HTTP is the primary instrument for navigating the internet: it manages the connection between web browsers and the websites they visit. The HTTP protocol is based on a sequence of request-response messages, where the request carries our data and the response brings back the website content.
Data transmitted in HTTP messages is fundamental for websites to function properly. Some of it merely describes the request, such as the requested URL, while other data is highly sensitive but still necessary to confirm the visitor’s identity or make an online payment, such as passwords and credit card details. Accordingly, the security of web transactions is crucial to protect all kinds of transmitted information.
The HTTP protocol tends to be insecure because HTTP requests are not encrypted. In fact, HTTP was not originally designed to be secure, yet we can still browse HTTP websites safely with some caution.
This article discusses the security concerns of the HTTP protocol: why it is not totally secure, how safe it is, and what the threats of visiting HTTP websites are.
Nonetheless, before digging deeper into these questions, we first need to understand briefly how the HTTP protocol works and how it differs from HTTPS.
1. What is HTTP and How Does it Work?
HTTP or the Hypertext Transfer Protocol is a communication protocol that is used to serve data and files over the internet.
HTTP is the foundation of data communication for the internet. It is responsible for establishing the connection between web servers and clients (usually web browsers), and then transmitting webpages and online documents to netizens.
The HTTP protocol appears as a prefix to the website URL in the web browser, in the form http://www.example.com. Some browsers don’t display it, as it’s the default protocol when visiting websites.
There are multiple versions of HTTP protocol, for example, we have HTTP/1.1, HTTP/2, and HTTP/3. Each version provides better performance and a more advanced structure than its predecessors.
How does HTTP protocol work?
HTTP follows a pretty simple model:
This request-response message results in a webpage being displayed or a media element being loaded.
Moreover, HTTP is a stateless protocol. This means web servers do not retain the user’s session or hold any data between requests. In other words, each request is processed separately, and the browser sends the relevant information with each request so that the web server can identify the session.
Thus, we can simply understand HTTP as a sequence of separate request-response messages between a user and a web server, where each request is identified by the requested URL, its parameters, and its data.
Accordingly, the HTTP protocol consists of two main parts:
- HTTP Request: the message initiated by the client, usually a web browser, which contains details of the online resource, such as the requested URL and sender information.
- HTTP Response: the message initiated by the web server, which contains the requested resource, such as the webpage HTML file or online document.
2. HTTP or HTTPS: Which is More Secure?
The HTTP protocol was created to carry data between servers and clients in both directions. Some of this data is highly sensitive and must not be leaked, as it may contain personal information, passwords, and credit card details.
This prompted the creation of HTTPS, which is an extension of HTTP protocol with the added “S” referring to “Secure”. HTTPS utilizes data encryption methods to ensure secure communications between the server and the client.
HTTPS depends on another cryptographic protocol called TLS (Transport Layer Security) to protect both the privacy and integrity of exchanged data while in transit. Therefore, it is also called “HTTP over TLS” or “HTTP over SSL”.
By adding an encryption layer, HTTPS is far more secure than HTTP. It is nowadays used more often than the original HTTP protocol, by more than 79% of websites.
The main goal of HTTPS is to protect website authenticity, secure user accounts, and keep user communications with the internet private. It works in a pretty similar way to well-known digital signatures.
3. Is HTTP Encrypted?
The main task of HTTP protocol is to provide rules to transmit data between systems. It controls how two systems identify each other, and how the messages between them are handled.
In terms of the data being exchanged, each version of HTTP protocol imposes a specific structure for both request and response messages. This structure tells how the request is built and what fields need to be provided.
The regular HTTP protocol is not encrypted. This means all information the visitor submits to HTTP websites is sent across the internet in a human-readable plain-text format.
To show this in action, we installed a network monitoring tool called Wireshark and used it to inspect HTTP requests.
Using an API simulation tool called Postman, we submitted a test username and password to an HTTP website and monitored our network traffic.
The following snapshot displays what the HTTP request looks like in Wireshark. As we can see here, all fields are unencrypted and anyone who has access to the network can easily read them.
On the other side, HTTPS is designed to add an encryption layer to HTTP to make it difficult to unveil the user’s data and information.
To check this as well, we re-submitted the same credentials to the website but this time using HTTPS protocol. The following snapshot shows how the (encrypted) data appears in HTTPS requests.
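To make the two points above concrete (the request/response parts of an HTTP message from section 1, and the plain-text credentials visible in the Wireshark capture here), the following added example parses a raw HTTP request exactly as it travels on the wire and flags credential-like form fields that an observer on the path could read. It is not the article's own capture: the request bytes are constructed, and the set of field names treated as credentials is an assumption for the demo.

```python
"""Parse a raw HTTP/1.1 request as it appears on the wire and flag
credential-like form fields that are readable in clear text.

Added example for this article; not the author's Wireshark/Postman
capture. The request bytes are constructed, and the set of field names
treated as credentials is an assumption for the demo.
"""
from urllib.parse import parse_qs

# Assumed form field names a network monitor would treat as credentials.
CREDENTIAL_FIELDS = {"username", "user", "login", "email",
                     "password", "pass", "pwd", "card_number", "cvv"}

# Constructed capture: a POST of a test username and password to an
# http:// login form, the same kind of request the article inspected.
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 37\r\n"
    b"\r\n"
    b"username=testuser&password=Secret123!"
)


def parse_http_request(raw: bytes) -> dict:
    """Split a raw request into its request line, headers and body.

    These are the pieces an observer on the path sees on plain HTTP; on
    HTTPS the same bytes sit inside the TLS record layer and are unreadable.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: end of headers not found")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    return {
        "method": method,
        "target": target,
        "version": version,
        "url": "http://" + headers.get("host", "") + target,
        "headers": headers,
        "body": body[:length],
    }


def find_cleartext_credentials(raw: bytes) -> list:
    """Return (field, value) pairs for credential-like fields submitted in
    a form-encoded body over plain HTTP.

    A defender would run this over captured traffic to find logins that
    still happen over http:// and therefore must move to HTTPS.
    """
    req = parse_http_request(raw)
    ctype = req["headers"].get("content-type", "")
    if req["method"] != "POST" or not ctype.startswith(
            "application/x-www-form-urlencoded"):
        return []
    fields = parse_qs(req["body"].decode("utf-8", "replace"),
                      keep_blank_values=True)
    return [(name, values[0]) for name, values in fields.items()
            if name.lower() in CREDENTIAL_FIELDS]


if __name__ == "__main__":
    req = parse_http_request(SAMPLE_REQUEST)
    print(req["method"], req["url"])
    for name, value in find_cleartext_credentials(SAMPLE_REQUEST):
        print(f"cleartext credential: {name}={value}")
```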
4. Is HTTP Secure?
Essentially, HTTP is a communication protocol. It is not meant to provide any type of security or protection for the data being transmitted.
No HTTP version includes any sort of data encryption in its formal specification. Thus, HTTP requests and responses are sent in plain text, and anyone on the path can read them.
The HTTP protocol itself is not secure, and was not designed with security in mind! So if the network is insecure or compromised, all HTTP communications data between the client and web server may be leaked.
The key issue here is not a flaw in the protocol’s message format itself, but the fact that HTTP data is not encrypted, so the information being sent can be intercepted and stolen by attackers.
Accordingly, on an insecure internet connection, anyone who manages to get access to HTTP requests can easily read and modify the data in transit.
With that in mind, HTTP is insecure because the compromised data may include every single piece of information being transmitted, from personal information like names, addresses, and contact numbers to highly sensitive financial records such as bank accounts and credit card details.
5. Why is HTTP Not Secure?
HTTP is not secure primarily because of the following three problems:
5.1. HTTP data can be stolen
As HTTP data is sent in plain text, attackers can easily read the message content and use it later for other purposes on behalf of the sender.
For example, you may find yourself being sued for illegal online activities that you know nothing about.
This can happen because someone accessed your personal information or passwords and then used your identity to carry out suspicious activities.
This issue becomes especially serious given that more than 50% of users tend to reuse their credentials across multiple online services, which gives attackers better opportunities to benefit from the stolen records.
5.2. HTTP connection lacks data integrity
As HTTP requests are sent unencrypted, hackers are able to alter the message without any means for the web server or client to detect this modification.
For example, when processing an online money transfer, you approve paying $10 for a specific item. But due to an intervention by an attacker, you find yourself losing $1K from your bank account!
This is simply because someone secretly intercepted your request and modified the amount and the destination account.
Likewise, HTTP response can be compromised as well since attackers can inject suspicious code into retrieved websites. This code may show ads, consume your PC resources, or try to exploit vulnerabilities in your browser or operating system.
In all cases, HTTP doesn’t ensure the integrity of the messages. So neither you nor the visited website is able to know if the request or response has been changed.
5.3. HTTP requests lack server authentication
With access to the plain-text URL, attackers can alter the target URL in the request and redirect it to a different destination, so you don’t know if your request is actually reaching the original web server.
As a result, you may end up sending your personal information or authentication credentials to a totally different website.
This is because no HTTP version has any method to confirm the identity of the web server that is supposed to receive the user’s request.
6. Is HTTP Safe?
As we discussed earlier, HTTP is not secure because it does not encrypt the data in transit. Does this necessarily mean the protocol is also NOT SAFE?
Not really: determining whether HTTP is safe or not depends on what types of information we are sending via it.
The HTTP protocol remains safe as long as we are not submitting any sensitive data when browsing websites that run on it.
Most modern browsers notify us when visiting an HTTP webpage, with a warning such as:
“You should not enter any sensitive information on this site (for example, passwords or credit cards), because it could be stolen by attackers” (Google Chrome, Microsoft Edge, and Opera)
“Your connection to this site is not private. Information you submit could be viewed by others (like passwords, messages, credit cards, etc.).” (Mozilla Firefox)
That being said, HTTP is usually SAFE when:
We are just visiting the website, navigating through its pages, reading its content, and browsing its products, images, and other media assets.
Keep in mind that even in this case, attackers are still able to inject suspicious code into the response itself.
On the other hand, HTTP is NOT SAFE when:
We are going to register/log in to the website, buy products from it, or interact with its forms by typing private information such as passwords, addresses, telephone numbers, bank accounts, and credit card details.
7. Threats of Using HTTP
The plain, unencrypted HTTP protocol contains little or no built-in security. Even if your local network is secure, the data could still be captured at other points the request passes through on its way to its destination, such as the ISP (Internet Service Provider) in your country or networks in other countries on the way to the requested website.
Here are some of the known threats of accessing a website using plain HTTP protocol:
- Man in the Middle Attack (MITM): one of the most popular cyber-attacks on the web. Here attackers manage to secretly access the communications between two systems. For example, they illegally place themselves between the user’s browser and the website server, then intercept the traveling information to steal the transmitted data or alter it.
- Eavesdropping Attack: also known as sniffing or snooping, this is a passive MITM attack where attackers secretly listen to private communications between two parties. It aims at gathering information without actively getting into the network and altering the transmitted data.
- Parameter Tampering Attack: a web-based cyber-attack that aims at changing the parameters exchanged between the server and client. Manipulated parameters might include user credentials or permissions, or other transactional details such as a product’s quantity, type, or price.
We have developed a comprehensive guide to the threats that may arise when visiting an insecure website. We highly recommend referring to that article for more details.
Threats May Happen When Visiting Unsecure Website [Explained]
Many people think they are safe as long as they don’t download anything from the internet. This is unfortunately NOT TRUE. Although most attacks start once the user accidentally or unknowingly takes an action, some of them can take place secretly without the visitor’s knowledge or consent.
8. Can HTTP Websites Be Hacked?
The aim of the HTTP protocol is to orchestrate communication between web servers and clients. It doesn’t provide any means to protect the website that runs over it.
Even with the encryption layer added by HTTPS, there is still nothing in the protocol that prevents attacks on the web server itself.
Both HTTP and HTTPS websites can be hacked if defensive measures are not properly applied. These protocols play no role in this regard.
In addition, HTTPS protects users’ data against leakage while it is in transit; it does not protect the website itself or its hosting servers.
9. HTTP Websites List
According to a survey by W3Techs, almost 80% of websites do use HTTPS. This means that the remaining 20% are still using the original HTTP protocol.
That said, despite its security concerns, many websites are still running over a plain HTTP protocol for their own reasons. For example, some of them are doing so because they don’t ask for confidential or sensitive information from their visitors.
Here is a list of some websites that use HTTP (or don’t automatically redirect to HTTPS):
- University of Washington (http://www.washington.edu)
- The Go Network / Disney (http://go.com)
- Baidu (http://www.baidu.com)
- Boston University (http://www.bu.edu)
- Internet FAQ Archives (http://www.faqs.org)
- Wikidot (http://www.wikidot.com)
- Apache OpenOffice (http://www.openoffice.org)
- Shipping China (http://en.shippingchina.com)
- Example Domain (http://www.example.com)
* By the time you read this post, some of the mentioned websites may have migrated to HTTPS. For more examples, refer to this list.
10. Why Do Some Websites Still Use HTTP?
With the higher levels of security and advantages of using HTTPS at no cost, there is no real reason why websites keep using plain HTTP.
Here we identify some reasons why some websites are still using HTTP:
- The website doesn’t have or ask for private information from its visitors.
- The website started on HTTP and has been abandoned or no longer maintained.
- HTTPS is installed, but the website team hasn’t finished migrating all HTTP pages to HTTPS.
- The website is intentionally kept on HTTP, such as the first website and Example.com.
11. How Do I Secure an HTTP Site?
The main problem with the HTTP protocol is that its data is not encrypted.
If you are a visitor to an HTTP website, you can’t do anything to protect your connection and interactions with it. The only thing you can do is strictly avoid submitting personal or sensitive information to the website.
Securing an HTTP website is the responsibility of the website owner, and can be easily done with HTTPS.
Using HTTPS is the only possible and right way to address the security issues of HTTP requests.
With HTTPS, even if the connection is intercepted by third parties, attackers won’t be able to read, steal, or alter any information. This is because HTTPS data is encrypted with strong ciphers in transit and its integrity is verified when received by the web server.
Thanks to free SSL/TLS certificate providers, getting HTTPS is nowadays much easier and can be totally free. We have prepared a list of providers of free HTTPS certificates; please refer to that article for more details.
Free SSL Certificates: Alternatives to Let’s Encrypt [Compared]
Having an HTTPS certificate is the first thing website owners should consider for their websites. It is of paramount importance to secure visitors’ data and protect their privacy. HTTPS also helps establish trust and authority for the website and its content.
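Installing a certificate is only the first step; the migration described in this section is complete when plain-HTTP requests are permanently redirected to the same host over https:// and the HTTPS response tells browsers to stay on HTTPS (Strict-Transport-Security, HSTS). The following added example (not code from the article) checks both conditions on constructed responses, showing the weak configuration beside the corrected one; nothing is fetched from the network, and the one-year HSTS minimum is this example's assumption.

```python
"""Check whether an HTTP site's move to HTTPS is complete: a plain-HTTP
request must get a permanent redirect to the same host over https://, and
the HTTPS response should carry Strict-Transport-Security (HSTS).

Added example for this article, not code from the original page. The
responses below are constructed; nothing is fetched from the network, and
the one-year HSTS minimum is this example's assumption.
"""
from urllib.parse import urlsplit

ONE_YEAR = 31536000


def check_http_redirect(request_url: str, status: int, headers: dict) -> list:
    """Return findings for the response that a plain http:// request got.
    An empty list means the redirect is set up correctly."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    findings = []
    if status not in (301, 308):
        findings.append(f"expected a permanent redirect (301/308), got {status}")
        if status == 200:
            findings.append("page served over plain HTTP; the redirect is missing")
        return findings
    location = hdrs.get("location")
    if location is None:
        return findings + ["redirect has no Location header"]
    src, dst = urlsplit(request_url), urlsplit(location)
    if dst.scheme != "https":
        findings.append(f"redirect target is not https: {location}")
    if dst.hostname != src.hostname:
        findings.append(f"redirect leaves the host: {src.hostname} -> {dst.hostname}")
    if dst.path != src.path:
        findings.append("redirect drops the requested path; deep links will break")
    return findings


def check_hsts(headers: dict, min_age: int = ONE_YEAR) -> list:
    """Validate Strict-Transport-Security on the HTTPS response. Without it,
    a user who types the bare hostname still starts on http:// next time."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    value = hdrs.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header"]
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        directives[name.lower()] = val.strip('" ')
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["HSTS header has no valid max-age"]
    findings = []
    if max_age < min_age:
        findings.append(f"HSTS max-age {max_age} is shorter than {min_age}")
    if "includesubdomains" not in directives:
        findings.append("HSTS does not cover subdomains")
    return findings


# Constructed responses: the weak configuration beside the corrected one.
REQUEST_URL = "http://www.example.com/login"
WEAK_HTTP = (200, {"Content-Type": "text/html"})    # page served in the clear
FIXED_HTTP = (301, {"Location": "https://www.example.com/login"})
WEAK_HTTPS = {"Content-Type": "text/html"}          # no HSTS at all
FIXED_HTTPS = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains"}

if __name__ == "__main__":
    for label, (status, hdrs) in (("weak", WEAK_HTTP), ("fixed", FIXED_HTTP)):
        print(label, "http redirect:", check_http_redirect(REQUEST_URL, status, hdrs) or "ok")
    for label, hdrs in (("weak", WEAK_HTTPS), ("fixed", FIXED_HTTPS)):
        print(label, "hsts:", check_hsts(hdrs) or "ok")
```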
HTTP is the protocol that controls the connections between systems on the internet. It defines how two parties should speak to each other and how messages between them are structured.
In this article, we have discussed the security concerns of HTTP websites and what can be done to avoid losing any sensitive information when visiting them.
To sum up:
- HTTP is the communication protocol between web servers and clients.
- HTTPS is more secure than HTTP.
- The HTTP protocol is not encrypted; its data is sent in plain text.
- HTTP is not secure and was not designed with security in mind.
- The problem is not HTTP itself, but that HTTP data is not encrypted.
- HTTP is safe if we don’t submit private information.
- Both HTTP and HTTPS websites can be hacked.
- There are some websites still using HTTP.
Frequently Asked Questions
Is it safe to visit a site without HTTPS?
Without HTTPS, any data passed is insecure. This is especially important for sites where sensitive data is passed across the connection, such as eCommerce sites that accept online card payments, or login areas that require users to enter their credentials.
Is it OK to visit HTTP sites?
The answer is, it depends. If you are just browsing the web, looking at cat memes and dreaming about that $200 cable knit sweater, HTTP is fine. However, if you're logging into your bank or entering credit card information on a payment page, it's imperative that the URL is HTTPS. Otherwise, your sensitive data is at risk.
How can I check to see if a website is safe?
In Chrome, open a web page. To check a site's security, look at the security status symbol to the left of the web address: Secure, Info, or Not secure.
What are the dangers of HTTP?
Personal information leakage: HTTP clients are often privy to a large amount of personal information such as the user's name, location, mail address, passwords, encryption keys, etc. So you should be very careful to prevent unintentional leakage of this information via the HTTP protocol to other sources. You should always protect all of your websites with HTTPS, even if they don't handle sensitive communications.
Am I 100% safe using an HTTPS URL?
HTTPS stands for Hyper Text Transfer Protocol Secure and uses an SSL security certificate. This certificate encrypts the communication between the website and its visitors. This means that the information you enter on the website is processed securely, so that cyber criminals cannot intercept the data.
Can HTTP get hacked?
An HTTP connection is vulnerable to attackers who can modify, monitor, and mimic it. On the other hand, an HTTPS connection uses encryption such as Transport Layer Security (TLS)/Secure Sockets Layer (SSL) to give an edge of protection to all your web business.
What can hackers do with HTTP?
When you log in using an HTTP website, the hacker can see your login and password. Knowing that 52% of people reuse their password, this means that the hacker not only has access to the small forum site that uses HTTP but also your email, social media, or even bank account.
Is HTTP safer than HTTPS?
While HTTP is a protocol that enables data transmission via the world wide web, HTTPS is essentially a more secure version. The most important difference between the two is that HTTPS uses SSL/TLS to encrypt connections between web browsers and servers.
Should I forward to HTTP or HTTPS?
Security is a direction, not a destination. Sure, it's good to get people to use HTTPS. So redirecting from HTTP to HTTPS is more secure than keeping users on HTTP without redirection. You could go another step further still, and completely shut off your HTTP (non-TLS) server.
Can hackers see HTTPS?
They can see that you regularly visit https://www.reddit.com, for example, but they won't see that you spend most of your time at https://www.reddit.com/r/CatGifs/. But while HTTPS does guarantee that your communication is private and encrypted, it doesn't guarantee that the site won't try to scam you.
What are unsafe URLs?
Unsafe domains are external links to websites that could contain phishing, malware, or unwanted software. Phishing: imitation of another website, designed to trick users into sharing personal or financial information.
Why is HTTP not secure?
When you load a website over plain HTTP, your connection to the site is not encrypted. This means anyone on the network can look at any information going back and forth, or even modify the contents of the site before it gets to you. The HTTP protocol is not a secure protocol as it does not include SSL (Secure Sockets Layer), which means that the data can be stolen when it is transmitted from the client to the server.
What are the first signs of being hacked?
Some of the warning signs that you've been hacked include: you receive emails or text messages about login attempts, password resets, or two-factor authentication (2FA) codes that you didn't request; you see logins from devices and locations you don't recognize in your account activity or sign-in logs.
Can you get a virus from an HTTP website?
Yes, you can get a virus just from visiting a website. These days, it's very easy to be overconfident in our ability to avoid computer viruses.
Can your phone get hacked just by visiting a website?
The hackers don't steal your phone and physically download malware; they don't need to. Instead, they have planted viruses on websites designed to infect smartphones. Then they get people to click on a link from their phones, which takes them to the website and the malware link. It's as simple as that.
Websites that offer pirated content or software downloads, for example, are more likely to host viruses. Viruses can also be spread through email attachments, social media links, and ads. As a result, it's important to be careful when visiting unknown websites and to only download files from trusted sources.
What are 2 things that let you know a website might be suspicious or untrustworthy?
They may appear legitimate, but spelling and grammar errors will give them away. Malicious redirects: if you type in a URL and are redirected to another site, especially one that looks suspicious, you have been affected by a malicious redirect.
HTTPS Everywhere is a best-practice security measure for websites that ensures the entire user experience is safe from online threats. The term simply refers to using HTTPS, the secure web protocol enabled by SSL/TLS, across your entire website instead of selectively.
What is a website without HTTPS?
This indicates the web page is not providing a secure connection to visitors. When your browser connects to a website, it can either use the secure HTTPS or the insecure HTTP protocol. If a site's URL begins with HTTP, it means the connection is insecure, which triggers the “Not Secure” warning.
Is HTTPS Everywhere still necessary?
Romanian software developer Alex Nedelcu said: “Interestingly there are still people thinking HTTPS isn't needed for all websites, but they are wrong. TLS/SSL connections aren't useful just for protecting what the user sends, but also for signing what the server sends.”
Why should you only visit websites with HTTPS?
HTTPS is more secure, for both users and website owners. With HTTPS, data is encrypted in transit in both directions: going to and coming from the origin server. The protocol keeps communications secure so that malicious parties can't observe what data is being sent.
Do I need a VPN if I have HTTPS?
The bottom line is that, although VPN and HTTPS can protect your data through encryption, they shouldn't be regarded as exclusive. In other words, not only is it good to combine HTTPS and VPN for increased privacy protection, but it's also recommended that you do so, especially on public, insecure networks.
Can a virus be on an HTTPS site?
HTTPS is increasingly being used as a vehicle for malware to spread across the net. While your information may be secure while it is transmitted, the website you're visiting could still accidentally slip malware to your computer, or host it on its own servers, harvesting your information or installing a virus.
What does HTTPS not protect against?
While HTTPS encrypts the entire HTTP request and response, the DNS resolution and connection setup can reveal other information, such as the full domain or subdomain and the originating IP address.