How does a web browser know if the destination is http or https?

Your browser remembers the port and protocol from previous interaction with the site.

Paypal uses HTTP Strict Transport Security. This means that the server had sent (perhaps via port 80) a response header including Strict-Transport-Security:max-age=63072000 before you even started looking. The age shown is in seconds. So for the next two years after a visit to port 80 the browser does not have to go to port 80 again; it should go to port 443. In fact subsequent visits to port 443 will receive the same instruction, so it applies indefinitely for people who use Paypal every year.

This is an improvement over the previous scheme, where each request to port 80 got a redirect to port 443, which was slower. Relying on redirects was also less secure, because the browser would not mind if Paypal (or rather a MITM attacker impersonating Paypal) suddenly converted from HTTPS to HTTP. Under HTTP Strict Transport Security this kind of attack ends up much more conspicuous, as the attacker would be forced to use HTTPS to talk to the browser, but they do not have access to any HTTPS server certificate issued to Paypal.
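The behaviour described in the answer, as an added example that is not part of the original post: a small model of the browser side of HSTS. It parses a Strict-Transport-Security header, stores a per-host policy with an expiry computed from max-age, honours includeSubDomains, and rewrites a plain-http URL to https while a policy is live. Two details follow RFC 6797 rather than the answer's wording: the header is only recorded when it arrives in an https response (a browser ignores it over plain http), and max-age=0 deletes the stored policy. The host names, dates and header values are constructed for the demo.

```javascript
// Added example (not code from the original post or from any browser):
// a minimal in-memory model of a browser's HSTS policy store.
// Hosts, timestamps and headers below are constructed for the demo.

// Parse "max-age=63072000; includeSubDomains; preload" into {maxAge, includeSubDomains}.
// Returns null for a malformed header (missing or duplicated max-age),
// which the browser treats as "no policy". Unknown directives are ignored.
function parseHsts(headerValue) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of headerValue.split(';')) {
    const directive = raw.trim();
    if (!directive) continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? null : directive.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (name === 'max-age') {
      if (value === null || !/^\d+$/.test(value) || maxAge !== null) return null;
      maxAge = Number(value);
    } else if (name === 'includesubdomains') {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  constructor() {
    this.policies = new Map(); // host -> { expires (ms epoch), includeSubDomains }
  }

  // Record the policy carried by a response. Only https responses are honoured
  // (RFC 6797 section 8.1). max-age=0 removes any stored entry. Returns true if
  // the store was updated.
  recordResponse(responseUrl, headerValue, nowMs) {
    const u = new URL(responseUrl);
    if (u.protocol !== 'https:') return false;
    const policy = parseHsts(headerValue);
    if (policy === null) return false;
    const host = u.hostname.toLowerCase();
    if (policy.maxAge === 0) {
      this.policies.delete(host);
      return true;
    }
    this.policies.set(host, {
      expires: nowMs + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // True if an unexpired policy covers `host`: an exact entry, or an entry for a
  // parent domain that set includeSubDomains. Expired entries are dropped.
  isKnownHost(host, nowMs) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const p = this.policies.get(candidate);
      if (!p) continue;
      if (p.expires <= nowMs) {
        this.policies.delete(candidate);
        continue;
      }
      if (i === 0 || p.includeSubDomains) return true;
    }
    return false;
  }

  // The URL the browser should actually fetch: unchanged unless it is http and
  // a live policy covers the host, in which case the scheme becomes https.
  // WHATWG URL drops the default port, so http://host:80/ becomes https://host/ (port 443);
  // a non-default port such as :8080 is kept, as RFC 6797 requires.
  rewrite(url, nowMs) {
    const u = new URL(url);
    if (u.protocol !== 'http:') return url;
    if (!this.isKnownHost(u.hostname.toLowerCase(), nowMs)) return url;
    u.protocol = 'https:';
    return u.toString();
  }
}

// Walk through the lifecycle the answer describes: header ignored over http,
// recorded over https, applied for two years, expired, then renewed by a later visit.
function demo() {
  const store = new HstsStore();
  const day = 86400000;
  const t0 = Date.parse('2024-01-01T00:00:00Z'); // constructed first-visit time
  const header = 'max-age=63072000; includeSubDomains'; // 63072000 s = 730 days
  const ignoredOverHttp = store.recordResponse('http://paypal.com/', header, t0);
  const recordedOverHttps = store.recordResponse('https://paypal.com/', header, t0);
  const rewrittenNow = store.rewrite('http://www.paypal.com/signin', t0 + day);
  const subdomain = store.rewrite('http://history.paypal.com/', t0 + day);
  const unrelated = store.rewrite('http://example.test/', t0 + day);
  const expired = store.rewrite('http://www.paypal.com/signin', t0 + 731 * day);
  store.recordResponse('https://paypal.com/', header, t0 + 731 * day); // user visits again
  const renewed = store.rewrite('http://www.paypal.com/signin', t0 + 732 * day);
  return { ignoredOverHttp, recordedOverHttps, rewrittenNow, subdomain, unrelated, expired, renewed };
}
```

Run `demo()` to see the sequence: the policy is only learned from the https response, every http URL under paypal.com is upgraded for 730 days, the upgrade stops once max-age has elapsed, and a fresh https visit starts the clock again, which is why a regular visitor is covered indefinitely.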

Tags:

Browser