Well everyone of us at least once come across the statement:
“Make sure abc website uses HTTPS before entering your private information.”
If yes then have you ever tried to find the reason behind this statement. Let’s find out the reason.
Before proceeding further two points must be clear-
- HTTP :
HyperText Transfer Protocol (HTTP) is the core communication protocol used to access the World Wide Web.
It uses a message-based model in which a client sends a request message and server returns a response message.
- HTTPS :
HyperText Transfer Protocol Secure (HTTPS) clearly it names indicate that this is an secure advancement of HTTP. It is basically the same application-layer protocol as HTTP but it is tunneled over secure transport mechanism.
The point to understand is that HTTP transfer data as plain text whereas HTTPS adds a encryption layer to data.
Now we have understand that HTTP does not encrypt our data while communication which means a attacker which is suitably positioned on the network can eavesdrop or look our data.
Let’s dive deeper!
To start our exploration we are using Linux machine and wireshark as packet analyzer tool (they are used for network analysis).
Firstly we have to setup wireshark to monitor all ongoing HTTP traffic for that we will enter the
following filter in wireshark to only get HTTP requests:
http && ip.addr == "ip address"
Now, we are able to monitor all ongoing traffic as shown in image:
You might be thinking that an attacker is only able to see your browsing but he can also get your credentials if victim try to login let’s see now visit a page and enter the credentials let say username =’test’ and password=’test’ then press login.When we switch back to wireshark and find that corresponding request we are able to see our entered username and password.
But, if we try to analyze packets for HTTPS request it doesn’t disclose any credentials due to encryption.
Always ensure that you are dealing with HTTPS especially when dealing with credentials or doing any type of transactions.
Attention reader! Don’t stop learning now. Get hold of all the important DSA concepts with the DSA Self Paced Course at a student-friendly price and become industry ready.
- Difference between Secure Socket Layer (SSL) and Secure Electronic Transaction (SET)
- Secure Socket Layer (SSL)
- Introduction to SSH(Secure Shell) Keys
- Secure Electronic Transaction (SET) Protocol
- Juice Jacking - Public USB charging ports are not secure
- Create your own secure Home Network using Pi-hole and Docker
- Trust Based Energy-Efficient and Secure Routing Protocols for IoT
- Difference between Secure Socket Layer (SSL) and Transport Layer Security (TLS)
- HTTP Cookies
- HTTP Full Form
- Difference between SOAP and HTTP
- Session Management in HTTP
- Difference between http:// and https://
- Difference between HTML and HTTP
- Difference between HTTP and IPFS
- What are the differences between HTTP, FTP, and SMTP?
- Difference between AMQP and HTTP protocols
- Difference between MQTT and HTTP protocols
- Difference between File Transfer Protocol (FTP) and Secure File Transfer Protocol (SFTP)
- HTTP Non-Persistent & Persistent Connection | Set 2 (Practice Question)