HTTP, the protocol that prescribes the order and syntax of the data exchanged between a web browser and a website, has seen substantial semantic changes between versions (HTTP/1.0 vs HTTP/1.1). Its encrypted form, HTTPS, is more of a technical change, designed to secure the data while it is in transit.
How does HTTP Security work
Authentication
HTTP authentication provides access control to pages and API resources: the client sends its credentials in the Authorization request header. For example, to retrieve JSON data from a REST API endpoint, the client sends a GET request with a Bearer token in the Authorization header.
Bearer authentication is among the most widely used schemes; the others include:
- Basic authentication, which sends Base64-encoded (not encrypted) credentials and is therefore less secure;
- Digest authentication, which uses MD5 cryptographic hashing;
- HOBA (HTTP Origin-Bound Authentication), which is based on digital signatures;
- Mutual authentication, in which the two parties authenticate each other at the same time.
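As an added example (not code from the original article), the following Go program shows the server side of what the text describes: a protected REST endpoint that reads the Authorization header and accepts either a Bearer token or Basic credentials, answering 401 with a WWW-Authenticate challenge otherwise. The token store, the user store, the hostname api.example.test and every credential value are constructed for the demonstration.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed credential stores for this example; a real service would
// consult its own token store and user database instead.
var (
	validTokens = map[string]string{"tok_7f3a9c1d": "alice"}      // bearer token -> principal
	basicUsers  = map[string]string{"bob": "correct horse battery"} // username -> password
)

// AuthResult names the authenticated principal and the scheme that was used.
type AuthResult struct {
	Scheme    string
	Principal string
}

// Authenticate reads the Authorization header and accepts either
// "Bearer <token>" or "Basic <base64(user:password)>". Any missing,
// malformed or rejected credential yields an error and no principal.
func Authenticate(r *http.Request) (AuthResult, error) {
	hdr := r.Header.Get("Authorization")
	if hdr == "" {
		return AuthResult{}, fmt.Errorf("missing Authorization header")
	}
	scheme, creds, ok := strings.Cut(hdr, " ")
	creds = strings.TrimSpace(creds)
	if !ok || creds == "" {
		return AuthResult{}, fmt.Errorf("malformed Authorization header")
	}
	switch strings.ToLower(scheme) { // auth-scheme names are case-insensitive
	case "bearer":
		// Constant-time comparison: response timing must not reveal how many
		// leading bytes of a guessed token were correct.
		for tok, who := range validTokens {
			if subtle.ConstantTimeCompare([]byte(tok), []byte(creds)) == 1 {
				return AuthResult{Scheme: "Bearer", Principal: who}, nil
			}
		}
		return AuthResult{}, fmt.Errorf("unknown bearer token")
	case "basic":
		raw, err := base64.StdEncoding.DecodeString(creds)
		if err != nil {
			return AuthResult{}, fmt.Errorf("Basic credentials are not valid base64")
		}
		user, pass, ok := strings.Cut(string(raw), ":")
		if !ok {
			return AuthResult{}, fmt.Errorf("Basic credentials lack the user:password separator")
		}
		want, known := basicUsers[user]
		// Compare even for unknown users so timing does not reveal which
		// usernames exist; one generic error message does the same for the body.
		match := subtle.ConstantTimeCompare([]byte(want), []byte(pass)) == 1
		if !known || !match {
			return AuthResult{}, fmt.Errorf("invalid username or password")
		}
		return AuthResult{Scheme: "Basic", Principal: user}, nil
	default:
		return AuthResult{}, fmt.Errorf("unsupported authentication scheme %q", scheme)
	}
}

// RequireAuth protects a handler. Rejected requests get 401 plus the
// WWW-Authenticate challenge that tells the client which schemes are accepted.
func RequireAuth(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		res, err := Authenticate(r)
		if err != nil {
			w.Header().Set("WWW-Authenticate", `Bearer realm="api", Basic realm="api", charset="UTF-8"`)
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusUnauthorized)
			fmt.Fprint(w, `{"error":"unauthorized"}`)
			return
		}
		w.Header().Set("X-Authenticated-As", res.Principal) // hypothetical header for the demo
		next(w, r)
	}
}

// listItems is the protected REST endpoint from the text: GET returns JSON.
func listItems(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprint(w, `{"items":["a","b"]}`)
}

// Serve runs one GET through the protected handler and returns the status code.
func Serve(authorization string) int {
	req := httptest.NewRequest(http.MethodGet, "https://api.example.test/v1/items", nil)
	if authorization != "" {
		req.Header.Set("Authorization", authorization)
	}
	rec := httptest.NewRecorder()
	RequireAuth(listItems)(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(Serve("Bearer tok_7f3a9c1d")) // 200
	fmt.Println(Serve("Bearer tok_wrong"))    // 401
	fmt.Println(Serve(""))                     // 401
}
```

Two details matter in practice: credentials are compared in constant time so the server's response latency does not leak partial matches, and all failures return the same 401 body so an unknown username and a wrong password are indistinguishable to the caller.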
HTTPS relies on a Certificate Authority (CA) to verify the identity of a particular server and to issue it a certificate. Root CA certificates are self-signed: their digital signature is generated with the private key that belongs to the certificate's own public key.
If the certificate is invalid, most browsers display a warning across the entire window and show the site's security information in the address bar. Older browsers in the same situation asked in a dialogue box whether the user wanted to continue.
Data protection
Servers and clients talk over a secure SSL connection that encrypts HTTP requests and responses on one side and decrypts them on the other. Over that connection the communicating parties use an agreed symmetric algorithm together with both kinds of keys, public and private, to protect the messages they exchange. The server's public key is used to encrypt the symmetric key so it can be sent to the server securely, and the server decrypts it with its private key.
HTTPS can fail
Wi-Fi networks remain insecure for HTTP traffic, and a website can be vulnerable to workarounds that make the browser send traffic meant for HTTPS over insecure HTTP instead, or that divert the route entirely.
The Heartbleed vulnerability affected half a million secure web servers. It was a failure in the software library that provides applications with cryptographic services. Most websites have since patched that bug.
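A server-side mitigation for the downgrade just described, added here as an example and not taken from the original article: Go middleware that sends every plaintext request to the HTTPS origin and marks every HTTPS response with HTTP Strict Transport Security (HSTS), a mechanism the article does not name but which exists for exactly this risk. Once a browser has seen the header over a genuine HTTPS connection it refuses to send http:// requests to that host for the stated period, so an attacker on the local network who answers a plaintext request or strips the redirect gets nothing to work with. The hostname www.example.test is constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// hstsValue tells the browser to keep using HTTPS for this host and its
// subdomains for two years after it has seen one genuine HTTPS response.
const hstsValue = "max-age=63072000; includeSubDomains"

// EnforceHTTPS is middleware. Plaintext requests never reach the application:
// they are redirected to the same URL over HTTPS. Responses that arrived over
// TLS carry Strict-Transport-Security so the browser pins itself to HTTPS.
func EnforceHTTPS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil {
			// 308 keeps the method and body; 301/302 may turn a POST into a GET.
			target := "https://" + r.Host + r.URL.RequestURI()
			http.Redirect(w, r, target, http.StatusPermanentRedirect)
			return
		}
		w.Header().Set("Strict-Transport-Security", hstsValue)
		next.ServeHTTP(w, r)
	})
}

// app stands in for the real application behind the middleware.
func app(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, "ok")
}

// Probe sends one GET for url through the middleware and returns the status,
// the Location header and the HSTS header, so both paths can be compared.
func Probe(url string) (status int, location, hsts string) {
	req := httptest.NewRequest(http.MethodGet, url, nil) // https:// URLs get a dummy TLS state
	rec := httptest.NewRecorder()
	EnforceHTTPS(http.HandlerFunc(app)).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location"), rec.Header().Get("Strict-Transport-Security")
}

func main() {
	fmt.Println(Probe("http://www.example.test/login?next=/account"))  // 308 redirect, no HSTS
	fmt.Println(Probe("https://www.example.test/login?next=/account")) // 200 with HSTS header
}
```

The check on r.TLS assumes the Go process terminates TLS itself. Behind a reverse proxy or load balancer that terminates TLS, r.TLS is always nil; there the decision has to be based on a forwarded-protocol header that only the trusted proxy can set, otherwise every request would loop through the redirect.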
In general, HTTP Security provides a reasonable assurance that one is protected from malicious interference while communicating on the internet.