HTTP vs. HTTPS – What TLS Adds

#The Invisible Wrapper: Elevating the Application Layer#link

Building on the TLS handshakes we studied in the previous module, we now look at how this is applied to the web. HTTP (Hypertext Transfer Protocol) was designed for a trust-based environment where data was sent in cleartext. HTTPS is not a separate protocol, but rather HTTP residing inside a secure TLS tunnel.

The OSI Layer Transition

In a standard HTTP connection, the application data is sent directly over TCP. In HTTPS, a 'TLS Layer' is inserted between the Application layer and the Transport layer. The TCP connection is established first, then the TLS handshake occurs, and only then does the HTTP request (GET, POST, etc.) begin to flow.

The key difference visible in the output is the port (80 vs 443) and the intervening TLS handshake. Without this handshake, every header, cookie, and password sent in a POST request is visible to anyone on the local Wi-Fi or ISP.

The Three Pillars of HTTPS

HTTPS provides three critical security guarantees: Encryption (hiding data from eavesdroppers), Data Integrity (preventing tampering during transit), and Authentication (proving the server is who they claim to be via the X.509 certificates we studied earlier).

The 'Broken Lock' Problem

Modern browsers now label HTTP sites as 'Not Secure'. This is a psychological push to move the entire web to HTTPS. However, the 'Lock' icon only means the connection is encrypted; it does NOT mean the website is safe. A phishing site can have a perfectly valid HTTPS certificate.

• ▪Always use HTTPS for credentials
• ▪Ensure certificates are valid and not expired
• ▪Verify the domain name matches the certificate
• ▪Understand that HTTPS $ eq$ Trustworthiness