HTTPS vs HTTP: What Security Does HTTPS Add?
Learn what HTTPS adds over plain HTTP — encryption, integrity, and server authentication via TLS — with networking interview Q&A.
Expected Interview Answer
HTTPS is HTTP layered on top of TLS, adding encryption, integrity, and server authentication that plain HTTP has none of — meaning HTTPS traffic cannot be read or silently altered in transit, while HTTP traffic can be eavesdropped on or tampered with by anyone on the network path.
Plain HTTP sends requests and responses as cleartext, so any intermediary — a public Wi-Fi hotspot, an ISP, or a malicious proxy — can read cookies, form data, and page content, and can even inject or modify content in flight. HTTPS wraps the same HTTP semantics inside a TLS session: the TLS handshake authenticates the server using a certificate signed by a trusted certificate authority, and all subsequent HTTP messages are encrypted and integrity-checked with the session keys derived during that handshake. This protects against passive eavesdropping (someone reading your traffic) and active tampering (someone rewriting your traffic), and the certificate check protects against impersonation, so a browser can trust that example.com’s certificate really belongs to example.com. Browsers now mark plain HTTP sites as 'Not Secure' and modern web features like service workers and geolocation require HTTPS, making it the effective default for any site handling user data.
- Encrypts request/response bodies so eavesdroppers cannot read them
- Provides integrity so traffic cannot be silently modified in transit
- Authenticates the server via a CA-signed certificate, preventing impersonation
- Required by browsers for modern APIs and marked as trusted, unlike plain HTTP
AI Mentor Explanation
HTTP is like shouting match instructions across an open field where anyone nearby can hear or even fake a call, while HTTPS is like using a sealed radio channel between the captain and the umpire that only they can decode. On the open field, a rival could overhear the plan or shout a fake instruction that players mistake for the real one. With the sealed channel, every instruction is scrambled so only the intended receiver understands it and any tampering is instantly detectable, exactly like HTTPS encrypting and integrity-checking every HTTP message.
Step-by-Step Explanation
Step 1
Plain HTTP request
Without HTTPS, requests and responses travel as readable cleartext over the network.
Step 2
TLS handshake
HTTPS first establishes a TLS session, authenticating the server via a CA-signed certificate.
Step 3
Encrypted HTTP
The same HTTP request/response is then sent encrypted and integrity-checked inside the TLS session.
Step 4
Browser trust indicator
Browsers show a lock icon for HTTPS and flag plain HTTP sites as Not Secure.
What Interviewer Expects
- Explains HTTPS is HTTP over TLS, not a separate protocol
- Names the three protections: confidentiality, integrity, authentication
- Understands plain HTTP is vulnerable to eavesdropping and tampering
- Knows browsers require HTTPS for modern web APIs and mark HTTP as insecure
Common Mistakes
- Thinking HTTPS only encrypts the password field, not the whole request
- Believing HTTPS makes a site immune to all attacks, including XSS
- Confusing the padlock icon with a guarantee the site content itself is trustworthy
- Not knowing HTTPS also verifies server identity, not just encryption
Best Answer (HR Friendly)
“HTTP sends your data across the internet in plain, readable text, so anyone in between — like on public Wi-Fi — could see or tamper with it. HTTPS wraps that same data in encryption and verifies the website is who it claims to be, similar to sending a sealed, signed letter instead of an open postcard. That is why browsers show a lock icon for HTTPS and warn you when a site is not secure.”
Code Example
# Plain HTTP: headers and body are sent in cleartext
curl -v http://example.com | head -n 5
# HTTPS: connection is wrapped in TLS before any HTTP data is sent
curl -v https://example.com 2>&1 | grep -E "SSL connection|subject:"
# * SSL connection using TLSv1.3
# * subject: CN=example.comFollow-up Questions
- What happens if a certificate is expired or self-signed and untrusted?
- Does HTTPS protect against every type of web attack, such as XSS?
- What is HSTS and how does it prevent HTTPS downgrade attacks?
- Why is HTTP/2 typically only deployed over HTTPS in practice?
MCQ Practice
1. What underlying protocol does HTTPS add to plain HTTP?
HTTPS is HTTP transmitted over a TLS-encrypted connection.
2. Which of these is NOT provided by HTTPS?
HTTPS secures the transport channel but does not prevent application-level vulnerabilities like XSS.
3. Why can plain HTTP traffic be modified by an on-path attacker?
Without TLS, HTTP has no encryption or integrity protection, so intermediaries can read or alter it.
Flash Cards
What is HTTPS? — HTTP transmitted over a TLS-encrypted, authenticated connection.
What does plain HTTP lack? — Encryption, integrity checking, and server authentication.
How does HTTPS authenticate a server? — Via a certificate signed by a trusted certificate authority, verified during the TLS handshake.
Does HTTPS stop all attacks? — No — it secures the transport channel but not application-layer flaws like XSS or SQL injection.