What are the differences between HTTP and HTTPS besides security?

HTTP and HTTPS are two common network protocols, both of which are used to transmit data between browsers and servers. However, there are also some important differences between them, which involve data security, transmission performance, usage costs, search rankings, etc. This article will introduce the differences between HTTP and HTTPS from the following aspects. The outline of this article is as follows:

Data security

The HTTP protocol is a plain text transmission protocol. It does not perform any encryption or verification on the data. This means that anyone can intercept, view or modify the data transmitted by HTTP on the network. This poses a great security risk, especially for sensitive information such as user names, passwords, bank card numbers, ID numbers, etc.

The HTTPS protocol is a secure transmission protocol that adds the SSL/TLS layer on top of HTTP. SSL/TLS is an encryption and authentication technology that can encrypt, decrypt, sign, and verify data, thereby ensuring the confidentiality, integrity, and authenticity of the data and preventing the data from being stolen or tampered with by a third party.

[Figure: the HTTPS handshake and subsequent data transmission. Image source: https://coolcao.com 2018/08/06/https/]

As shown in the figure above, the HTTPS process includes handshake and subsequent data transmission. The purpose of the handshake is for the client and the server to negotiate parameters such as encryption algorithms.

The HTTPS protocol works roughly as follows:

  1. The client makes its first request to the server, telling it the protocol versions, encryption algorithms, and compression algorithms it supports, and sends a random number it has generated (client random).

     Information that the client needs to provide:

       • Supported protocol versions, such as TLS 1.0
       • A random number generated by the client, used later to generate a symmetric key
       • Supported encryption algorithms, supported compression methods, etc.

  2. The server confirms the encryption method used by both parties and returns the server certificate and a random number generated by the server (server random).

     Information the server needs to provide:

       • Protocol version
       • Encryption algorithm
       • Random number generated by the server
       • Server certificate

  3. After receiving the certificate, the client first verifies the validity of the certificate, then generates a new random number (premaster secret), encrypts it using the public key in the digital certificate, and sends it to the server.

     The client verifies the certificate issued by the server. Once verification passes, the client generates another random number (premaster secret) and encrypts it with the public key in the server certificate. Along with it, the client sends a ChangeCipherSpec message, which announces the change of encoding, and a hash of all previous messages for the server to verify. This piece of data is encrypted with the new key and sent to the server to ensure that there are no errors before formal communication begins.

  4. After receiving the encrypted random number, the server uses its private key to decrypt it and obtain the random number (premaster secret).

  5. Finally, the server and client use the three random numbers mentioned above (client random, server random, premaster secret), according to the agreed encryption method, to generate a symmetric key that encrypts the rest of the conversation. The server encrypts the response data with the symmetric key and sends it to the client. The client decrypts the response data with the symmetric key to obtain the plaintext data.

Transmission performance

To discuss transmission performance, we need to explain different HTTP versions.

HTTPS VS HTTP 1.1

Compared with HTTPS, plain HTTP 1.1 performs better, mainly because HTTPS only adds the SSL/TLS layer to the HTTP 1.1 protocol without any other modifications.

After adding the SSL/TLS layer, additional encryption and decryption processes are required, which will increase the data processing time and transmission time, and also consume more CPU and memory resources. In addition, the HTTPS protocol also requires certificate verification and key negotiation, which will also increase the time to establish a connection.

The HTTP 1.1 connection establishment process only requires a three-way TCP handshake, while the HTTPS protocol connection establishment process also requires an SSL/TLS handshake, which adds at least 6 round-trip times (RTT).

Therefore, the connection establishment time for HTTPS is much longer than that for HTTP 1.1.

HTTP 2 VS HTTP 1.1

HTTP 2 has many performance improvements over HTTP 1.1, mainly in the following aspects.

Binary framing

HTTP 2 uses binary framing, which can reduce the size of data and the complexity of the format, and improve data transmission efficiency.

It mainly changes the message transmission format of HTTP 1.1. HTTP 1.1 uses line breaks as delimiters in plain text, while HTTP 2 divides all transmitted information into smaller messages and frames and encodes them in binary format. These frames correspond to messages in a specific data stream, and they are all multiplexed over a single TCP connection.

Multiplexing

HTTP 2 supports multiplexing, which allows multiple requests and responses to be transmitted concurrently on a single connection, avoiding head-of-line blocking and the overhead of repeatedly establishing connections.

HTTP 2 can send requests and responses simultaneously over a shared TCP connection. HTTP messages are broken down into independent frames, sent interleaved without destroying the order of the messages themselves, and reassembled at the other end based on the stream identifier and header. Multiplexing avoids the head-of-line blocking problem of older HTTP versions and greatly improves transmission performance.
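Binary framing and multiplexing together, as an added example (not code from the original article): two responses are cut into DATA frames, interleaved on one byte stream, and reassembled by stream identifier. The 9-byte header layout follows RFC 9113 section 4.1; the payloads and stream numbers are constructed.

```python
import struct
from collections import defaultdict

DATA = 0x0         # frame type
END_STREAM = 0x1   # flag: last frame of this stream


def frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, then payload."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, flags,
                       stream_id & 0x7FFFFFFF) + payload


def parse_frames(buf: bytes):
    """Yield (type, flags, stream_id, payload); reject truncated input."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 9:
            raise ValueError("truncated frame header")
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", buf, pos)
        length = (hi << 16) | lo
        pos += 9
        if len(buf) - pos < length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, sid & 0x7FFFFFFF, buf[pos:pos + length]
        pos += length


def reassemble(buf: bytes):
    """Rebuild each stream's body from interleaved DATA frames."""
    bodies, finished = defaultdict(bytes), set()
    for ftype, flags, sid, payload in parse_frames(buf):
        if ftype == DATA:
            bodies[sid] += payload
            if flags & END_STREAM:
                finished.add(sid)
    return dict(bodies), finished


# Constructed capture: streams 1 and 3 interleaved on one connection.
WIRE = (frame(DATA, 0, 1, b"<html>") + frame(DATA, 0, 3, b"body{")
        + frame(DATA, END_STREAM, 1, b"</html>")
        + frame(DATA, END_STREAM, 3, b"}"))

if __name__ == "__main__":
    print(reassemble(WIRE))
```

The explicit length checks matter on the receiving side: a length field is attacker-controlled input, and a parser that trusts it without comparing against the bytes actually received will read past the buffer or stall.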

Header Compression

HTTP 2 supports header compression, which can reduce the amount of data transmitted and save network bandwidth.

HTTP 2 uses the HPACK algorithm to compress header fields. This compression format encodes the transmitted header fields and reduces their size. At the same time, index tables are maintained at both ends to record the header fields that have already appeared. Later in the connection, only the index number of a recorded header field needs to be transmitted, and the other end looks up the corresponding value by that index. Compared with HTTP 1.1, which transmits message headers as text, HTTP 2 header compression reduces the size of requests.
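The index tables at work, as an added example (not code from the original article): a reduced HPACK encoder following RFC 7541, limited to a five-entry subset of the static table, no Huffman coding, no table eviction, and strings under 127 bytes. The request headers are the sample requests from RFC 7541 Appendix C.3.

```python
STATIC = {  # subset of the 61-entry static table (RFC 7541, Appendix A)
    (":authority", ""): 1, (":method", "GET"): 2, (":path", "/"): 4,
    (":scheme", "http"): 6, ("cache-control", ""): 24,
}
STATIC_NAMES = {name: idx for (name, _), idx in STATIC.items()}


def _string(text: str) -> bytes:
    """Length-prefixed string literal without Huffman coding."""
    raw = text.encode("ascii")
    if len(raw) >= 127:
        raise ValueError("this reduced encoder only handles short strings")
    return bytes([len(raw)]) + raw


class Encoder:
    def __init__(self):
        self.dynamic = []  # newest first; entry i has index 62 + i

    def _lookup(self, name, value):
        if (name, value) in STATIC:
            return STATIC[(name, value)]
        if (name, value) in self.dynamic:
            return 62 + self.dynamic.index((name, value))
        return None

    def encode(self, headers) -> bytes:
        out = bytearray()
        for name, value in headers:
            idx = self._lookup(name, value)
            if idx is not None:
                out.append(0x80 | idx)         # indexed field: one byte
                continue
            name_idx = STATIC_NAMES.get(name, 0)
            out.append(0x40 | name_idx)        # literal, added to the table
            if name_idx == 0:
                out += _string(name)
            out += _string(value)
            self.dynamic.insert(0, (name, value))
        return bytes(out)


REQ1 = [(":method", "GET"), (":scheme", "http"), (":path", "/"),
        (":authority", "www.example.com")]
REQ2 = REQ1 + [("cache-control", "no-cache")]

if __name__ == "__main__":
    enc = Encoder()
    for req in (REQ1, REQ2, REQ2):
        print(len(enc.encode(req)), "bytes")
```

The same header set shrinks from 14 bytes to 5 once every field is in the table, which is the saving the paragraph describes.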

HTTP 2 Disadvantages

Having said so much about the advantages of HTTP 2, we also need to be clear about its disadvantages.

  • Connection establishment delay: HTTP 2 is still based on the TCP protocol, so both the TCP three-way handshake and the TLS handshake are required, which takes a certain amount of time and affects data transmission efficiency.
  • Head-of-line blocking is not completely solved: although HTTP 2 supports multiplexing and can transmit multiple requests and responses concurrently on one connection, if one of the data streams is lost or delayed, the entire TCP connection is affected and subsequent data streams are blocked.
  • Multiplexing is prone to timeouts: HTTP 2 multiplexing sends multiple requests over the same TCP connection. If one request takes too long to process, multiple requests may exceed the client timeout period and fail.

HTTP 3 vs HTTP 2

The improvement of HTTP 3 compared to HTTP 2 can be said to be comprehensive. The underlying transmission protocol is changed from TCP to QUIC based on UDP, which realizes congestion control and reliable transmission features at the application layer.

Advantages

The advantages of HTTP 3 are mainly reflected in its use of the QUIC protocol, which can reduce handshake delays, improve connection stability, support more efficient multiplexing, and better adapt to network changes.

Disadvantages

The disadvantage of HTTP 3 is that it still has some compatibility and stability issues, and sometimes it is even slightly slower than HTTP 2. This may be due to different congestion control algorithms, or due to the restrictions or filtering of UDP by network devices and firewalls.

You can see that the performance differences between different HTTP versions are huge. Both HTTP 2 and HTTP 3 are built on HTTPS by default. So if you want higher HTTP protocol transmission performance, you can use HTTP 2 or HTTP 3.

Cost

The cost of using HTTP is much lower than that of HTTPS, mainly because the HTTPS protocol requires applying for and maintaining digital certificates, which usually costs a certain amount of money, and the validity period of a certificate is limited, so it needs to be renewed regularly.

In business development, an Alibaba Cloud enterprise-level HTTPS CA certificate usually costs several thousand RMB for one year.

In addition, HTTPS also consumes a bit of server resources because the encryption and decryption process of the TLS layer also requires CPU participation in calculations.

In comparison, HTTP does not require the application and maintenance of digital certificates, nor does it require more server resources, so the cost of using the HTTP protocol is lower.

Search ranking

The search ranking of HTTPS protocol is better than that of HTTP protocol, mainly because HTTPS protocol can improve users' trust and sense of security, thereby increasing users' visits and stay time, which are important factors for search engine optimization (SEO).

In addition, some mainstream search engines, such as Google and Baidu, have also clearly stated that the HTTPS protocol is an important weight indicator for search rankings. In other words, HTTPS websites have more advantages than HTTP websites in search rankings.

The HTTP protocol has poor security, which may lead to user loss and dissatisfaction, reducing user visits and retention time and, with them, the effectiveness of search engine optimization (SEO). In addition, the HTTP protocol is not favored by search engines, so HTTP sites rank lower in search results.

To sum up, the HTTPS protocol has obvious advantages in security and search ranking, while the HTTP protocol is only slightly better in cost control.

With the development of the Internet, HTTPS has become the choice of more and more websites, while HTTP has been gradually phased out. Therefore, it is recommended that website developers and operators upgrade HTTP to HTTPS as soon as possible to improve the security and competitiveness of the website.

