Is HTTP Secure? and Is It Really Safe to Visit HTTP Sites?

HTTP is the primary instrument for navigating the internet: it manages the connection between web browsers and the websites they visit. The HTTP protocol is based on a sequence of request-response messages, where the request carries our data and the response brings back the website content.

The data transmitted in HTTP messages is fundamental for websites to function properly. Some of it just describes the request, such as the requested URL, while other data, like passwords and credit card details, is highly sensitive yet still necessary to confirm the visitor’s identity or make an online payment. Accordingly, the security of web transactions is crucial to protect every kind of transmitted information.

The HTTP protocol is insecure because HTTP requests are not encrypted. In fact, HTTP was not originally designed to be secure, yet we can still browse HTTP websites safely with some caution!

This article discusses the security concerns of the HTTP protocol: why it is not totally secure, how safe it is, and what the threats of visiting HTTP websites are.

Nonetheless, before digging deeper into these questions, we first need to understand briefly how the HTTP protocol works and how it differs from HTTPS.

1. What is HTTP and How Does it Work?

HTTP or the Hypertext Transfer Protocol is a communication protocol that is used to serve data and files over the internet.

HTTP is the foundation of data communication for the internet. It is responsible for establishing the connection between web servers and clients (usually web browsers), and then transmitting webpages and online documents to netizens.

The HTTP protocol appears as the scheme prefix of the website URL in the web browser, in the form http://www.example.com. Some browsers don’t display it, as it is the default protocol when visiting websites.

There are multiple versions of HTTP protocol, for example, we have HTTP/1.1, HTTP/2, and HTTP/3. Each version provides better performance and a more advanced structure than its predecessors.

How does HTTP protocol work?

HTTP follows a pretty simple model:

When the user makes a request (e.g. visits a website or clicks on a link), the browser opens an HTTP connection to the targeted website server, sends the request, waits for the web server to respond, and then brings the response back to the user.

This request-response message results in a webpage being displayed or a media element being loaded.

Moreover, HTTP is a stateless protocol. This means web servers do not retain the user’s session or hold any data between requests. Instead, each request is processed separately, and the browser sends the relevant information with each request so that the web server can identify the session.

Thus, we can simply understand HTTP as a sequence of separate request-response messages between a user and a web server, where each request is identified by the requested URL, its parameters, and its data.

Accordingly, an HTTP exchange combines two main parts: the HTTP request and the HTTP response:

  • HTTP Request: the message initiated by the client, usually a web browser, which contains details of the online resource, such as the requested URL and sender information.
  • HTTP Response: the message initiated by the web server, which contains the requested resource, such as the webpage HTML file or online document.
[Figure: How the HTTP protocol works]

2. HTTP or HTTPS: Which is More Secure?

The HTTP protocol was created to carry data between servers and clients in both directions. Some of these data chunks are too sensitive to be leaked, as they may contain personal information, passwords, and credit card details.

This prompted the creation of HTTPS, which is an extension of HTTP protocol with the added “S” referring to “Secure”. HTTPS utilizes data encryption methods to ensure secure communications between the server and the client.

[Figure: Browsing a website with the secure HTTPS connection]

HTTPS depends on another cryptographic protocol called TLS (Transport Layer Security) to protect both the privacy and integrity of exchanged data while in transit. Therefore, it is also called “HTTP over TLS” or “HTTP over SSL”.

By adding an encryption layer, HTTPS is far more secure than HTTP. Nowadays it is used more often than the original HTTP protocol, by more than 79% of websites.

The main goal of HTTPS is to protect website authenticity, secure user accounts, and keep user communications with the internet private. Its authentication mechanism works in a pretty similar way to well-known digital signatures.

3. Is HTTP Encrypted?

The main task of HTTP protocol is to provide rules to transmit data between systems. It controls how two systems identify each other, and how the messages between them are handled.

In terms of the data being exchanged, each version of HTTP protocol imposes a specific structure for both request and response messages. This structure tells how the request is built and what fields need to be provided.

The regular HTTP protocol is not encrypted. This means all the information the visitor submits to HTTP websites is sent over the internet in a human-readable plain-text format.

To show this in action, we installed the network monitoring tool Wireshark and used it to inspect HTTP requests.

Using the API testing tool Postman, we submitted a test username and password to an HTTP website and monitored our network traffic.

The following snapshot shows what the HTTP request looks like in Wireshark. As we can see, all fields are unencrypted, and anyone who has access to the network can easily read them.

[Figure: Unencrypted HTTP request example in Wireshark]

On the other side, HTTPS is designed to add an encryption layer on top of HTTP to make it difficult to expose the user’s data and information.

To verify this as well, we re-submitted the same credentials to the website, but this time over HTTPS. The following snapshot shows how the (encrypted) data appears in HTTPS requests.

[Figure: Encrypted HTTPS request example in Wireshark]
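As an added example (not part of the original article), here is a small Python script that parses a raw HTTP/1.1 request into the request line, headers, and body described in section 1, the way a network monitor sees it on the wire, and flags credentials that are readable in clear text. This is the kind of check a defender runs over a capture to find applications that still authenticate over plain HTTP. The request bytes, the host www.example.com, and the user alice are constructed for the demo.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample: a login form POST as captured on a plain-HTTP connection.
CAPTURED_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n"
    b"Content-Length: 31\r\n"
    b"\r\n"
    b"username=alice&password=hunter2"
)

def parse_request(raw):
    """Split a request into its parts: request line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}

SENSITIVE_FIELDS = ("password", "passwd", "pwd", "token", "card", "cvv")

def find_cleartext_credentials(raw):
    """Return findings for credentials readable in the captured request."""
    req = parse_request(raw)
    findings = []
    auth = req["headers"].get("authorization", "")
    if auth.lower().startswith("basic "):
        # Basic auth is only base64-encoded, not encrypted: trivially reversible.
        user = base64.b64decode(auth.split(" ", 1)[1]).split(b":")[0]
        findings.append(f"Basic auth credentials for user {user.decode()!r}")
    ctype = req["headers"].get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        for field in parse_qs(req["body"].decode()):
            if any(s in field.lower() for s in SENSITIVE_FIELDS):
                findings.append(f"form field {field!r} sent in clear text")
    return findings

if __name__ == "__main__":
    for finding in find_cleartext_credentials(CAPTURED_REQUEST):
        print("WARNING:", finding)
```

Over HTTPS the same bytes are inside TLS records, so a monitor in the same position sees only ciphertext and this check finds nothing.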

4. Is HTTP Secure?

Essentially, HTTP is a communication protocol. It is not meant to provide any type of security or protection for the data being transmitted.

No HTTP version includes any sort of data encryption in its formal spec. Thus, HTTP requests and responses are sent in plain text, and anyone who can see the traffic can read them.

The HTTP protocol itself is not secure, and it was not designed with security in mind! So if the network is insecure or compromised, all HTTP communications between the client and the web server may be leaked.

The key issue here is not the message format itself but the fact that HTTP data is not encrypted, so the information being sent can be intercepted and stolen by hackers.

[Figure: Browsing a website with the insecure HTTP connection]

Accordingly, on an insecure internet connection, anyone who manages to get access to HTTP requests can easily read and modify the data in transit.

With that in mind, HTTP is insecure because the compromised data may include every single piece of information being transmitted: from personal information like names, addresses, and contact numbers, to highly sensitive financial records such as bank accounts and credit card details.

5. Why is HTTP Not Secure?

HTTP is not secure primarily because of the following three problems:

5.1. HTTP data can be stolen

As HTTP data is sent in plain text, attackers can easily read the message content and later reuse it for other purposes on behalf of the sender.

For example, you may find yourself being sued for illegal online activities that you have no idea about.

This can happen because someone accessed your personal information or passwords and then used your identity to carry out suspicious activities.

This issue becomes especially serious given that more than 50% of users tend to reuse their credentials on multiple online services, which gives attackers better opportunities to profit from the stolen records.

[Figure: HTTP data not encrypted problem]

5.2. HTTP connection lacks data integrity

As HTTP requests are sent unencrypted, hackers are able to alter the message without the web server or client having any means to detect the modification.

For example, when processing an online money transfer, you approve a payment of $10 for a specific item. But due to an intervention by an attacker, you find yourself losing $1K from your bank account!

This is simply because someone secretly intercepted your request and modified the amount and the destination account.

Likewise, HTTP responses can be compromised as well, since attackers can inject malicious code into the retrieved web pages. This code may show ads, consume your PC’s resources, or try to exploit vulnerabilities in your browser or operating system.

In all cases, HTTP doesn’t ensure the integrity of the messages, so neither you nor the visited website is able to know whether the request or response has been changed.

[Figure: HTTP request data integrity problem]
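The $10-to-$1K scenario above, as an added example that is not part of the original article: a plain-HTTP receiver has nothing to check, whereas the integrity tag that TLS attaches to every record lets the receiver reject a modified body. The HMAC and the shared key are stand-ins for the TLS record protection (TLS derives the key during the handshake and, in TLS 1.3, uses AEAD ciphers), but the tamper-detection principle is the same. The form bodies and the key are constructed for the demo.

```python
import hmac
import hashlib

# Constructed sample: a payment form body as sent over plain HTTP.
ORIGINAL_BODY = b"amount=10&currency=USD&to_account=1234567890"
# The same body after an on-path attacker edits it in transit.
TAMPERED_BODY = b"amount=1000&currency=USD&to_account=9999999999"

def http_receiver_accepts(body):
    """A plain-HTTP server cannot tell the two bodies apart: any well-formed
    form body is accepted as the client's genuine request."""
    return all(b"=" in pair for pair in body.split(b"&"))

def protect(body, key):
    """Sender side: attach an integrity tag (stand-in for the TLS record MAC)."""
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body, tag

def tls_style_receiver_accepts(body, tag, key):
    """Receiver side: recompute the tag over what arrived and compare it in
    constant time. Any change to the body changes the expected tag."""
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

def demo():
    """Run both receivers against the original and the tampered body."""
    key = b"constructed-session-key-for-demo-only"
    body, tag = protect(ORIGINAL_BODY, key)
    return {
        "http_accepts_original": http_receiver_accepts(ORIGINAL_BODY),
        "http_accepts_tampered": http_receiver_accepts(TAMPERED_BODY),
        "tls_accepts_original": tls_style_receiver_accepts(body, tag, key),
        # The attacker cannot produce a valid tag without the key.
        "tls_accepts_tampered": tls_style_receiver_accepts(TAMPERED_BODY, tag, key),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```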

5.3. HTTP requests lack server authentication

With their access to the plain-text URL, attackers can alter the targeted URL in the request and redirect it to a different destination, so you don’t know whether your request actually reaches the original web server.

As a result, you may end up sending your personal information or authentication credentials to a totally different website.

This is because no HTTP version has any method to confirm the identity of the web server that is supposed to receive the user’s request.

[Figure: HTTP server authentication problem]

6. Is HTTP Safe?

As we discussed earlier, HTTP is not secure because it does not encrypt the data in transit. Does this necessarily mean the protocol is also NOT SAFE?

Not really: whether HTTP is safe or not depends on what types of information we are sending over it.

The HTTP protocol remains safe as long as we are not submitting any sensitive data when browsing websites that run on it.

Most modern browsers do notify us when visiting an HTTP webpage, with a warning such as:

“You should not enter any sensitive information on this site (for example, passwords or credit cards), because it could be stolen by attackers” (Google Chrome, Microsoft Edge, and Opera)

or

“Your connection to this site is not private. Information you submit could be viewed by others (like passwords, messages, credit cards, etc.).” (Mozilla Firefox)

That being said, HTTP is usually SAFE when:

We are just visiting the website: navigating through its pages, reading its content, and browsing its products, images, and other media assets.

Keep in mind that even in this case, attackers are still able to inject malicious code into the response itself.

On the other hand, HTTP is NOT SAFE when:

We are going to register/log in to the website, buy products from it, or interact with its forms by typing private information such as passwords, addresses, telephone numbers, bank accounts, and credit card details.

7. Threats of Using HTTP

The plain, unencrypted HTTP protocol contains little or no built-in security. Even if your local network is secure, the data could still be captured at other points the request passes through on its way to its destination, such as the ISP (Internet Service Provider) in your country or in other countries on the route to the requested website.

Here are some of the known threats of accessing a website using plain HTTP protocol:

Man-in-the-Middle Attack (MITM): one of the most popular cyber-attacks on the web. Here the attacker manages to secretly access the communications between two systems. For example, they illegally place themselves between the user’s browser and the website server, then intercept the traveling information to steal the transmitted data or alter it.

Eavesdropping Attack: also known as sniffing or snooping, this is a passive MITM attack where attackers secretly listen to private communications between two parties. It aims at gathering information without actively entering the network and altering the transmitted data.

Parameter Tampering Attack: a web-based cyber-attack that aims at changing the parameters exchanged between the server and the client. Manipulated parameters might include user credentials or permissions, or other transactional details such as a product’s quantity, type, or price.

We have developed a comprehensive guide to the threats that may occur when visiting an insecure website. We highly recommend referring to this article for more details.

Related article: Threats May Happen When Visiting Unsecure Website [Explained]

Many people think they are safe as long as they don’t download anything from the internet. This is unfortunately NOT TRUE. Although most attacks start once the user accidentally or unknowingly takes an action, some of them can secretly take place without the online visitor’s knowledge or consent.

8. Can HTTP Websites Be Hacked?

The aim of the HTTP protocol is to orchestrate the communications between web servers and clients. It doesn’t provide any means to protect the website that runs over it.

Even with the encryption layer added by the HTTPS extension, there is still nothing that prevents attacks on the web servers themselves.

Both HTTP and HTTPS websites can be hacked if defensive measures are not properly applied. These protocols don’t play any role in this regard.

In addition, the security measures HTTPS provides protect users’ data against interception in transit, not the website itself or its hosting servers.

9. HTTP Websites List

According to a survey by W3Techs, almost 80% of websites do use HTTPS. This means that the remaining 20% are still using the original HTTP protocol.

That said, despite its security concerns, many websites are still running over plain HTTP for their own reasons. For example, some of them do so because they don’t ask their visitors for confidential or sensitive information.

Here is a list of some websites that use HTTP (or don’t automatically redirect to HTTPS):

* By the time you reach this post, some of the mentioned websites might have migrated to HTTPS. For more examples, refer to this list.

10. Why Do Some Websites Still Use HTTP?

Given the higher levels of security and the advantages of HTTPS, available at no cost, there is no real reason for websites to keep using plain HTTP.

Here we identify some reasons why some websites are still using HTTP:

  1. The website doesn’t have or ask for private information from its visitors.
  2. The website started on HTTP and has been abandoned or no longer maintained.
  3. HTTPS is installed, but the website team hasn’t finished migrating all HTTP pages to HTTPS.
  4. The website is just meant to run on HTTP, such as the first website and Example.com.
[Figure: HTTP-based Example.com domain]

11. How Do I Secure an HTTP Site?

The main problem with HTTP protocol is that its data is not encrypted.

If you are a visitor to an HTTP website, you can’t do anything to protect your connection and interactions with the website. The only thing you can do is strictly avoid submitting personal or sensitive information to it.

Securing an HTTP website is the responsibility of the website owner, and can be easily done with HTTPS.

Using HTTPS is the only possible and right way to address the security issues of HTTP requests.

With HTTPS, even if the connection is intercepted by third parties, attackers won’t be able to read, steal, or alter any information. This is because HTTPS data is encrypted by TLS and carries a cryptographic integrity check, so any modification is detected when the data is received.

Thanks to free SSL/TLS certificate providers, having HTTPS nowadays is much easier and can be totally free. We have prepared a list of available providers of free HTTPS certificates. Please refer to this article for more details.

Related article: Free SSL Certificates: Alternatives to Let’s Encrypt [Compared]

Having an HTTPS certificate is the first thing website owners should consider for their websites. It is of paramount importance for securing visitors’ data and protecting their privacy. HTTPS is also an effective factor in proving trust and authority for the website and its content.
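As an added example, not from the article or any linked guide, here is a Python check a site owner can run against the two responses that a correctly secured site must give once the certificate is installed: the plain-HTTP answer must redirect permanently to HTTPS, and the HTTPS answer must carry an HSTS header so that browsers stop using HTTP for the site at all. The two responses and the host www.example.com are constructed; the one-year max-age threshold is the value commonly required by browser HSTS preload lists.

```python
import re

# Constructed: what http://www.example.com/ should answer.
HTTP_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://www.example.com/\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# Constructed: what https://www.example.com/ should answer.
HTTPS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html>ok</html>"
)
ONE_YEAR = 31536000  # max-age (seconds) commonly required for HSTS preload

def parse_response(raw):
    """Return (status code, lower-cased header dict) from a raw response."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1").split("\r\n")
    status = int(head[0].split(" ", 2)[1])
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def check_http_redirect(raw, host):
    """Problems with the plain-HTTP answer: it must permanently redirect
    to HTTPS on the same host, before any page content is served."""
    status, headers = parse_response(raw)
    problems = []
    if status not in (301, 308):
        problems.append(f"expected permanent redirect, got {status}")
    location = headers.get("location", "")
    if not location.startswith(f"https://{host}/"):
        problems.append(f"Location does not point at https://{host}/: {location!r}")
    return problems

def check_hsts(raw):
    """Problems with the HTTPS answer. Browsers ignore HSTS received over
    plain HTTP, so the header must be checked on the HTTPS response."""
    _, headers = parse_response(raw)
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return ["no Strict-Transport-Security header"]
    m = re.search(r"max-age=(\d+)", hsts)
    if not m or int(m.group(1)) < ONE_YEAR:
        return [f"HSTS max-age below one year: {hsts!r}"]
    return []
```

An empty list from both checks means the site no longer serves any page over plain HTTP and returning visitors will not even send the first request unencrypted.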

Conclusion

HTTP is the protocol that controls the connections between systems on the internet. It defines how two parties should speak to each other and how messages between them are structured.

In this article, we have discussed the security concerns of HTTP websites and what can be done to avoid losing any sensitive information when visiting them.

To sum up:

  • HTTP is the communication protocol between web servers and clients.
  • HTTPS is more secure than HTTP.
  • The HTTP protocol is not encrypted; its data is represented in plain text.
  • HTTP is not secure and was not designed with security in mind.
  • The problem is not HTTP itself, but that HTTP data is not encrypted.
  • HTTP is safe if we don’t submit private information.
  • Both HTTP and HTTPS websites can be hacked.
  • There are some websites still using HTTP.
