The Cryptographic Imperative: HTTPS vs HTTP

HTTP stands for Hypertext Transfer Protocol; HTTPS stands for Hypertext Transfer Protocol Secure. In the OSI model, traditional HTTP operates at the Application Layer and transmits data in plaintext. This exposes the payload to man-in-the-middle (MitM) attacks via packet sniffing or ARP spoofing.

The TLS Handshake

HTTPS (HTTP over TLS) encapsulates the session within an encrypted tunnel. The process involves:

"Without TLS, your Set-Cookie headers are essentially public broadcasts."
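
The quote above can be turned into a check. The following is an added example, not code from the original page: it parses Set-Cookie values from a response and reports which cookies an on-path observer could read, either because the response itself travelled over HTTP or because the cookie lacks the Secure attribute. The host name, cookie values and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

REASON_HTTP = "Set-Cookie header itself crossed the network in plaintext"
REASON_NO_SECURE = "no Secure attribute, so the browser also sends it over http://"

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, set of lowercased attribute names)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def exposed_cookies(url, set_cookie_values):
    """Map cookie name -> reason an on-path observer can read that cookie."""
    over_tls = urlsplit(url).scheme.lower() == "https"
    exposed = {}
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        if not over_tls:
            exposed[name] = REASON_HTTP          # Secure flag cannot help here
        elif "secure" not in attrs:
            exposed[name] = REASON_NO_SECURE
    return exposed

# Constructed sample responses (hypothetical host, not captured traffic).
SAMPLES = [
    ("http://shop.example/login", ["session=abc123; Path=/; HttpOnly"]),
    ("https://shop.example/login", ["session=abc123; Path=/; HttpOnly",
                                    "csrf=tok456; Secure; SameSite=Strict"]),
]

if __name__ == "__main__":
    for url, cookies in SAMPLES:
        print(url, exposed_cookies(url, cookies) or "no cookie exposed")
```

Only the csrf cookie in the second sample stays confined to TLS; HttpOnly on the session cookie restricts script access but does nothing for transport confidentiality.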

Integrity & Authenticity

Beyond encryption, HTTPS provides server authentication. By validating the server's SSL/TLS certificate chain against trusted root Certificate Authorities (CAs), the browser confirms the server is who it claims to be, which prevents redirection to an impostor server through DNS hijacking.