HTTP Vs HTTPS

The HyperText Transfer Protocol is an application layer protocol, which means it focuses on how information is presented to the user of the computer but doesn’t care a whit about how data gets from Point A to Point B. It is stateless, which means it doesn’t attempt to remember anything about the previous Web session. This is great because there is less data to send, and that means speed. And HTTP operates on Transmission Control Protocol (TCP) Port 80 by default, meaning your computer must send and receive data through this port to use HTTP.

Secure HyperText Transfer Protocol (HTTPS) is for all practical purposes HTTP. The chief distinction is that it uses TCP Port 443 by default, so HTTP and HTTPS are two separate communications. HTTPS works in conjunction with another protocol, Secure Sockets Layer (SSL), to transport data safely. Remember, HTTP and HTTPS don’t care how the data gets to its destination. In contrast, SSL doesn’t care what the data looks like. People often use the terms HTTPS and SSL interchangeably, but this isn’t accurate. HTTPS is secure because it uses SSL to move data.
HTTPS differentiates one sender and receiver from another. SSL takes the data, going or coming, and encrypts it. This means that SSL uses a mathematical algorithm to hide the true meaning of the data. The hope is that this algorithm is so complex it is either impossible or prohibitively difficult to crack

The encryption begins when the owner of the Web site purchases a time-sensitive certificate from a trusted certificate authority such as VeriSign. You can get a certificate anywhere, or even make your own, but is it trusted? Your browser will let you know. This certificate is a security code created specifically for that one user, or even for that one Web site. The code is so complex that no one else on Earth should have a duplicate.

Getting a certificate can be an involved task. All types of information must be recorded so the issuer of the certificate can be a reliable authority on the certificate’s owner. Information that must be provided includes the name of the site and even the name of the server that hosts the site. Complexity makes counterfeiting incredibly difficult.

This makes the issuer a trusted third party. When your browser sees the secure Web site, it uses the information in the certificate to verify that the site is what it claims to be. Browsers commonly indicate security by presenting a picture of a shiny closed lock at the bottom of the screen. This process is not always perfect because of human error. Maybe 53.com is a valid banking site, but 53RD.com is not. We call that phishing. Unscrupulous people phish for careless people. So be cautious. After the identity of the Web site is accepted, the encryption is negotiated between the browser and the Web server, and the data is all but locked up tight.