Meggie

Why do we need HTTPS?

Hyper Text Transfer Protocol Secure (HTTPS)

  • It is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected with. The 'S' at the end of HTTPS stands for 'Secure'. Therefore, all communications between your browser and the website are encrypted.
  • Also known as ‘HTTP over SSL’, ‘HTTP Secure’, or ‘HTTP over Transport Layer Security’.

Reasons for using HTTPS:

  • Privacy
  • Integrity
  • Identification

  1. Privacy

    It means that no one can eavesdrop on your messages.

    When a server sends an unencrypted message to the browser, i.e. you browse to a website without HTTPS, someone could eavesdrop on your password or private information.

    The green padlock in the URL bar of your browser tells you that the connection is encrypted, so no one on the network can read your messages/data.

  2. Integrity

    It means that the message is not manipulated on the way to its destination.

    When the message is not encrypted, someone can intercept and alter it before it reaches the client.

    This is often called a man-in-the-middle attack. The green padlock indicates that your communication is protected against such tampering.

  3. Identification

    It means that you can check that this message is coming from the real server/source.

    A digital signature attached to a message can identify the sender.

    When you are browsing the web, identification means that the site that you are visiting is indeed the one you think it is.

    HTTPS, via SSL certificates, ensures you are connected to exactly the receiver you expect.

    Your browser checks that the site's SSL certificate is valid and has been issued by a legitimate Certificate Authority.
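
The identification check described above, as an added example that is not part of the original article: a Go program that issues constructed test certificates (the CA name and the hostnames shop.example and bank.example are made up, and `issue`, `check` and `must` are helper names chosen here) and runs the same verification a browser performs. It goes slightly beyond the text by showing both failure cases: a valid certificate presented for the wrong hostname, and a self-signed certificate that no trusted CA issued.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func issue(name string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048)) // fresh key pair for this constructed test certificate
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature, DNSNames: []string{name},
	}
	if isCA { // a CA signs other certificates and names no host
		tmpl.KeyUsage, tmpl.DNSNames = x509.KeyUsageCertSign, nil
	}
	if parent == nil { // no issuer given: the certificate signs itself
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// check is the client's identification step: the chain must end at a trusted CA and the name must match host.
func check(cert, trusted *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, caKey := issue("Constructed Test CA", true, nil, nil)
	site, _ := issue("shop.example", false, ca, caKey) // constructed hostname
	fake, _ := issue("shop.example", false, nil, nil)  // self-signed impostor claiming the same name
	fmt.Println(check(site, ca, "shop.example"), "|", check(site, ca, "bank.example"), "|", check(fake, ca, "shop.example"))
}
```

Only the first check returns no error; the other two are the cases where a browser shows a certificate warning instead of the padlock.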


The article gives a short explanation regarding the purpose of https.

Top comments (4)

Sebastian P.R. Gingter

This is true. But forcing https everywhere is bad for a lot of people.

Please see this article, that nicely describes all the downsides of https.
meyerweb.com/eric/thoughts/2018/08...

So, while adding https is a nice thing, still offering unencrypted access (and not forcing https i.e. by automatically redirecting http to https) to content is critical for these people.

webdeasy.de

Short and good explanation! :)

Pacharapol Withayasakpunt

What is the difference between number One and Two? I think both are correlated, i.e. man-in-the-middle.

I used Let's Encrypt --- how do I make use of number Three? Is it impossible without HTTPS?

Meggie

Hi Pacharapol. Yes, in a way we can say that both points 1 and 2 look like a man-in-the-middle attack, since in both someone is listening to the private message. But in point 1, no one is tampering with the data, they are eavesdropping, while in point 2 the data is being intercepted.

Regarding the other question, Let's Encrypt is a legitimate certificate authority itself, so they are of course covering point 3 for you - i.e. identification.