What is it?

HyperText Transfer Protocol (HTTP) is the protocol used to transfer web pages. It is the “language” that an HTTP Server speaks and a Web Browser understands. HTTP does not include any security measures.

HyperText Transfer Protocol Secure (HTTPS) is the same protocol with security added. All communications between the server and the browser (and back) are encrypted in HTTPS. HTTPS uses Transport Layer Security (TLS), previously Secure Sockets Layer (SSL), to encrypt and decrypt the web page contents.

TLS requires a “certificate” that confirms that you are, in fact, who you say you are. There are a variety of kinds of certificates, ranging from free single site certificates up to organization-wide multi-site certificates.

Smashing Magazine (link below) provides an excellent explanation of the protocols and kinds of certificates. It is a very long document, but you can skip the large portions that do not apply to you.

Why is it a risk?

HTTP is perfectly fine for viewing static web pages that don’t contain anything confidential. The trouble comes when those web pages contain confidential information or contain forms that the user can fill in and submit back to the server. Without security, bad actors on the network path can easily view the contents of those forms and pages. This might include user names and passwords if the web site allows users to log in.

For this reason, all but the most trivial of web sites should use HTTPS instead of HTTP.

How can you mitigate the risk?

Configure your HTTP Server to use HTTPS for all web pages. The Smashing Magazine article linked below provides step-by-step instructions for the most popular HTTP Servers (Apache, nginx and IIS).

Resources:

Smashing Magazine The Complete Guide To Switching From HTTP To HTTPS

https://www.smashingmagazine.com/2017/06/guide-switching-http-https/
