HTTP vs HTTPS
Master the protocol of the web. Learn the difference between cleartext communication and secure, encrypted data transfer.
HTTP (Hypertext Transfer Protocol) is the foundation of data exchange on the web. HTTPS (HTTP Secure) is an extension of HTTP that uses encryption for secure communication.
The Logic (ELI5)
HTTP (The Postcard)
Think of sending a Postcard through the mail:
- You write your message on the back.
- Anyone who touches the postcard (Mailman, Sorting Machine, Neighbor) can read exactly what you wrote.
- It's fast and easy, but not private.
HTTPS (The Locked Box)
Think of sending a Locked Metal Box:
- You put your message inside a box and lock it with a key.
- Everyone can see you are sending a box, but only the person with the Other Key (The Receiver) can open it and read the message.
- Even if the Mailman steals the box, they can't see what's inside.
The Deep Dive
What makes it "Secure"?
HTTPS uses TLS (Transport Layer Security) or its predecessor SSL (Secure Sockets Layer).
- Encryption: Hiding the data from eavesdroppers.
- Authentication: Proving the server is who it says it is (using Certificates).
- Integrity: Ensuring the data hasn't been modified during transit.
How the Handshake works
- Client Hello: Requesting a secure connection.
- Server Certificate: The server sends its public key and a certificate signed by a trusted authority (e.g., Let's Encrypt).
- Key Exchange: Client and Server agree on a "Symmetric Key" for the session.
- Encrypted Data: All future data is scrambled using that key.
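Added example, not part of the original page: the postcard and the locked box as a passive observer sees them in the first bytes of a connection. A cleartext HTTP request is readable in full, while a TLS connection exposes only the Client Hello, which is sent before any key exists and carries the server name unless Encrypted Client Hello is in use. The sample request, the host name `bank.example` and the function names are constructed for illustration.

```python
import struct

HTTP_METHODS = {b"GET", b"POST", b"PUT", b"DELETE", b"HEAD", b"OPTIONS", b"PATCH"}

# Constructed sample: a cleartext HTTP login request (not a real capture).
HTTP_SAMPLE = b"POST /login HTTP/1.1\r\nHost: bank.example\r\n\r\nuser=alice&password=hunter2"

def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS ClientHello record as constructed sample input."""
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name  # list len, host_name type, name len
    ext = struct.pack("!HH", 0, len(sni)) + sni                    # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)   # legacy_version, 32-byte random
            + b"\x00"                 # empty session id
            + b"\x00\x02\x13\x01"     # one cipher suite
            + b"\x01\x00"             # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def _server_name(rec: bytes):
    """Walk the ClientHello fields to the SNI extension; None if absent or truncated."""
    try:
        p = 5 + 4 + 2 + 32                              # record hdr, handshake hdr, version, random
        p += 1 + rec[p]                                 # session id
        p += 2 + int.from_bytes(rec[p:p + 2], "big")    # cipher suites
        p += 1 + rec[p]                                 # compression methods
        end = p + 2 + int.from_bytes(rec[p:p + 2], "big")
        p += 2
        while p + 4 <= min(end, len(rec)):
            ext_type, ext_len = struct.unpack("!HH", rec[p:p + 4])
            if ext_type == 0:
                n = int.from_bytes(rec[p + 7:p + 9], "big")
                return rec[p + 9:p + 9 + n].decode("ascii")
            p += 4 + ext_len
    except (IndexError, UnicodeDecodeError):
        pass
    return None

def observe(payload: bytes) -> dict:
    """Report what a passive observer can read from a connection's first bytes."""
    if payload[:2] == b"\x16\x03" and payload[5:6] == b"\x01":
        return {"protocol": "TLS", "server_name": _server_name(payload), "readable": None}
    if payload.split(b" ", 1)[0] in HTTP_METHODS:
        return {"protocol": "HTTP", "server_name": None, "readable": payload.decode("latin-1")}
    return {"protocol": "unknown", "server_name": None, "readable": None}
```

Running `observe(HTTP_SAMPLE)` returns the whole request, password included; `observe(build_client_hello("bank.example"))` returns only the protocol and the server name.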
Interview Pulse
Port Numbers
- HTTP: Default is Port 80.
- HTTPS: Default is Port 443.
Performance Cost
Does HTTPS make a site slower? Answer: Technically yes, because of the "TLS Handshake" at the start. However, modern CPUs handle encryption almost instantly, and protocols like HTTP/2 and QUIC (HTTP/3) are actually only supported over HTTPS and are much faster than old HTTP.
Top Tip
In a system design interview, always assume HTTPS. Security is no longer optional. If you are designing an API for a bank or even a cat-video site, mention that TLS termination usually happens at the Load Balancer or API Gateway level to save the back-end servers from doing the heavy encryption work.