Every Website Uses One of These Two Protocols
Every time you visit a website, your browser communicates using either:
- HTTP
- HTTPS
At first glance, they seem nearly identical.
You type a URL.
The webpage loads.
Everything appears normal.
Yet beneath the surface, the difference is enormous.
One sends information in plain text.
The other protects data using modern cryptography.
That single extra letter — S for Secure — fundamentally changes how information travels across the internet.
Understanding that difference becomes much easier when viewed through the lens of the OSI Model.
What Is HTTP?
HTTP (HyperText Transfer Protocol) is the foundation of the World Wide Web.
It defines how:
- Browsers request resources
- Servers respond to requests
- Web applications exchange information
HTTP operates at:
Layer 7 — Application Layer
It provides the rules that allow browsers and servers to communicate.
A Simple HTTP Request
When you visit a webpage, your browser sends a request that looks similar to:
GET /page.html HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Accept: text/html
This request tells the server:
- Which resource is needed
- Which website is being accessed
- What type of content the browser can handle
The server then responds with the requested content.
Simple.
Fast.
And historically very successful.
The Problem with HTTP
HTTP has one major weakness:
It does not encrypt data.
Everything remains readable while traveling across the network.
If someone gains access to the communication path, they may be able to view:
- Usernames
- Passwords
- Messages
- Search queries
- Cookies
- Personal information
In the early days of the internet, this wasn't considered a major concern.
Today's internet is very different.
We use websites for:
- Banking
- Shopping
- Healthcare
- Government services
- Business communication
Sending sensitive information in plain text is no longer acceptable.
How HTTP Travels Through the OSI Model
An HTTP request moves down the OSI stack like any other data.
Application Layer
↓
Transport Layer (TCP)
↓
Network Layer (IP)
↓
Data Link Layer (Ethernet/Wi-Fi)
↓
Physical Layer
The problem?
The HTTP content remains readable throughout the journey.
Anyone intercepting the traffic can inspect the contents directly.
Enter HTTPS
HTTPS stands for:
HyperText Transfer Protocol Secure
At its core, HTTPS is simply:
HTTP + TLS
The web application behaves exactly the same.
The difference is that communication becomes encrypted before it leaves the device.
This encryption protects information from interception and tampering.
What Is TLS?
TLS stands for:
Transport Layer Security
It is the security technology responsible for protecting modern web traffic.
TLS provides:
- Encryption
- Authentication
- Data integrity
Without TLS, HTTPS would not exist.
Where TLS Fits in the OSI Model
Conceptually, TLS belongs to:
Layer 6 — Presentation Layer
This makes sense because TLS transforms data before transmission.
It changes readable information into encrypted ciphertext.
The Application Layer still generates HTTP requests.
The Presentation Layer encrypts them.
Then the encrypted data moves through the lower layers.
The HTTPS Process Step by Step
Before encrypted communication begins, the browser and server perform a TLS handshake.
This process establishes trust and creates encryption keys.
Step 1: Client Hello
The browser initiates communication.
It sends:
- Supported TLS versions
- Supported encryption algorithms
- Random values used during key generation
Step 2: Server Hello
The server responds with:
- Selected TLS version
- Chosen encryption method
- Digital certificate
Step 3: Certificate Verification
The browser verifies the server's certificate.
This confirms the server is genuinely who it claims to be.
For example:
example.com
must actually belong to the legitimate owner of that domain.
Step 4: Session Key Creation
Both sides generate a shared secret encryption key.
This key will protect the remainder of the session.
Step 5: Secure Communication Begins
Once the handshake completes:
- Requests are encrypted
- Responses are encrypted
- Intermediaries cannot read the contents
Communication becomes secure.
What Happens If Someone Intercepts HTTPS Traffic?
Imagine an attacker captures network packets.
With HTTP, they may see:
Username: alice
Password: mypassword123
With HTTPS, they see something more like:
8F 2A 91 4B D7 11 3C...
The data still travels through the same routers, switches, and cables.
The difference is that the contents are unintelligible without the encryption keys.
HTTP vs HTTPS Through the OSI Model
The best way to understand the difference is layer by layer.
| OSI Layer | HTTP | HTTPS |
|---|---|---|
| 7 – Application | HTTP Request/Response | HTTP Request/Response |
| 6 – Presentation | Plain Text | TLS Encryption |
| 5 – Session | Session Management | Session Management |
| 4 – Transport | TCP Port 80 | TCP Port 443 |
| 3 – Network | IP Packet | IP Packet |
| 2 – Data Link | Ethernet/Wi-Fi Frame | Ethernet/Wi-Fi Frame |
| 1 – Physical | Raw Bits | Raw Bits |
Notice something important:
Only the upper layers change.
The lower layers continue functioning normally.
Routers, switches, and physical cables don't care whether the payload contains plain text or encrypted data.
They simply transport it.
Port Numbers: 80 vs 443
HTTP and HTTPS commonly use different TCP ports.
| Protocol | Default Port |
|---|---|
| HTTP | 80 |
| HTTPS | 443 |
When you enter:
https://example.com
your browser typically connects to port 443.
For:
http://example.com
it usually connects to port 80.
These ports help the destination server determine which service should process the request.
Why Modern Websites Redirect to HTTPS
Today, virtually all reputable websites enforce HTTPS.
Reasons include:
Security
Protects sensitive user information.
Privacy
Prevents eavesdropping on browsing activity.
Integrity
Stops attackers from modifying content in transit.
Trust
Modern browsers warn users when websites are not encrypted.
SEO Benefits
Search engines generally favor secure websites.
The Padlock Icon Explained
Most browsers display a padlock symbol next to secure websites.
The padlock indicates:
- TLS is active
- The certificate is valid
- Communication is encrypted
It does not automatically guarantee the website itself is trustworthy.
A malicious website can still obtain a valid TLS certificate.
The padlock only confirms secure communication.
Comparing HTTP and HTTPS in the OSI Model Simulator
One of the best ways to understand encryption is to observe it visually.
The Roboticela OSI Model Simulator allows you to run:
- An HTTP simulation
- An HTTPS simulation
and compare them side by side.
You'll see how:
- The Application Layer remains largely unchanged
- TLS behavior appears at the Presentation Layer
- Lower layers continue functioning identically This visual comparison makes the role of encryption immediately obvious.
Landing Page:
https://osi-model-simulator.roboticela.com
Launch Simulator:
https://app.osi-model-simulator.roboticela.com
Try running both protocols back-to-back and watch where the communication paths begin to diverge.
Key Takeaways
- HTTP is a Layer 7 protocol used for web communication.
- HTTP sends data in plain text.
- HTTPS combines HTTP with TLS encryption.
- TLS conceptually operates at the Presentation Layer.
- HTTPS protects confidentiality, integrity, and authentication.
- HTTP typically uses TCP port 80.
- HTTPS typically uses TCP port 443.
- Modern websites overwhelmingly rely on HTTPS for security.
Conclusion
HTTP made the web possible, but HTTPS made it safe.
By introducing TLS encryption into the communication process, HTTPS protects data as it travels across networks, routers, switches, and physical media.
Viewed through the OSI Model, the difference becomes remarkably clear: the lower layers remain largely unchanged, while the Presentation Layer transforms readable information into secure encrypted data.
In the next article, we'll explore another critical Application Layer protocol: DNS, the system that translates human-friendly domain names into the IP addresses computers actually use.
Top comments (0)