HTTP stands for Hypertext Transfer Protocol. When you enter a URL in your address bar preceded by http://, it tells the browser to connect to the site via HTTP. HTTP then uses the Transmission Control Protocol (TCP) to send and receive data packets over the internet to load the site that you would like to access.
HTTPS stands for Hypertext Transfer Protocol Secure. When you enter a URL preceded by https://, it tells the browser to connect via HTTPS, which also uses TCP. However, it does so over a connection encrypted by TLS.
Basically, it takes the HTTP protocol and simply layers TLS encryption on top of it. Servers and clients still speak exactly the same HTTP to one another, but over a secure TLS connection that encrypts and decrypts their requests and responses.
The SSL layer has two main functions:
It verifies that you're talking directly to the server that you believe you're talking to, and it ensures that only the server can read what you send it and only you can read what it sends back.
What's so smart about TLS/SSL is that anyone can intercept the messages that you exchange with a server, including those in which you agree on the key and encryption approach to use, but they still cannot read any of the actual data that is sent.
There is some latency added once you make the switch to HTTPS: the first TLS handshake requires two additional round trips before the connection is established, in contrast to only one over an unencrypted HTTP connection. However, as in the Google example I mentioned earlier, it is minimal.
In 2010, Google introduced False Start, a technique that reduced the latency of a TLS handshake by 30%. However, it abandoned the effort a year later since it remained incompatible with a large number of sites that used SSL terminators, which offload SSL processing from servers.
However, False Start is not completely dead: it works for websites on servers that support the NPN extension.
There is also an encryption step between the server and browser in which they exchange data using asymmetric encryption. It builds a secure communications channel through which a session key is exchanged, allowing the server and browser to switch to a faster form of encryption called symmetric encryption.
Asymmetric encryption is slower than symmetric encryption because of the former's longer key lengths and the complexity of the encryption algorithms used. However, tests comparing encrypted and unencrypted connections show a difference of just 5 ms and a peak increase in CPU usage of just 2%. Even with large numbers of parallel and successive requests, CPU usage throughout the tests never exceeded 5%.
Session resumption greatly improves TLS performance by remembering information from a previously successful TLS session negotiation to skip the most computationally intensive parts of the TLS session key negotiation.
TLS provides two session resumption mechanisms: session IDs (where the client and server each store their own secret state) and session tickets (where the client stores the server's state, encrypted by the server).
In the case of session IDs, the server needs to keep track of previous sessions that could be continued at some point in time. This leads to additional work for the server.
Session tickets were introduced to fix the problem of large server caches. With session tickets, the server uses a key to encrypt session information before storing it on the client. The next time the client connects to the server, the server decrypts and reuses the session information. This means that the server can resume sessions without storing any session information itself, and the extra load is carried by the client.
Session resumption using session tickets is a valuable technique for a number of reasons: fewer round trips, fewer computations, and a reduced congestion window, without burdening your server.
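The session-ticket flow described above, sketched as an added example (not part of the original article, and not the code of any TLS library): the server seals the session state under a key only it holds, hands the opaque ticket to the client, and later verifies and decrypts it instead of consulting a cache. The function names, ticket layout and sample session state are assumptions, and an HMAC-SHA256 keystream stands in for the AES encryption a real server would use.

```python
import hashlib, hmac, json, os, time

def _subkeys(ticket_key):
    # Derive separate encryption and MAC keys from the server-only ticket key.
    return (hmac.new(ticket_key, b"enc", hashlib.sha256).digest(),
            hmac.new(ticket_key, b"mac", hashlib.sha256).digest())

def _xor_stream(key, nonce, data):
    # Stand-in cipher: HMAC-SHA256 in counter mode (a real server would use AES).
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def issue_ticket(ticket_key, state, lifetime=3600, now=None):
    """Server: seal the session state; the client stores the opaque result."""
    now = time.time() if now is None else now
    body = json.dumps({"state": state, "exp": now + lifetime}).encode()
    enc_key, mac_key = _subkeys(ticket_key)
    nonce = os.urandom(16)
    ct = _xor_stream(enc_key, nonce, body)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def resume(ticket_key, ticket, now=None):
    """Server: return the stored state, or None to fall back to a full handshake."""
    now = time.time() if now is None else now
    if len(ticket) < 48:                      # nonce (16) + tag (32)
        return None
    nonce, ct, tag = ticket[:16], ticket[16:-32], ticket[-32:]
    enc_key, mac_key = _subkeys(ticket_key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                           # modified, or sealed under another key
    payload = json.loads(_xor_stream(enc_key, nonce, ct))
    return payload["state"] if now < payload["exp"] else None

if __name__ == "__main__":
    key = os.urandom(32)                      # constructed server ticket key
    state = {"cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             "master_secret": "ab" * 24}      # constructed sample session state
    ticket = issue_ticket(key, state)         # sent to the client, nothing cached server-side
    print("resumed:", resume(key, ticket) == state)
    print("after key rotation:", resume(os.urandom(32), ticket))
```

Because the server keeps only the ticket key, rotating that key invalidates every outstanding ticket at once, and those clients simply fall back to a full handshake.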