8 min to read

Understanding HTTP and HTTPS Protocols

A comprehensive guide to HTTP, HTTPS, and SSL/TLS implementation

Featured image


Overview

HTTP (Hypertext Transfer Protocol) and HTTPS (Hypertext Transfer Protocol Secure) are protocols for transmitting data over the internet. Let’s explore their differences and implementation.


HTTP (Hypertext Transfer Protocol)

HTTP


Concept
  • Protocol defining data transfer between web browsers and servers
  • Supports HTML, images, video, audio, and other content types
  • Transmitted as unencrypted text (security vulnerable)
  • Default port: 80
  • URI format: http://example.com
Working Process
  • Client sends HTTP request message:
    • Contains HTTP method (GET, POST, PUT, DELETE)
    • Includes request URI
  • Server processes request and sends response:
    • Contains status code (200, 404, 500)
    • Includes response body
  • Client interprets response:
    • Processes received data
    • Makes additional requests if needed
HTTP Methods
Method Description Idempotent Safe
GET Request data from a resource Yes Yes
POST Submit data to be processed No No
PUT Update a resource or create if it doesn't exist Yes No
DELETE Remove a resource Yes No
PATCH Apply partial modifications to a resource No No
HEAD Same as GET but returns only headers Yes Yes
OPTIONS Returns supported methods for a resource Yes Yes
HTTP Status Codes
Category Example Description
1xx (Informational) 100 Continue Request received, continuing process
2xx (Success) 200 OK Request succeeded, normal response returned
3xx (Redirection) 301 Moved Permanently Resource has moved permanently
4xx (Client Error) 404 Not Found Resource not found on server
5xx (Server Error) 500 Internal Server Error Server encountered an error
Key Characteristics
  • Stateless protocol
  • No storage of previous requests/responses
  • Uses cookies/sessions for state management
  • Version evolution:
    • HTTP/1.0 (1996): One request per connection
    • HTTP/1.1 (1997): Persistent connections, pipelining
    • HTTP/2 (2015): Multiplexing, header compression, server push
    • HTTP/3 (2022): QUIC protocol, improved performance over unreliable connections


🔒 HTTPS (Hypertext Transfer Protocol Secure)

HTTPS


Concept
  • Secure version of HTTP
  • Uses SSL/TLS for encryption
  • Verifies server identity through certificates
  • Protects sensitive information
  • Prevents man-in-the-middle attacks
  • Default port: 443
  • URI format: https://example.com
  • Positive SEO impact (Google ranks secure sites higher)
SSL/TLS Overview
  • SSL: Developed by Netscape (1995)
  • TLS: Successor to SSL (1999)
  • Uses public key encryption
  • TLS recommended over SSL for security
  • Essential component of HTTPS
  • Version evolution:
    • SSL 2.0/3.0: Deprecated, considered insecure
    • TLS 1.0/1.1: Deprecated as of March 2021
    • TLS 1.2: Current widespread adoption
    • TLS 1.3: Latest version (2018), improved security and performance



TLS Handshake Process
  1. Client Hello: Client sends supported TLS versions, cipher suites, random number
  2. Server Hello: Server selects TLS version, cipher suite, sends random number
  3. Certificate: Server sends its SSL/TLS certificate
  4. Certificate Verification: Client verifies certificate against trusted CAs
  5. Key Exchange: Client generates pre-master secret, encrypts it with server's public key
  6. Server Acknowledgment: Server decrypts pre-master secret
  7. Session Keys Created: Both sides derive symmetric session keys
  8. Secure Communication: Data encrypted using session keys
Working Process
  • Client connects to HTTPS server
  • Client requests server's public key
  • Server sends SSL/TLS certificate
  • Client verifies certificate
  • Client generates session key
  • Client encrypts session key with server's public key
  • Server decrypts session key
  • Secure communication begins


📊 HTTPS Working Process Flowchart


graph TD; A[Client connects to HTTPS server] --> B[Client requests server's public key]; B --> C[Server sends SSL/TLS certificate]; C --> D[Client verifies certificate]; D --> E[Client generates session key]; E --> F[Client encrypts session key with server's public key]; F --> G[Server decrypts session key]; G --> H[Secure communication begins];


