6. Request data is unencrypted, and servers don’t need to provide their identity over HTTP
7. HTTP is unencrypted. The data can be read by any intermediary.
HTTP request
Insecure wifi
Attacker can read the user’s HTTP request and response.
“Hmm, looks like Eric is interested in Twitter stock…”
I want to see a webpage
nytimes.com/twitter-stock-plummets/
8. HTTP is unencrypted. The data can be read by any intermediary.
HTTP request
Insecure wifi
I wonder what a jorf is…
Log into my WordPress site with my username “eric” and my password “jorf”
9. HTTP doesn’t require server identification. Any intermediary can spoof a request.
HTTP request
I want to see a webpage
nytimes.com/index.html
An attacker can catch the request (DNS spoofing, etc.)
10. HTTP doesn’t require server identification. Any intermediary can spoof a request.
HTTP request
The attacker returns spoofed content of index.html which says Russia bombed the U.S.
HTTP response
12. All data in the request is encrypted, except the delivery address.
HTTPS request
Send to 182.23.194.39
Fwu3489fehu9fr93wehufu9ef89y3hu9efhiufhr803
(encrypted request data)
I want to see a webpage
nytimes.com/index.html
13. All data in the request is encrypted, except the delivery address.
HTTPS request
Send to 212.39.10.88
sdfj83jof83hfajnksdc83hud08duh38dhe8y38h383
(encrypted response data)
HTTPS response
Here’s the content of index.html
14. HTTPS is encrypted. The data can’t be read by any intermediary.
HTTPS request
Insecure wifi
Attacker can eavesdrop on the encrypted conversation, but doesn’t understand it.
Log into my WordPress site with my username “eric” and my password “jorf”
Send to 182.23.194.39
Fwu3489fehu9fr9ufu9ef89y3hu9efhiufhr803
(encrypted request data)
15. HTTPS requires server identification. An intermediary can’t spoof a request.
HTTPS request
I want to see a webpage
nytimes.com/index.html
The attacker can’t spoof the server’s identification.
16. Only the server with valid identification can respond to the request.
HTTPS requires server identification. An intermediary can’t spoof a request.
HTTPS request
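Added example, not part of the original slides: the server identification described in slides 15 and 16 only holds when the client actually validates the certificate and matches it to the hostname. The Python code below puts the standard library's default TLS client context beside a configuration that switches those checks off, which returns the client to the situation in slides 9 and 10; the function names are this example's own, and `fetch_server_identity` assumes network access to a host you choose.

```python
import socket
import ssl


def strict_context() -> ssl.SSLContext:
    """Client context that enforces server identification (the library default)."""
    return ssl.create_default_context()


def lax_context() -> ssl.SSLContext:
    """Anti-pattern: verification switched off to silence certificate errors."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # certificate no longer matched to the hostname
    ctx.verify_mode = ssl.CERT_NONE  # certificate chain no longer validated
    return ctx


def identity_gaps(ctx: ssl.SSLContext) -> list[str]:
    """Return the ways this context fails to identify the server (empty list = OK)."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("certificate chain is not validated")
    if not ctx.check_hostname:
        gaps.append("certificate is not matched against the requested hostname")
    return gaps


def fetch_server_identity(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with a real server using the strict context.

    Raises ssl.SSLCertVerificationError if the server cannot prove it is `host`.
    """
    ctx = strict_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"tls_version": tls.version(),
                    "subject": tls.getpeercert()["subject"]}


if __name__ == "__main__":
    # Runs offline: only inspects the two configurations.
    for name, ctx in (("strict", strict_context()), ("lax", lax_context())):
        print(name, identity_gaps(ctx) or "server identity enforced")
```

With the lax context the traffic is still encrypted, but the client will complete a handshake with whoever answers, so an intermediary can again stand in for the server.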
20. “What if I don’t care about security?”
• Google gives an SEO boost for HTTPS sites.
• Your site can be faster on HTTPS with HTTP/2, which requires HTTPS.
• New browser features and APIs are limited to HTTPS sites.