HTTP 80 vs HTTPS 443
Internet traffic is at risk because it relies on unencrypted transmission protocols, which are susceptible to eavesdropping by malicious actors. A solid grasp of data transmission is essential if you plan to take the Network+ exam in the future.
By far, the two most common transmission protocols are HTTP and HTTPS, which run on ports 80 and 443, respectively. Before diving too deep into different protocols, let’s ensure we understand the role of port 80.
What is Port 80?
Port 80 is home to the protocol we all know and love: HTTP (HyperText Transport Protocol). When a web browser such as Chrome or Firefox requests a web page from a server, it will do so over port 80 (or port 443–but we’ll get to that later). As you can imagine, port 80 is vital to the internet.
The Importance of Port 80 to the Internet
With respect to the OSI model, HTTP (and subsequently port 80) is Layer 7 of the OSI model, but how does it interact with lower levers? Let’s dig into that.
Is Port 80 TCP or UDP?
Port 80 uses TCP (Transmission Control Protocol) to communicate. TCP is a safe, reliable protocol for transmitting data over the internet. TCP relies on a three-way handshake to ensure every packet of data is received by the intended target. A three-way handshake can be thought of as the following dialog:
Sender: “Hey! I need to sync up with you.”
Receiver: “Ok, great. I acknowledge the sync. Ready when you are.”
Sender: “Sounds good. I acknowledge that you have acknowledged. I’ll begin transmitting data…”
If any portion of the communication breaks down, then the packet is resent until the three-way handshake is complete. So we know port 80 is reliable. Now, let’s determine whether it is secure.
Is Port 80 Encrypted?
The important thing to remember here is that ports are not inherently encrypted. However, they can utilize protocols to encrypt them. Think of a port as a door. Doors are not inherently secure, but you can easily put a lock on the door. Therefore, a lock protocol will make your door secure.
Bearing that in mind, HTTP is the default protocol for port 80, which is an unencrypted protocol.
Why Use Port 80?
Port 80 is helpful for loads of reasons. The primary reason is receiving internet traffic. If you’re a software developer, port 80 is a great way to test website functionality without dealing with the complexities of encryption. Port 80 can be used in load balancers. Traffic will come into the load balancers via port 80 and then be distributed among the shared servers.
There is a big caveat here to port 80: do not use port 80 on your public website. It will affect your SEO ranking, meaning your site will be lower on Google search results.
The final use of port 80 is to redirect an unencrypted URL to an encrypted one on port 443, which is the topic of our next section!
What is HTTPS Port 443?
Port 443 is the default port for HTTPS (HyperText Transport Protocol Secure), the secure version of HTTP. While browsing the internet, you may notice a padlock to the left of the web address. That padlock indicates the site uses HTTPS. That means the data transmitted to and from the server will be much more difficult to intercept.
What Does It Mean That HTTPS is Encrypted?
Encrypted means that the data transmitted is not identifiable to those who are listening to the port, or sniffing out the packets with WireShark. When a session between a server and a node is first initiated, a key is exchanged between them. This key is used to encrypt data before transit and then decrypt it upon final destination.
This process is done through asymmetric encryption, which involves a public key and a private key. The private key is stored on the server, while the public key can be given to whoever needs to do business with the server.
Think of it like a safe. A message can be placed into the safe and locked by anyone with the public key. However, it can only be opened by the one who has the private key. That’s how asymmetric encryption — and consequently HTTPS — works.
What is an HTTPS Certificate?
This all ties into the annual certificate renewal required for all HTTPS-compliant websites. Whenever a new certificate is generated, it contains only the public key, while the private key is stored on the server.
Whenever you visit an HTTPS site, the public key is extracted from the certificate and used by the browser to initiate a secure session. During TCP handshake, the client and server generate a session key. Then, everything in the session is decrypted in the server with the session key.
Port 443 and SSL/TLS
TLS works similarly to TCP. It uses a three-way handshake to establish a path of communication — but with one important difference. TLS uses symmetric encryption with keys created at the outset of the handshake, as opposed to HTTPS’s asymmetric encryption scheme.
These keys are used to encrypt and decrypt messages. Furthermore, each packet has an HMAC attached to every message, generated using a cryptographic hash function and a secret key. The recipient uses this HMAC to verify that the packet has not been tampered with and to ensure the integrity and authenticity of the message.
What Port Can Be Used Instead of 443?
