Short answer, main differences:
- HTTPS supports encryption, so the information exchanged between (usually) the browser and the server is not intelligible to other parties;
- HTTPS supports authentication, so the browser can make sure it's talking to the right server and not to a server that's pretending to have another identity. Vice versa is also possible but rarely used.
HTTP connections are neither encrypted nor authenticated.
Long answer: check these results on Google.
-- TMTOWTDI
| [reply] |
not to nitpick, but...
"HTTP connections are neither encrypted nor authenticated"
Not true. HTTP supports optional authentication mechanisms, and RFC 2617 covers two of them: Basic authentication and Digest authentication. Whether you trust the former, or whether your current browser implements the latter, is of course another story ;)
| [reply] |
You're talking about a protocol feature that allows a
client to submit a username/password pair to the server.
I was talking about the underlying
SSL mechanism that allows a client to verify the server's
identity using certificates (very simplified).
-- TMTOWTDI
| [reply] |
HTTPS is HTTP encapsulated in an SSL/TLS (Secure Socket Layer/Transport Layer Security) stream. This means that the stream is encrypted using a symmetric cipher for privacy. A MAC (Message Authentication Code), which is a one-way hash of the message, is used for reliability and authentication.
See RFC 2246 if you're interested in the actual workings of TLS or RFC 2068 for details on HTTP/1.1 (note that these are the actual protocol specifications, so they're quite long and very technical).
| [reply] |