To understand that, we must first understand how data communication happens over the web. At its most basic level, the web consists of the following components:
The client is usually the web browser (e.g. Chrome, Firefox), a piece of software which allows us to interact with or browse the web. It’s usually installed on the user’s device.
An internet connection is what allows the user to connect to the internet, to access the content of the web or to reach any one of the 1,766,926,408 websites available on the World Wide Web. It is provided by Internet Service Providers (ISPs).
A web server is a device or program which hosts a website, allowing sharing of resources, computation, etc.
When a user enters the domain name of the website they want to visit (for example, wordpress.com) in the client (web browser), the web browser sends a request to the domain name server (DNS), which converts the domain name of the website into the IP address of the computer that hosts that particular website. Having the IP address, the client then forwards the request to the host itself, which returns the webpage.
A protocol is a rule that standardises communication between two systems. Hypertext Transfer Protocol, or HTTP, is the underlying protocol of the World Wide Web. It defines how messages (the requests and responses) must be transmitted across the web, and it specifies how servers and clients must respond to the various requests they receive. Roughly, HTTP can be understood as the language in which clients and servers interact. But what does HTTP say about securing transmission? If it is a common language, won’t anyone on the connection know who’s saying what?
The solution to this problem is HTTPS, with the S standing for Secure. This is the secure version of HTTP, as any data transmitted over HTTPS is encrypted. Encryption means that the sender and receiver have agreed upon a particular codeword, without which any intercepted data would make no sense. There are various encryption techniques, such as using a key or rearranging the data into a string of seemingly random characters that can be put back in order only by someone who knows the logic behind the arrangement or the codeword. This ensures that even if the connection is compromised, the data transmitted is not.
To achieve this encryption, HTTPS uses a security protocol known as SSL (Secure Sockets Layer). The client and server use a document called the SSL certificate, which is basically a string of characters. It acts as the key to the encryption technique being used. Thus, when an HTTPS connection is requested, the website first sends an SSL certificate to the client. The client uses the public key on the SSL certificate to initiate a reliable and secure connection.
Although HTTPS is a secure connection, it is not always required. HTTP does not mean the website is insecure, only that the data transmitted can be read by anyone on the connection. That is, if a user is simply browsing the web or reading a blog, HTTP is enough. But when passwords and other sensitive information are to be entered, HTTPS is the way to go.