Technically, HTTPS can be used on any port. Port 443 is the default port for the HTTPS protocol, so that is what everyone uses. Since it is such a common protocol, it makes life easier by having a port that we all know to be associated with HTTPS.
Also, firewalls are set up with the assumption that port 443 will be set up with HTTPS. So, if you send an HTTPS connection via port 444, a firewall will probably block it anyway.
At the end of the day, using port 443 for HTTPS is your best bet.
Next, let’s compare each of the ports side by side.
Port 80 Vs. 443
The most important thing to remember about port 80 vs 443 is that port 80 is unencrypted, and port 443 is encrypted. Port 80 is unencrypted because it is the default port for HTTP, an insecure transfer protocol used to retrieve web pages. Port 443 is secure because it uses HTTPS, which does the same thing as port 80, except securely.
What's the Main Difference Between Port 80 and 443?
As alluded to before, the main difference between port 80 and 443 is the latter is encrypted, while the former is not.
However, another important difference is that each one uses a separate transfer protocol to send packets. HTTP uses TCP, and HTTPS uses TLS – which is a secure form of TCP. With all that in mind, are port 80 and port 443 the same? In a word, yes — but let’s elaborate.
Are Port 80 and 443 the Same?
Port 80 and 443 are the same, in essence. Both of them were created to exchange messages on the internet. If HTTP were a bridge, then HTTPS would be a covered bridge. They both accomplish the same goal of allowing cargo and people to cross a river — but the latter is a bit more sneaky about it.
Security Vulnerabilities of Port 80 and Port 443
It is always good to review security vulnerabilities when deciding to use a technology. While port 80 and 443 may be ubiquitous today, there are certainly security vulnerabilities of port 80 and port 443 that should be considered.
HTTPS Security Vulnerabilities
While HTTPS does provide a significant level of security to its users, there are still some precautions to consider. Here are four vulnerabilities to keep in the back of your head while using HTTPS:
Expired and/or Invalid TLS Certificates: Expired certificates can increase the chance of interception of data and general loss of reputation for the certificate holder. If someone can’t keep their certificates up-to-date, they may be lapsing elsewhere.
SSL Stripping: A hacker can try and downgrade the HTTPS connection to HTTP, thus decrypting the traffic.
Man-in-the-Middle (MitM) Attacks: A hacker can intercept data by posing as an intermediary website to steal data. This is especially easy if the certificate has expired.
Insecure Redirects: Many sites will automatically redirect an HTTP site to an HTTPS URL. If this is done incorrectly, then a malicious actor could exploit that vulnerability and intercept data.
One thing to remember is that none of these vulnerabilities have to do with the encryption itself. When considering HTTPS, it's important to remember that ensuring foolproof security requires attention to the initial setup, ongoing maintenance, and vigilant traffic monitoring. Now, let’s move on to HTTPS’s insecure cousin, HTTP.
HTTP Security Vulnerabilities
HTTP is not secure, so there are quite a few things to consider when implementing it, including:
Data Tampering—Since the data is in plain text, a malicious actor can intercept and change the data before it arrives at its destination.
Injection Attacks—Cross-site scripting is far easier when the line is insecure. That’s because HTTPS checks data packages to verify they are coming from the intended origin; HTTP does no such thing.
Content Injection—A hacker can add CSS or HTML into your web browser by intercepting and tampering with packets.
Public Wi-Fi risk—A malicious actor can read your data, and everyone else’s in a public setting.
As opposed to HTTPS, the vulnerabilities with HTTP are serious and are attributed to the protocol itself, not to its mismanagement. It is critical in this day and age to use HTTPS whenever possible.
Is HTTPS Completely Secure?
Yes. HTTPS is secure. The only thing that makes it unsecured is human error or negligence. It is important to note that no technology is “totally secure.” There is also a possibility an exploit will be found, like heartbleed.
Final Thoughts: Port 80 vs. Port 443
Port 80 versus port 443 is one of the most interesting aspects of prepping for the Network+ exam. Both of them are used so often in our everyday lives that we barely even notice.
However, as stated earlier, it is important to do due diligence when establishing any HTTPS, especially any HTTP connection. Now that you understand HTTP protocols well, reviewing network topologies as a whole might be beneficial to understand their actual flow. Happy networking!
Not a CBT Nuggets subscriber and want to prepare for the Network+ exam? Sign up for a 7-day free trial today.
delivered to your inbox.