Modern HTTPS Security Features

HTTP Strict Transport Security (HSTS)
  • Forces browsers to use HTTPS only
  • Prevents downgrade attacks
  • Implementation via header: Strict-Transport-Security: max-age=31536000
Certificate Transparency (CT)
  • Public logs of issued certificates
  • Helps detect unauthorized certificates
  • Required by major browsers
Certificate Authority Authorization (CAA)
  • DNS record specifying which CAs can issue certificates
  • Example: example.com. CAA 0 issue "letsencrypt.org"
Content Security Policy (CSP)
  • Mitigates XSS and data injection attacks
  • Controls which resources can be loaded
  • Implementation via header: Content-Security-Policy: default-src 'self'


Implementation Guide: Apache SSL/HTTPS Certificate

1. Install OpenSSL and Enable SSL Module

# Install OpenSSL
sudo yum -y install openssl

# Verify installation
rpm -qa |grep openssl

# Install mod_ssl
yum install mod_ssl

# Check mod_ssl.so
cd /etc/httpd/modules/
ls mod_ssl*

2. Generate Private Key

openssl genrsa -des3 -out server.key 2048

3. Create Certificate Signing Request

openssl req -new -key server.key -out server.csr

# Required information:
Country Name: KR
State: Seoul
Locality: city
Organization: company
Unit: section
Common Name: somaz
Email: somaz@gmail.com

4. Remove Password from Private Key (Optional)

cp server.key server.key.origin
openssl rsa -in server.key.origin -out server.key

5. Generate Certificate

openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

6. Copy Certificates

cp server.key /etc/httpd/conf/
cp server.crt /etc/httpd/conf/

7. Configure Apache to Use SSL

# Edit SSL configuration
vi /etc/httpd/conf.d/ssl.conf

# Add or modify these lines
SSLCertificateFile /etc/httpd/conf/server.crt
SSLCertificateKeyFile /etc/httpd/conf/server.key

# Restart Apache
systemctl restart httpd

8. Test Configuration

# Check for configuration errors
apachectl configtest

# Verify SSL is working
openssl s_client -connect yourdomain.com:443


Implementation Guide: Nginx SSL/HTTPS Configuration

server {
    listen 443 ssl;
    server_name yourdomain.com;

    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    
    # Modern SSL configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    
    # HSTS (optional)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    
    # Other common security headers
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection "1; mode=block";
    
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://$host$request_uri;
}


Let’s Encrypt for Free SSL Certificates

Let’s Encrypt provides free, automated SSL certificates.

Using Certbot with Apache:

# Install Certbot
sudo apt install certbot python3-certbot-apache

# Obtain and install certificate
sudo certbot --apache -d yourdomain.com

# Auto-renewal (already added to crontab by certbot)
sudo certbot renew --dry-run

Using Certbot with Nginx:

# Install Certbot
sudo apt install certbot python3-certbot-nginx

# Obtain and install certificate
sudo certbot --nginx -d yourdomain.com

# Auto-renewal check
sudo certbot renew --dry-run


HTTP vs HTTPS Comparison

Feature HTTP HTTPS
Data Transfer Plain text Encrypted
Port 80 443
Security Vulnerable to eavesdropping Protected against interception
Authentication No authentication Server authentication
Performance Faster (no encryption overhead) Slight overhead due to TLS handshake
SEO Impact Negative (Google prefers HTTPS) Positive ranking factor
Modern Features Limited access to new web features Required for features like Service Workers


Troubleshooting Common SSL Issues

Certificate Issues
  • Self-signed Certificate: Browser warnings for untrusted certificates
  • Certificate Expired: Check expiration date with openssl x509 -in server.crt -noout -enddate
  • Common Name Mismatch: Certificate must match domain name exactly or use wildcard
  • Incomplete Certificate Chain: Ensure intermediate certificates are included
Configuration Issues
  • Mixed Content: HTTP resources loaded on HTTPS page
  • Cipher Suite Incompatibility: Check with openssl ciphers -v
  • Protocol Version Issues: Ensure modern TLS versions are enabled
  • Certificate File Permissions: Private keys should be readable only by server process


Diagnostic Tools


Reference