• forestbeasts@pawb.social · 4 upvotes · 3 hours ago

    HTTPS is literally just HTTP, but shoved inside TLS, which is a generic encryption thing you can use on TCP* connections. It’s like shoving your message inside a magic envelope that can’t be broken into before you send it, the receiver can open the envelope though and read it. The stuff inside is still regular HTTP.

    (*connections to a server that let you send/receive a stream of data, instead of just firing off packets and hoping they make it there like how UDP works.)

    But as for HTTPS itself: First off there’s the encryption, which prevents anyone listening in from reading the stuff. But you also need to know that you’re talking to the right server, and some attacker isn’t just pretending to be the server you want and forwarding your messages to the real server, then relaying its answers back.

    That’s where certificates come in. Those are, unfortunately, centralized at least as web browsers use them; there’s a Big List of allowed “certificate authorities” in each browser and/or OS, which are organizations you can get a certificate for your website from. Certificates are signed (more cryptography math magic) by the CA so that your browser can know the cert came from a known CA. If it doesn’t, it goes basically “huh? I don’t know who signed this! maybe an attacker did. I don’t trust it.”

    There are other ways to handle that sort of trust. Mumble (a voice chat platform) also uses TLS certificates, but instead of just having a Big List, it just assumes that the first time you connect you’re not being actively attacked, and then if the certificate ever changes it can freak out and let you know. Much like SSH works (but SSH has its own completely different encryption scheme). Mumble also knows about the big list of CAs though and will accept ones signed by a known CA without questioning it.

    – Frost
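    The trust-on-first-use scheme described above (SSH known_hosts, Mumble), as an added example that is not part of the post and not Mumble's or OpenSSH's code. The "certificates" are constructed placeholder bytes rather than real DER certificates, and the `ca_signed` flag stands in for a full chain validation against the CA list.

```python
# Trust-on-first-use (TOFU) pinning of a server certificate, the scheme the
# post describes for Mumble and SSH known_hosts. Added example, not code
# from the post or from Mumble; the "certificates" below are constructed
# placeholder bytes, not real DER certificates, and the ca_signed flag
# stands in for a full chain validation against the CA list.
import hashlib
from enum import Enum


class Verdict(Enum):
    FIRST_SEEN = "first contact: fingerprint pinned (assumes no attacker today)"
    MATCH = "fingerprint matches the pin"
    CHANGED = "fingerprint CHANGED: refuse and warn the user"
    CA_TRUSTED = "signed by a known CA: accepted without a pin"


def fingerprint(cert_der):
    # SHA-256 over the raw certificate bytes, the value that
    # `openssl x509 -fingerprint -sha256` prints for a real certificate.
    return hashlib.sha256(cert_der).hexdigest()


class TofuStore:
    def __init__(self):
        self.pins = {}  # hostname -> pinned fingerprint, like known_hosts

    def check(self, host, cert_der, ca_signed=False):
        if ca_signed:
            # Mumble-style shortcut: a CA-signed cert is accepted outright and
            # is not pinned, so a later CA-signed rotation raises no alarm.
            return Verdict.CA_TRUSTED
        fp = fingerprint(cert_der)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fp
            return Verdict.FIRST_SEEN
        if pinned == fp:
            return Verdict.MATCH
        # Never overwrite a pin silently: a changed fingerprint is exactly
        # what an active attacker produces. Only accept_change replaces it.
        return Verdict.CHANGED

    def accept_change(self, host, cert_der):
        # Explicit user decision ("yes, the server really rotated its key"),
        # the only path that replaces an existing pin.
        self.pins[host] = fingerprint(cert_der)


def demo():
    # Constructed session: one host seen with cert A twice, then with cert B.
    store = TofuStore()
    cert_a = b"-- placeholder cert A --"
    cert_b = b"-- placeholder cert B --"
    return [
        store.check("voice.example", cert_a),
        store.check("voice.example", cert_a),
        store.check("voice.example", cert_b),
        store.check("voice.example", cert_b, ca_signed=True),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict.name, "-", verdict.value)
```

    The weak point of TOFU is the first contact: if the attacker is already in the path on day one, the pin stored is the attacker's. That is why a client that also knows the CA list, as Mumble does, gets the best of both.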

  • aMockTie@piefed.world · 3 upvotes · edited · 3 hours ago

    HTTP is like a conversation with someone wearing a “Hello my name is X” sticker at a public party, HTTPS is like a conversation with someone proving their identity with a government issued passport in a private room. Anyone can write anything they want on the former, and anyone happening to listen to the conversation can overhear everything. On the other hand, the latter requires basic identity verification and can’t be easily overheard.

    With that being said, anyone can also obtain a passport. That means you can be sure that you are interacting with a John Doe, but that doesn’t necessarily mean that you are interacting with the John Doe you were expecting. For example, John A Doe (e.g. Google.com) is different, but maybe difficult to notice from John E Doe (e.g. Goggle.com), especially at a glance.

    I hope that helps.
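    The "John A Doe versus John E Doe" check above is, concretely, the browser comparing the hostname you typed against the DNS names in the certificate. The following is an added example of that comparison (not code from the post, and not a browser's implementation); the SAN lists are constructed. It applies the rules browsers use: case-insensitive DNS names, a wildcard only as the entire leftmost label that covers exactly one label, and no wildcard directly under a public suffix such as `*.com`.

```python
# Name matching between a certificate's Subject Alternative Names and the
# host the user asked for. Added example, not code from the post; the SAN
# lists used with it are constructed. A cert for goggle.com is a perfectly
# valid passport, but it is not the passport of google.com.

def _labels(name):
    # Lower-case, drop a trailing dot, split into DNS labels.
    return name.rstrip(".").lower().split(".")


def hostname_matches(san_dns_names, hostname):
    """Return the SAN entry that covers hostname, or None if none does."""
    host = _labels(hostname)
    for san in san_dns_names:
        pattern = _labels(san)
        if len(pattern) != len(host):
            continue  # *.example.com never covers a.b.example.com or example.com
        if pattern[0] == "*":
            # Whole-label wildcard only ("w*.example.com" is not honoured),
            # and at least two fixed labels so "*.com" cannot cover every .com site.
            if len(pattern) >= 3 and pattern[1:] == host[1:]:
                return san
        elif pattern == host:
            return san
    return None


if __name__ == "__main__":
    # Constructed SAN list for a look-alike site.
    lookalike = ["goggle.com", "www.goggle.com"]
    print("google.com ->", hostname_matches(lookalike, "google.com"))   # None
    print("goggle.com ->", hostname_matches(lookalike, "goggle.com"))   # goggle.com
```

    Python's own `ssl` module delegates this to OpenSSL when `check_hostname` is enabled; the function above is a model of the rule, useful for reasoning about which names a given certificate can and cannot be presented for.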

  • ShimitarA · 17 upvotes · 6 hours ago

    HTTPS adds an encryption layer on top of HTTP. Except for that, they are the same. Also, HTTPS provides a way to make sure the website is who it claims to be and not a random hacker website pretending to be it.

    Whatever you do on HTTPS is encrypted end to end and cannot be read by somebody in the middle.

    For example, if you log in to a webpage with HTTP your password will be sent in clear text and possibly read by somebody in the middle (your internet provider, your company, any other network in between …), while on HTTPS that same password is encrypted before it leaves your browser and is safe until it reaches the server, where it is decrypted.

    It works with a chain of certificates approved by some authorities that your browser trusts, so that besides encryption you can also trust that the website you are connecting to is actually who it claims to be (of course, that requires you to trust the website's certificate and chain of trust).
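    Whether that chain of trust is actually checked is a client-side setting, and the most common way to lose it is the "just disable verification" shortcut. As an added example (not code from the post), here are the two client configurations side by side in Python's standard `ssl` module, plus a small audit that reports which checks a context has turned off. Nothing connects to the network; only the context objects are built and inspected.

```python
# Client TLS settings that decide whether the certificate chain and the
# hostname are verified. Added example, not code from the post. No network
# access: the contexts are built and inspected, never used to connect.
import ssl


def hardened_context():
    # create_default_context() loads the OS/Python CA list ("the authorities
    # your browser trusts"), requires a valid chain (CERT_REQUIRED) and
    # checks that the certificate names the host we asked for.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_context():
    # The "verify=False" shortcut: any certificate from anyone is accepted,
    # so a man in the middle with a self-signed cert decrypts everything.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared first, or CERT_NONE raises ValueError
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit(ctx):
    """Return the list of trust checks this context has disabled (empty = fine)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: unsigned or attacker certs accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid cert for any other site is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2")
    return findings


if __name__ == "__main__":
    print("hardened:", audit(hardened_context()) or "no findings")
    print("insecure:", audit(insecure_context()))
```

    With the hardened context a bad chain surfaces as `ssl.SSLCertVerificationError` at handshake time, before a single byte of HTTP (and any password) is sent; with the insecure one the handshake succeeds against any server, which is the situation the comment warns about.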

  • sbeak@sopuli.xyz · 3 upvotes · 4 hours ago

    Just to add to the definitions that others have already mentioned, simply because a website is using an HTTPS connection does not mean that it’s necessarily a trustworthy website. The website you are accessing could be compromised, so don’t take the green lock / whatever your browser uses as the HTTPS indicator as a guarantee for security!

    Another fun fact, although HTTP(S) is used for serving HTML webpages, there are other protocols for different use cases. For example, FTP is used for file sharing, and SMTP is for email. You might have also heard of the Tor network, which is used when anonymity is important (see journalists, activists, etc.)

  • dracc@discuss.tchncs.de · 11 upvotes · edited · 5 hours ago

    The ‘S’ stands for “Secure”. HTTPS is encrypted with SSL or, nowadays, TLS, which means a third party can’t intercept and read your transferred data. HTTP, on the other hand, is sent in clear text, meaning its contents can be read by anyone who can access it.

    Edit: thanks nasteva@jlai.lu for the correction! I got the encryption algorithms mixed up.

  • kibblebits@quokk.au · 3 upvotes, 1 downvote · 5 hours ago

    One is plural and has many http in one location. I saw some http at the zoo.