Why HTTP is not Secure?
Well, every one of us has at least once come across the statement:
“Make sure abc website uses HTTPS before entering your private information.”
If so, have you ever tried to find the reason behind this statement? Let’s find out.
Before proceeding further, two points must be clear:
- HTTP:
HyperText Transfer Protocol (HTTP) is the core communication protocol used to access the World Wide Web.
It uses a message-based model in which a client sends a request message and the server returns a response message.
- HTTPS:
HyperText Transfer Protocol Secure (HTTPS), as its name indicates, is a secure advancement of HTTP. It is basically the same application-layer protocol as HTTP, but it is tunneled over a secure transport mechanism.
The point to understand is that HTTP transfers data as plain text, whereas HTTPS adds an encryption layer to the data.
Now we understand that HTTP does not encrypt our data during communication, which means an attacker who is suitably positioned on the network can eavesdrop on or read our data.
Let’s dive deeper!
To start our exploration we are using a Linux machine and Wireshark as the packet analyzer tool (both are used for network analysis).
First we have to set up Wireshark to monitor all ongoing HTTP traffic. For that we enter the
following display filter in Wireshark to get only HTTP requests to or from the host of interest (replace the placeholder with the actual IP address):
http && ip.addr == <ip address>
Now we are able to monitor all ongoing traffic, as shown in the image:
You might be thinking that an attacker is only able to see your browsing, but he can also get your credentials if the victim tries to log in. Let’s see: visit a page and enter the credentials, say username ‘test’ and password ‘test’, then press Login. When we switch back to Wireshark and find the corresponding request, we can see the entered username and password in it.
But if we analyze the packets for an HTTPS request, they do not disclose any credentials, because of the encryption.
Always ensure that you are using HTTPS, especially when dealing with credentials or doing any type of transaction.
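As an added example (not part of the original post), the following Python script shows what a passive observer on the path learns from one captured TCP payload, which is also the logic a simple IDS or DLP rule uses to flag cleartext credential submission: for the HTTP login described above it recovers the form fields, while for the same login over HTTPS only an opaque TLS record is visible. The two sample payloads, the host name abc.example and the list of secret field names are constructed assumptions.

```python
"""Classify captured TCP payloads: cleartext HTTP versus TLS (HTTPS).

Added example, not code from the original post. The payloads below are
constructed to resemble what Wireshark shows for a login over HTTP and
for the same login over HTTPS (an opaque TLS application-data record).
"""
from urllib.parse import parse_qs

# Form field names that usually carry a secret (assumed, small list).
SECRET_FIELDS = {"password", "pass", "passwd", "pwd", "token"}

# Constructed payload: an HTTP login POST exactly as it appears on the wire.
HTTP_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: abc.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"username=test&password=test"
)

# Constructed payload: a TLS application-data record (content type 0x17,
# version 0x0303, 2-byte length) followed by 16 bytes standing in for ciphertext.
TLS_LOGIN = b"\x17\x03\x03\x00\x10" + bytes(range(16))


def classify(payload: bytes) -> dict:
    """Return what a passive observer can read from one captured payload."""
    # TLS records start with a content type 0x14..0x17 and a 0x03xx version.
    if len(payload) >= 5 and 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03:
        return {"transport": "tls", "fields": {}, "secrets": {}}
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return {"transport": "unknown", "fields": {}, "secrets": {}}
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields, secrets = {}, {}
    # Only form-encoded bodies are decoded; every field is readable in cleartext.
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        for field, values in parse_qs(body.decode("latin-1")).items():
            fields[field] = values[0]
            if field.lower() in SECRET_FIELDS:
                secrets[field] = values[0]
    return {"transport": "http", "request": request_line,
            "fields": fields, "secrets": secrets}
```

Running `classify(HTTP_LOGIN)` exposes both the username and the password, while `classify(TLS_LOGIN)` yields no readable fields at all, which is the difference the Wireshark comparison above illustrates.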