What is The Difference Between HTTP and HTTPS?
Cyber Security, Security Testing
Saturday January 1, 2022
Many of you might be accustomed to HTTP:// or HTTPS://. But what do they mean? What is
the Difference Between HTTP and HTTPS?
Let’s have a look at the topic HTTP vs HTTPS in detail.
What is HTTP?
HTTP stands for Hypertext Transfer Protocol. It is a set of rules that governs
the transmission of information on the World Wide Web.
HTTP also sets the standard rules by which servers and web browsers communicate
with each other.
HTTP is an application layer network protocol built on top of TCP. It transfers
information between networked devices.
HTTP works at the top layers of the network protocol stack. An HTTP flow consists of a
client machine that sends a request to a server and gets a response message in return.
HTTP is known as a stateless protocol because every command is independent and executes
separately. It does not require any reference to a previously executed command.
Sample HTTP Request
GET /index.html HTTP/1.1
Host: www.ABC.com
User-Agent: Chrome/5.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html,*/*
Accept-Language: en-us
Accept-Charset: ISO-8859-1,utf-8
Connection: keep-alive
<blank line>
Sample HTTP Response
HTTP/1.1 200 OK
Date: Thu, 24 Jul 2008 17:36:27 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 1846
<html>
…
</html>
What is HTTPS?
HTTPS stands for HyperText Transfer Protocol Secure. As the name suggests, it is a
more secure and advanced version of HTTP.
For data communication HTTPS uses port number 443. To enhance the security of all
transactions, HTTPS encrypts all communication with SSL/TLS.
HTTPS is a combination of the HTTP and SSL/TLS protocols.
HTTPS works by establishing a secure, encrypted link between the browser and the
server, providing two-way security of data.
It safeguards your potentially sensitive data from various threats.
Sample HTTPS Request
// Node.js, using the request library; the https:// URL makes the library open a TLS connection to the server.
const request = require('request');
request('https://example.com/url?a=b', function (error, response, body) {
  if (!error && response.statusCode == 200) {
    console.log(body);
  }
});
Features exclusive to HTTPS
HTTPS has the upper hand over HTTP, and a few browser features are exclusive to
HTTPS. Some of them are:
Geolocation: the geolocation feature, which finds the user’s location, is available only on HTTPS.
Web push notifications: web push notifications are another feature available only on
HTTPS.
PWA (Progressive Web App): this very impressive feature allows you to turn your
website into an Android mobile app. It is available only on HTTPS.
GetUserMedia: HTTP restricts users by not allowing a site to use the
camera or microphone.
What are the major differences between HTTP and HTTPS?
1. HTTP does not have any advanced security mechanism, whereas HTTPS offers higher
security with an SSL or TLS digital certificate that secures all communication
between server and browser.
2. By default HTTP works on port 80 and HTTPS works on port 443.
3. Another major difference is that HTTPS runs at the Transport Layer whereas HTTP
runs at the Application Layer.
4. Data in HTTP is transferred as plain text, while data in HTTPS is transferred in
encrypted form.
5. In terms of speed, HTTP takes the front seat, being faster, as HTTPS
consumes more time on encryption.
Now let’s talk in terms of the advantages and disadvantages of HTTP and HTTPS.
First, let’s discuss the advantages of both HTTP and HTTPS:
Advantages of HTTP
1. HTTP can be executed alongside other protocols on the network
2. It is not dependent on runtime support
3. HTTP pages are faster to access as they are stored directly in computer and internet
caches and do not require any encryption.
4. It allows cross-platform porting
5. It can be used across firewalls.
6. HTTP is platform-independent
7. Global applications are possible
8. It is not connection oriented
Advantages of HTTPS
1. Generally, all sites running on HTTPS redirect automatically. Even if
you type HTTP://, you will be redirected to HTTPS.
2. It is used for all secured transactions that users rely on, like online banking.
3. It uses SSL technology to protect users. Each SSL certificate contains unique, authenticated
information about the certificate owner.
Disadvantages/limitations of HTTP vs HTTPS
Since we have had a glimpse of the advantages of both HTTP and HTTPS, let’s have a look
into their limitations.
Disadvantages of HTTP
1. It provides less or no privacy as content is visible to everyone.
2. It uses no encryption method and hence the content can be altered by anyone. In short,
it provides no security.
Disadvantages of HTTPS
1. Though HTTPS provides security, it cannot secure the cached pages on the browser.
2. There is no security to the data in the browser memory.
3. HTTPS is slower.
4. It enhances the computational overhead.
5. It increases the network overhead.
Difference between HTTP and HTTPS.
Parameter | HTTP | HTTPS
Protocol | It is a hypertext transfer protocol. | It is a hypertext transfer protocol with security.
Security | It is less secure. Anyone can read and edit content. | It is more secure and used for secure transactions like banking, etc.
Port | Port 80 is the default port. | Port 443 is the default port.
Usage | HTTP URLs begin with HTTP:// | HTTPS URLs begin with https://
Used in | It is generally used for websites focused more on information purposes, like blogs. | It is used for websites that require security, like banking websites.
Encryption | It does not encrypt data while transferring it. The information is transferred as it is and hence is more vulnerable to threats. | The data is encrypted before being transferred and is decrypted again at the receiver’s end. Since the data is in encrypted form there are fewer chances of any security threats.
Protocol | It operates at the TCP/IP level. | Uses HTTP for transmission, with an enhanced TLS/SSL connection for better security.
Validations | No validations are required. | It requires an SSL certificate.
Data encryption | No encryption. | Uses encryption to secure data.
Search | It does not have any effect on search. It does not play any role in improving search ranking. | It improves the search ranking.
Speed | It is faster than HTTPS, as no time is consumed in encryption and decryption. | It is slower than HTTP, as time is consumed in encryption and decryption of data.
Vulnerability | It is very vulnerable to hackers. | It is less vulnerable to hackers.
What is an SSL Certificate?
Commonly called a TLS certificate, an SSL certificate is a digitally bound key that contains crucial
information about an organization.
Once an SSL certificate is installed, the browser shows a padlock that indicates a safe connection
between the PC and the web server it is connected to.
An SSL certificate helps in encrypting internet traffic and verifies the server’s identity.
The information included in the SSL certificate
The domain name for which the certificate was issued
To whom the certificate was issued
Digital signature of the company
The authority which issued this certificate
Issue date
Subdomains that are associated with the company
The expiration date of the certificate
Public key
Why do you need an SSL certificate?
SSL has the ability to encrypt communication between two internet entities
so that privacy is maintained
SSL ensures that information is sent to the right server. Pretenders waiting to
exploit the connection can be avoided because of this
The SSL icon is a trust symbol and encourages users to access the website
Types of SSL/TLS certificate used with HTTPS
Let’s look into the different types of SSL/TLS certificates used with HTTPS
1. Domain Validation: It validates Domain name ownership.
2. Organization Validation: It validates the owner’s identity.
3. Extended Validation: It validates domain name ownership, owner identity, and
business registration proof.
Things to know before switching from HTTP to HTTPS
There is a mad race to switch from HTTP to HTTPS, and for good reason. After all,
HTTPS offers many benefits over HTTP.
But switching from HTTP to HTTPS is a tricky task. Though the process might seem
simple, it involves a lot of cautionary measures.
There are a few things that you should remember while switching from HTTP to HTTPS.
How to Convert HTTP to HTTPS
The first step is to get an SSL certificate
Next, you will have to install it on the website’s hosting account
In the next step, you have to configure the 301 redirects. To do this you will have to
alter the .htaccess file that sits in the root folder
The last step is updating the robots.txt file and notifying the search engines about your
switch.
This process might seem very easy, but it is not as easy and straightforward as it appears.
You can ease your work by taking the help of service providers to configure SSL
certificates.
Though it might incur an additional cost, it might save you from a lot of hassle. Also,
remember a few things before switching from HTTP to HTTPS:
Inform the search engines that you are switching from HTTP to HTTPS
For any resources, prefer relative URLs
Make sure that your HTTPS site is reachable according to robots.txt
Don’t forget to keep an eye on your site before and after switching from HTTP to
HTTPS and keep track of the changes.
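To make the advice about relative resource URLs concrete, here is an added example (my code, not from the original article) that scans a page for hard-coded http:// references before a switch to HTTPS: same-host references get a relative form, third-party ones are flagged because browsers will block them as mixed content. The host www.example.com and the sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that load sub-resources or link to pages.
URL_ATTRS = {"src", "href", "action", "data"}


class InsecureUrlScanner(HTMLParser):
    """Collect every http:// URL in a resource attribute, with a suggested fix."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # list of (tag, attr, original_url, suggested_url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            url = value.strip()
            parts = urlsplit(url)
            if parts.scheme.lower() != "http":
                continue  # relative, https://, mailto: etc. need no change
            if parts.hostname == self.site_host:
                # Own host: a relative URL follows the page scheme automatically.
                relative = parts.path or "/"
                if parts.query:
                    relative += "?" + parts.query
                self.findings.append((tag, name, url, relative))
            else:
                # Third-party resource: must be fetched over https (or dropped),
                # otherwise the browser blocks it and the padlock is lost.
                self.findings.append((tag, name, url, "https://" + url[len("http://"):]))


def scan_html(html, site_host):
    """Return a list of (tag, attr, original_url, suggested_url) findings."""
    scanner = InsecureUrlScanner(site_host)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page for the hypothetical host www.example.com.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<script src="https://cdn.example.net/lib.js"></script>
<script src="http://cdn.example.net/analytics.js"></script>
</head><body>
<img src="/images/logo.png">
<a href="http://www.example.com/about?lang=en">About</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url, fix in scan_html(SAMPLE_PAGE, "www.example.com"):
        print(f"<{tag} {attr}> {url}  ->  {fix}")
```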
SEO Perspective of HTTPS
In recent times, website owners do everything to improve their SEO ranking, as it is one of the
most important factors for any website in the never-ending race to rank higher on
search engines.
Websites strive to be listed on the first page of search engines. One of the tactics to
improve the ranking is to switch to HTTPS, as HTTPS helps in improving SEO ranking
whereas HTTP does not.
Why do you need HTTPS for creating AMP pages?
HTTPS is essential for creating AMP (Accelerated Mobile Pages). AMP is truly an innovation
by Google to load web content as swiftly as possible on mobile devices.
When it comes to securing a good rank in the SERP and gaining the trust of Google, HTTPS plays a
pivotal role.
HTTPS serves as an important ranking signal as well as a crucial part of cybersecurity.
How does HTTPS authenticate web servers?
Authentication verifies whether a system or person is what they claim to be. HTTP does not
support identity verification.
HTTP was designed with other priorities than security. But with increasing security risks,
authentication becomes important.
The private key confirms the server’s identity, just as an ID card confirms a person’s identity.
When a user navigates to a website, its key is authenticated to ensure that the server is a
legitimate host. This prevents a number of attacks, such as:
On-path attacks
DNS hijacking
BGP hijacking
How to add HTTPS to your website?
An SSL certificate is basically a text file with encrypted messages in it.
You can buy it from your hosting service and install it on your server so that secure communication
happens between your server and the connecting entity.
Along with the SSL certificate, you also need to install an intermediate certificate, which
helps establish trust in the SSL certificate by tying it to the authority’s root certificate.
In HTTPS, how does TLS/SSL encrypt HTTP requests and responses?
TLS uses public-key encryption. The public key is shared with client devices via the
server’s SSL certificate.
When the connection is set up between the client and the server, both ends use the private key and
public key to agree on session keys. These session keys are used to encrypt the communication
between the two devices.
The HTTP requests are encrypted using the session keys, making the whole communication
secure.
Which one is better when we compare HTTP vs HTTPS?
The answer is clear when it comes to HTTP vs HTTPS.
HTTPS provides added security, which is definitely an advantage if your website handles
sensitive information, and it also helps with SERP ranking.
What is OWASP? Top 10 OWASP Vulnerabilities
Cyber Security, Security Testing
Thursday November 26, 2020
Came across the name OWASP many a time but do not know what OWASP is? Every 3-4
years, the OWASP Top 10 Security Vulnerabilities release helps businesses by listing the web application
weaknesses that are commonly exploited by hackers and offering recommendations for tackling these attacks.
As a security professional or a business owner, you would want to look into this list, as it acts
as an awareness document to better understand your current security approach and posture and
become better equipped to identify and mitigate these security threats.
The latest edition of the Top 10 Security Vulnerabilities by OWASP was released in 2017.
Therefore, one can expect the new edition to be released sometime next year, in 2021.
But what does the 2021 version hold? What security threats can one expect in the future for
their web applications? Let’s discuss the top 10 security vulnerabilities of 2021.
What is OWASP? What does OWASP stand for?
OWASP, the Open Web Application Security Project, is a nonprofit organization in
pursuit of the noble goal of protecting web applications from cyber attacks. It has
strong community support to facilitate this tedious task. Through conferences, online
newsletters, journals, etc., it also educates people on how to keep their
business secure.
#1 Broken Authentication
Under OWASP’s Broken Authentication category, the focus is on default or weak passwords.
This has always been a major problem for all types of web applications. It is believed that
weak passwords are still going to be a significant security vulnerability in 2021.
Hackers have got their hands on advanced GPU technologies, which allows them to easily
break weak passwords, even if the passwords use strong ciphers. They use brute-force attacks
nowadays to break passwords.
It is also found that administrators aren’t really vigilant about teaching users password best
practices. Many enterprises are following the worst policies and systems for password
selection. They only focus on uppercase and lowercase, special characters, and numbers, and
not on password length itself.
On the other hand, users are often forced to change their passwords frequently by the
administrators, which causes them to use insecure passwords. All they do in the name of
changing passwords is adding a predictable number or character at the end of the previous
password.
So, it is extremely important to follow good password habits in order to secure web
applications in an organization.
#2 Injection
Injection flaws are another major security vulnerability that is likely to continue in 2021. They can
lead to disastrous and undesirable results. Injection flaws include file system injections,
LDAP injections, SQL injections, and many more. Some of these flaws are so severe that
they can even lead to remote code execution.
Injection flaws happen when web applications take in user-supplied data in the form of a
search or field query and pass it on to the server or backend database without a thorough input
validation check.
Thus, it becomes easy for hackers to craft a string in an attempt to exploit the web
application. The sad part is that without sufficient input sanitization, the query is executed on
the server.
Organizations need to use tried and tested remediation techniques, such as a combination of
output escaping, stored procedures, parameterized queries, and whitelists for server-side input
validation.
Another measure they can take is to use database controls like LIMIT to prevent mass
disclosure in the event of a well-executed injection attack.
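As an added illustration (my code, not from the original article) of the parameterized-query and LIMIT remediations just described, the same user lookup written both ways, run against an in-memory SQLite table with constructed rows:

```python
import sqlite3


def make_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.com"),
        ("bob", "bob@example.com"),
        ("carol", "carol@example.com"),
    ])
    return conn


def find_user_vulnerable(conn, name):
    """Concatenates user input into SQL: the input can rewrite the query's logic."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name, max_rows=1):
    """Parameterized query: the input is always bound as data, never parsed as SQL.
    LIMIT caps how many rows any single lookup can return, so even a future
    mistake elsewhere cannot dump the whole table through this path."""
    sql = "SELECT name, email FROM users WHERE name = ? LIMIT ?"
    return conn.execute(sql, (name, max_rows)).fetchall()


# Constructed input that closes the quoted literal and appends an always-true
# condition, the textbook illustration of why concatenation is unsafe.
TAUTOLOGY = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", find_user_vulnerable(conn, TAUTOLOGY))  # every row comes back
    print("safe:      ", find_user_safe(conn, TAUTOLOGY))        # no row has that literal name
    print("safe alice:", find_user_safe(conn, "alice"))
```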
#3 XML External Entities (XXE)
XML External Entities is a type of attack that takes advantage of XML parsers in a web
application that may process a payload such as an external reference in the
XML document.
It is a type of attack that web applications began to experience 6-7 years back.
According to OWASP, XXE replaced CSRF (Cross-Site Request Forgery), which was
present in the 2010 and 2013 editions of the report.
Over the years, it has been observed that the XXE vulnerability in XML processing is steadily
gaining traction. As a result, it has become more severe for web applications.
If an attacker modifies or adds external entities in an XML file, pointing them to a
malicious source, it can lead to an SSRF attack or a denial of service (DoS) attack. The worst
part is that these flaws can be used to scan internal systems, extract data, and run port scans, among
other malicious activities.
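An added example (my code, not from the original article) of the defensive side: a loader that refuses any untrusted XML carrying a DTD, which is where external entities are declared, before handing it to the parser. The order documents are constructed; the same policy is what the defusedxml library's forbid_dtd option enforces.

```python
import re
import xml.etree.ElementTree as ET

# A DOCTYPE may only appear in the prolog and entity declarations only inside a
# DTD, so rejecting these two markers rejects every external-entity declaration.
DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b")


class UnsafeXml(ValueError):
    """Raised when untrusted input contains constructs we refuse to process."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    if not isinstance(data, bytes):
        raise TypeError("pass raw bytes so the check runs on what the parser sees")
    # A NUL byte means a UTF-16/32 document; the ASCII scan below would miss
    # markers in it, so fail closed instead of guessing the encoding.
    if b"\x00" in data:
        raise UnsafeXml("only single-byte-compatible encodings are accepted")
    if DTD_MARKER.search(data):
        raise UnsafeXml("DOCTYPE/ENTITY declarations are not accepted from untrusted input")
    return ET.fromstring(data)


def load_order(data: bytes) -> dict:
    """Parse a constructed <order> document into a dict of its child fields."""
    root = parse_untrusted_xml(data)
    return {child.tag: (child.text or "") for child in root}


def is_rejected(data: bytes) -> bool:
    try:
        parse_untrusted_xml(data)
    except UnsafeXml:
        return True
    return False


# Constructed inputs: a benign order, and one declaring an external entity that
# points at a made-up local file (the shape of an XXE payload).
BENIGN = b'<?xml version="1.0"?><order><id>42</id><item>widget</item></order>'
WITH_XXE = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///constructed/secret.txt">]>'
            b'<order><id>&ext;</id></order>')

if __name__ == "__main__":
    print(load_order(BENIGN))
    print("XXE sample rejected:", is_rejected(WITH_XXE))
```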
#4 Sensitive Data Exposure
Sensitive Data Exposure is still going to be a big web application vulnerability in 2021.
Sensitive data, such as user credentials, health records, and financial information, among
other things, has never been safe. It is the primary target of hackers.
Thus, such data should never be left visible as plaintext; it should be encrypted. If not,
attackers could easily gain access to confidential information by deploying man-in-the-middle
(MitM) attacks to steal the data in transit.
In the last couple of years, exposure of sensitive data has become increasingly
common. As a result, there has been a significant rise in data breaches. In the majority of
cases, the information in these exposed databases was not encrypted.
This is a big worry for organizations because finding exposed databases is not a big deal for
professional web application vulnerability scanners. According to security experts, one way
to tackle this issue in the future is to enforce encryption and use standard algorithms and
proper key management.
#5 Security Misconfiguration
This type of security vulnerability covers all security risks that are caused not by
a programming error but by a configuration error. Under Security Misconfiguration lies a
wide range of potential security issues, such as outdated software and a lack of operating
system hardening. The worst part is that these issues extend to the web server.
While security misconfigurations can be easily spotted using a web application vulnerability
scanner, dealing with them can be a lot tougher. Using default configurations, neglecting to
upgrade or patch systems, overlooking verbose error messages that leak confidential data, and
misconfiguring security headers can all increase the risk of this vulnerability.
According to experts, security misconfiguration can also be a part of network security. So, it
can pose a major threat to web applications in 2021 if overlooked. Thus, it is important that
organizations update configurations, review all permissions, and install patches.
#6 Broken Access Control
OWASP’s Broken Access Control category covers situations leading to issues like
insecure direct object references and forced browsing. The sad news is that this type of
vulnerability cannot be identified by any kind of automated tool. Therefore, this could be one
of the biggest security vulnerabilities of 2021.
An automated tool can detect the lack of proper authorization; however, it cannot judge
whether certain unauthorized functionality is made available to the user or whether the
account of a specific user should have access to certain resources. This is because such
vulnerabilities can only be judged by a human.
These vulnerabilities can go unnoticed until manual penetration tests are performed. Thus,
organizations need to reuse and implement access control checks throughout their web
applications.
#7 Insecure Deserialization
Insecure Deserialization was only added to the OWASP Top 10 Security Vulnerabilities in the 2017
edition. So, this is a relatively new type of security threat that organizations are still getting
accustomed to.
Deserialization refers to the conversion of serialized information back into objects usable
by the web application. Insecure deserialization is a type of attack on web
applications where these data objects are tampered with, causing serious consequences like
remote code execution or a denial of service (DoS).
The best way to prevent this issue is to stop accepting serialized objects from malicious or
untrusted sources.
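To show what "not accepting serialized objects from untrusted sources" looks like when the pickle format cannot simply be dropped, an added example (my code, not from the original article) following the allow-list pattern from the Python pickle documentation; the allowed types and the two sample payloads are assumptions.

```python
import io
import pickle
from collections import deque

# Only these (module, name) pairs may be reconstructed from untrusted data.
# Assumed allow-list: extend it only with types the application expects.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        # Any other global (os.system, subprocess.Popen, a project class with a
        # dangerous __reduce__) is refused before it is ever looked up.
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads for data of untrusted origin."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_or_error(data: bytes):
    """Return ('ok', value) or ('rejected', message) for a pickle payload."""
    try:
        return "ok", restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)


def check_samples():
    """Run two constructed payloads through the loader: plain containers the
    app expects, and a deque standing in for any type not on the list."""
    expected = pickle.dumps({"user": "alice", "roles": {"reader"}})
    unexpected = pickle.dumps(deque([1, 2, 3]))
    return loads_or_error(expected), loads_or_error(unexpected)


if __name__ == "__main__":
    print(*check_samples(), sep="\n")
```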
#8 Cross-Site Scripting (XSS)
Cross-Site Scripting, or XSS, is one of the most common vulnerabilities affecting web
applications. It works by the attacker injecting a script into the page output of a web
application. This tricks the web browser into believing that the script is part of the page, so it
ultimately runs the script.
The attacker carries out this attack by sending an email to the user with a malicious link,
making it seem like the email is coming from a trusted source. Once the user clicks to open
the link, the script is executed in the user’s web browser. This way, the attacker can easily
steal confidential data, including user credentials and session cookies, and even deliver malware.
The best way to counter this issue is to use frameworks like the latest Ruby on Rails, which
help filter out XSS by design.
#9 Insufficient Logging and Monitoring
Organizations fail to log events of interest regarding their web applications.
This leads to data breaches. Insufficient logging and monitoring is a security vulnerability
because it gives hackers plenty of time to wreak havoc on your web applications.
For organizations, it is important to ensure that all suspicious activities, like input validation
failures, access control failures, failed logins, etc., are logged and addressed in order to identify
malicious accounts.
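An added example (my code, not from the original article) of acting on the logged failures the paragraph lists: a detector run over constructed authentication log lines that flags repeated failed logins per account and source address within a sliding time window. The log format is assumed, not taken from any real product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example):
#   <ISO timestamp> auth <success|failure> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {(user, src): count} for pairs with at least `threshold` failed
    logins inside some sliding window of length `window`; count is the largest
    number of failures seen in one such window."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "failure":
            failures[(ev["user"], ev["src"])].append(ev["ts"])
    alerts = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until all times fit in `window`.
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts


# Constructed sample: one account hammered from one address, one normal user
# who mistypes once and then succeeds.
LOG = """
2022-01-01T10:00:01 auth failure user=bob src=203.0.113.7
2022-01-01T10:00:09 auth failure user=bob src=203.0.113.7
2022-01-01T10:00:15 auth failure user=bob src=203.0.113.7
2022-01-01T10:00:22 auth failure user=bob src=203.0.113.7
2022-01-01T10:00:30 auth failure user=bob src=203.0.113.7
2022-01-01T10:00:41 auth failure user=bob src=203.0.113.7
2022-01-01T10:01:00 auth failure user=alice src=198.51.100.2
2022-01-01T10:01:20 auth success user=alice src=198.51.100.2
2022-01-01T10:05:00 auth failure user=bob src=203.0.113.7
""".strip().splitlines()

if __name__ == "__main__":
    for (user, src), count in detect_bruteforce(LOG).items():
        print(f"ALERT: {count} failed logins for {user} from {src}")
```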
#10 Using Components with Known Vulnerabilities
This is a type of vulnerability that OWASP defines as putting too much trust in third-party
code. The libraries of that code can be rigged, causing serious issues in your web
application.
Thus, organizations need to constantly scrutinize sources like CVE for the components they use. Also,
it is important to monitor patches and version updates for both server- and client-side
components along with their dependencies.
Final Words
These vulnerabilities have always been there. It is up to the organization how they deal with
such issues to protect their web applications. Knowing these flaws ahead can give you an
opportunity to prevent any severe disaster.
7 Types of Security Testing
September 07 09:06 2020 by Nataliia Vasylyna
Nowadays, software users are highly concerned about the security of the data they store
online. At the end of the day, there is a high possibility that hackers would try to steal it.
This is why cybersecurity is a de facto standard for organizations that value their reputation
and customer trust.
What is security testing?
The security assessment is one of many different types of software testing. It enables
validating security across all layers of the software and detecting system loopholes.
Software security tests are indispensable whenever significant changes are made to systems
or before releasing new applications into a live production environment. It is also crucial to
integrate security testing into the product development lifecycle and retest the product
periodically.
There is a globally recognized awareness document that lays the foundation for software
security. The OWASP Top Ten is a list of the most critical cyber vulnerabilities that may lead
to system failures and exposure of sensitive data. Modern security testing methodologies are
rooted in guidance from the OWASP testing guide.
What are the types of security testing?
Vulnerability scanning
Security scanning
Penetration testing
Risk assessment
Security auditing
Ethical hacking
Posture assessment
Vulnerability scanning
This type of security testing involves the detection of system vulnerabilities through
automated software. Vulnerability scanners examine web apps from the outside to identify
cross-site scripting, SQL injections, command injections, insecure server configuration, etc.
The drawback of vulnerability scanning is that it can accidentally cause a system crash if
it mistakenly performs an invasive activity.
Security scanning
Security scanning aims to assess the general security level of the system by detecting weak
points and loopholes. The more intricate the system or network is, the more complicated the
security scan has to be. It can be done as a one-time check, but most software development
companies prefer performing security scanning on a regular basis.
Penetration testing
Pentesting is the imitation of a cyberattack to check for exploitable vulnerabilities. The two
most common forms of penetration testing are application penetration testing that aims to
detect technical vulnerabilities and infrastructure penetration testing which examines servers,
firewalls, and other hardware.
Risk assessment
A security risk assessment is a process of identifying and implementing key security controls
in software. It also focuses on preventing security defects and vulnerabilities. A
comprehensive security assessment allows organizations to create risk profiles for networks,
servers, applications, etc., assess their criticality regarding business operations, and apply
mitigating controls based on assessment results.
Security auditing
Security auditing is the process of testing and assessing the security of the company’s
information system. A security audit allows verifying the adequacy of the implemented
security strategy, uncovering extraneous software, and confirming the company’s compliance
with regulations.
Ethical hacking
The term “ethical hacking” stands for the act of intruding into the system to detect
vulnerabilities before a malicious attacker could find and exploit them. Ethical hackers may
apply the same methods and tools used by their malicious counterparts but with the
permission of the authorized person – they are also expected to report all the vulnerabilities
found during the process to the management.
Posture assessment
A cybersecurity posture indicates how resilient the information security environment is when
it comes to cybersecurity, and how well the enterprise can defend itself against cyberattacks.
Posture assessment provides an overall view of the organization’s security posture, what gaps
currently exist, and what steps need to be taken for improvement.
Conclusion
There is no one-size-fits-all solution with software security – except for regular testing.
Leverage this opportunity to demonstrate to your customers that data security is your priority.
QATestLab offers a combination of advanced methodologies and an experienced team able to
assess the security of web applications, web services, and mobile applications using the latest
tools and techniques. Learn more about why every enterprise needs security testing on our
website.