What is HTTP and HTTPS
HTTP stands for Hypertext Transfer Protocol. At its most basic, it allows communication between different systems. It is most commonly used to transfer data from a web server to a browser so that users can view web pages, and it was the protocol used by basically all early websites. HTTPS stands for Hypertext Transfer Protocol Secure. The problem with plain HTTP is that the information flowing between server and browser is not encrypted, which means anyone who can observe the traffic can read it, so it can be easily stolen.
How vulnerable HTTP is
I will show you how vulnerable HTTP is in the lab below:
First, I logged on to a BBS that does not encrypt its traffic:
Open Wireshark and capture the traffic to see which address the browser uses for this connection.
We can see that the browser used the address 22.214.171.124, so we only need to focus on the connection between the local PC and this site. Click in the text field after Filter and type "ip.addr==126.96.36.199".
The first few lines show the TCP three-way handshake.
We can see the connection establishment request (SYN) in lines 1-6. (Why are there six requests?) Step 2, [SYN, ACK], acknowledges the first step and synchronizes the connection parameters. Step 3 acknowledges that both sides agree to establish the connection.
A password sent over HTTP travels as plain text, so you can easily find it by looking for the POST request in the Info column. Then expand "HTML Form URL Encoded: application/x-www-form-urlencoded", which lists the form items. The username and password are among them.
And you can see that the username and password are all in plaintext!
Beyond security, HTTPS brings other benefits:
- On top of security, Google itself has confirmed that HTTPS websites get a boost in search ranking. So a company like Melbourne City IT always recommends that you deploy your website with HTTPS, and migrate to it if you have not.
- Most browsers support HTTPS, which provides an enhancement over the old HTTP version of websites. When HTTPS is enabled, online users will experience faster browsing speed.
To secure your website and protect your customers' information, the best practice is to migrate to HTTPS. Contact "Melbourne City IT" to discuss the most cost-effective solution for your website security!