Three terms we commonly hear when discussing information security over the web are HTTP, HTTPS, and VPN. Let us compare these three methods.
Consider the steps to write the address on an envelope in the U.S in English. The first line is the recipient’s name. The next one or two lines have the street address. The next line has the city, state, and zip code. This format is an example of a protocol. Anyone who wants to send a letter knows how to address it so others understand where it is to go. Anyone handling the letter knows how to interpret the information the sender put on it.
Just as we use languages and protocols to communicate, so do computers. HTTP (hypertext transfer protocol) is a language or protocol that computers use to exchange information over the web. Any computer sending information over HTTP formats it so that receiving computers know how to correctly interpret what was sent.
Imagine you work from home and your colleagues work at an office building. You use public mail delivery to exchange documents with your colleagues. You slip a memo inside a large clear plastic envelope that is addressed to Pat in Accounting. The postal carrier picks up the envelope from your home. The mail service uses public roads to deliver the envelope to Accounting and it then is routed to Pat. The mail service brings any information for you in clear plastic envelopes.
Sending information over the internet using HTTP is akin to the above arrangement. The web address specifies where to send information or an inquiry. Your internet service provider is the mail service.
Using HTTP means that your internet provider or anyone else who has a way of seeing your information (like someone who is listening in on your internet connection) can read the information you are exchanging. The information is in English and they can see which web pages you are visiting, as well as the information you are exchanging with these pages.
HTTPS stands for hyper text transfer protocol secure. It adds a security mechanism to HTTP. Let us return to the office scenario to understand the benefit of HTTPS.
Suppose you need confidentiality. So you begin to write your information using a secret code. This code is known to Accounting but not to others. Now any third party with access to your envelope simply knows that you are sending information to Accounting. They cannot make sense of the envelope contents.
Using HTTPS is similar to the arrangement above. Your internet provider or any third party who accesses your information may see which websites you are visiting. It sees neither the information you are exchanging (because this information is encrypted) nor the individual web pages you visit within the website.
The distinction between HTTP and HTTPS matters because not all sites, and not all pages within a website use HTTPS. Your information may be intercepted when you use HTTP.
Your browser will tell you whether you are using an HTTP or HTTPS connection. Below is an image of the address bar of Google Chrome web browser showing an HTTPS connection to website amazon.com, and an HTTP connection to website imdb.com:
Notice that the HTTPS connection is shown as secure with a green lock, and it shows the https in the address bar. The i in a circle instead of the lock indicates that the connection is not secure. If you go the address bar to copy the www.imdb.com address and then paste it, you will see the pasted text to be http://www.imdb.com/.
HTTPS uses encryption to achieve security. Let us look at an example of encryption to see how it works.
Suppose you want to send your credit card number to your friend by email. You agree beforehand that you will add 2 to each digit of your credit card number. Your credit card number is 1234 1234 1234 1234 and you send 3456 3456 3456 3456. Your friend knows that you have added two to each digit so they subtract two from each digit to decrypt what they receive and obtain the correct number.
What you have done above is a very basic form of encryption. Encryption uses a secret code to modify information that is being sent so that it is difficult for anyone who does not know the secret code to decrypt and understand what was sent. A website that supports HTTPS uses an advanced technique to encrypt data that is exchanged with that website.
VPN stands for virtual private network. The interest in VPNs went up with policy changes that allow internet service providers to keep track of and sell information about its users' internet usage. Let's see how VPNs protect against that change.
The internet is a shared network. Your internet information travels over WiFi and/or cables and fibers that are shared by many users. Some of these users have the skills to listen in on information that is going over these information pathways.
Suppose you lay down a private cable between your office building and your home. Now you have a private network or connection between your office and your home. It is harder for someone to access your information now because they don't have access to your private cable.
A VPN tries to mimic this private network without laying down a private cable. Let’s return to the office scenario to see how a VPN works.
Suppose you learn to your discontent that mail service is keeping record of your mailing practices and selling it to vendors. You contact a private delivery service that promises not to keep records. The private service has you send any mail to its office using its encryption method. It then uses its own envelope and return address to send your information to Accounting via the mail service. Accounting uses mail service to send any information intended for you using the address of the private service, which then mails it to you using its encryption. Now your information is exchanged in a secure manner and the mail service does not have information about your mailing practices.
A VPN provider is similar to that private service. You install VPN software on your computer. You enter a web address in the address bar of your browser as you ordinarily would. The VPN software controls all internet traffic going in and out of your computer. It takes the web address you entered into your browser and sends it encrypted to its VPN server (a host computer that is maintained by the VPN company). This host computer then connects to the desired website on your behalf. It collects the response of the website and sends it back encrypted to your computer. The VPN software installed on your computer decrypts this response and displays it in your web browser. So you don’t exchange information with websites directly, and it all goes through your VPN. Your internet service provider cannot know or sell your browsing information.
VPN offers the following benefits over use of HTTPS:
Many employers provide a VPN connection to their employees to allow them to connect with the company network from outside the office building. There are multiple companies that offer a private VPN service.
HTTP is an insecure protocol used to exchange information over the web. Anyone with access to what you send can see all information you exchange. HTTPS is safer because it encrypts the information you send via a web browser. Third parties can now only see which sites you visit. A VPN mimics a private network and protects even internet information that is sent without using a browser. All information you send goes securely through the VPN service provider. Thus even your HTTP connections are protected at your end, and your internet service provider does not have access to your web usage.