every device that connects to the internet. Most VPN services offer custom software for smartphones, tablets, laptops, and everything in-between. Make sure your devices are covered before signing up.
- Speed – A downside to encryption is that it adds data to each packet of information, effectively slowing your connection. The best VPNs work around this limitation to provide fast downloads without sacrificing privacy.
Most Powerful VPNs for Safer Browsing
Conducting your own market research can be exhausting, but when you’re looking for VPNs, you don’t need to reinvent the wheel. We’ve spent years researching and writing about VPNs, and the following providers stand out as the most secure for your money:
1. NordVPN
NordVPN is the most reliable VPN overall, with two outstanding features: a large server network, and lightning fast speeds. NordVPN operates over 5,800 servers in 59 countries, twice the size of most VPNs. This gives you a wide variety of options for selecting out-of-country IP addresses to access geo-restricted content. You’re also guaranteed a fast connection with NordVPN’s network, even if you take advantage of their unique double encrypted servers.
A few of NordVPN’s best features include an independently-verified zero-logging policy that covers everything from traffic to bandwidth, IP addresses, and time stamps; powerful censorship-busting features that break through harsh government filters like those in China; multi-hop encryption for the ultimate privacy at the expense of some speed; ready Netflix access worldwide.
Read our full NordVPN review.
Pros:
- Unblocks American Netflix
- Mind-boggling number of servers
- DNS leak protection, kill switch
- No logs and encrypted connections for total privacy
- Live Chat Support.
Cons:
- Not much
- Refund processing can take up to 30 days.
2. Surfshark
Surfshark is an affordable VPN which drastically improves the security of your browser. Rather than simply relying on HTTPS for bare-bones protections, you’ll enjoy the benefits of NSA-grade 256-AES-GCM encryption. This makes your data stream utterly indecipherable by third parties, and allows you to get past censorship and surveillance with ease.
Additionally, Surfshark’s server network is quite notable, as it is entirely RAM-based, and thus incapable of storing your usage metadata. That means you can connect to any of Surfshark’s 800+ servers across 50 countries to spoof your IP and unblock sites without ever leaving a trace behind. And if the site you’re accessing has a VPN-blocker in place, your app will fire up Camouflage, an obfuscation method which disguises your encrypted traffic as ordinary traffic.
There are never any logs kept by Surfshark per their policy, and they even accept Bitcoin payments for anyone who wants to truly divorce their identity from their activity online.
Pros:
- Robust servers blast through geoblocks to access your favorite streaming sites
- Unblock Netflix on any server, no more picking and choosing
- CleanWeb mode blocks ads and popups before they load, saving your mobile data and speeds
- Favorable BVI jurisdiction guarantees no logs kept
- Get help any time of day via email, phone, or live chat.
Cons:
- Overall, not much to complain about
- Young VPN still has plenty of room to grow in terms of advanced functionality.
Read our full Surfshark review.
3. ExpressVPN
ExpressVPN focuses on delivering incredible speeds to users around the world. Encryption often slows down VPN connections, and having servers located far from your home can increase lag. With ExpressVPN, both of those issues are minimized thanks to blazing fast hardware and a server network distributed across the globe. When coupled with unlimited bandwidth and no speed caps or throttling, you’ve got an incredible recipe for a strong and reliable VPN.
Other features from ExpressVPN include easy to use custom apps for Windows, Mac, Linux, Android, iOS, and more; great access to Netflix, even where other providers are completely blocked; 3,000+ servers in 94 countries worldwide; DNS leak protection and an automatic kill switch; powerful censorship-busting capabilities that even China’s Great Firewall can’t stop.
Read our full ExpressVPN review.
Pros:
- Unblocking Netflix, iPlayer, Hulu, Amazon Prime
- Fastest servers we have tested
- Torrenting/P2P allowed
- No logs for personal data
- Customer Service (24/7 Chat).
Cons:
- Expensive month-to-month plan.
4. IPVanish
Stopping censorship and providing user security are two of IPVanish’s biggest features. The service works to protect your privacy by delivering 256-bit AES encryption with all of its 1,300 servers in 60 different countries, adding in a thorough zero traffic logging policy to boot. You’ll always be able to find a reliable, fast connection with IPVanish, and with over 40,000 IP addresses to use, you’ll be able to bypass censorship filters and firewalls with ease.
IPVanish also comes with the following features:
- Incredibly easy to use software for PC, laptops, smartphones, Chromebooks, and tablets.
- Unlimited bandwidth, no speed caps, and no restrictions on P2P or torrent traffic.
- Secure, fast, and anonymous downloads ideal for torrent and Kodi users.
Read our full IPVanish review.
Conclusion
So now you should have the knowledge you need to understand HTTPS, and how to use it. These days, it’s more common than not to see websites displaying that little “s” in their URL bar, so keep a sharp eye out for sites that don’t. In conjunction with safe browsing habits, you can further bolster your privacy and security online with a VPN; we’ve recommended three of the best on the market so you don’t have to spend ages shopping around.
Got any questions about HTTPS, VPNs or any other security-related topic? Leave us a comment below!
If you need a VPN for a short while, when traveling for example, you can get our top ranked VPN free of charge. NordVPN includes a 30-day money-back guarantee. You will need to pay for the subscription, that’s a fact, but it allows full access for 30 days, and then you can cancel for a full refund. Their no-questions-asked cancellation policy lives up to its name.
I’ve used Nord and ExpressVPN. Honestly can’t go wrong with either