Is there any difference between HTTP and HTTPS when using my home / own internet connection
TLS provides three things:
- Confidentiality: that nobody can see the traffic between you and
facebook.com
(including the guy at the next table at Starbucks, your ISP, some sketchy network equipment in the datacentre COUGH NSA, nobody). - Integrity: that nobody is modifying the messages as they travel between you and
facebook.com
(this is separate from Confidentiality because some kinds of attacks allow you to modify the message in a malicious way even if you don't know what the messages are). - Authentication: that you are talking to the authentic
facebook.com
server, not a spoofed version of it.
The basic idea what I got from them is, when using https all things are encrypted in client side and then sent it to the server. (Please correct me if I am wrong)
That covers the confidentiality and integrity parts, but you're missing the authentication part:
To prove that you're not talking to a spoofed web server.
Say I set up a phishing version of Facebook and I somehow hack into your home router (easy) or ISP (harder) so that when you type facebook.com
it resolves to my IP address instead of the real one. I've created an exact copy of the login screen you expect and you'll enter your username and password. Muahaha! Now I have your username and password.
How does HTTPS prevent this? Answer: with Certificates:
If we open up the certificate in my browser's Dev Tools > Security, we'll see this:
DigiCert is what's called a Publicly-trusted Certificate Authority (CA). In fact, DigiCert is one of the CAs that your browser inherently trusts because its "root certificate" is embedded into your browser's source code. You can see the full list of trusted root CAs by digging around in browser Settings and looking for "Certificates" or "Trusted Roots" or something.
So, your browser inherently trusts DigiCert, and, through this certificate, DigiCert has certified that the server you are talking to is the real facebook.com
(because it has the private key that matches the certificate). You get the green padlock and you know that everything is good.
Just for fun, let's make a fake facebook.com
. I added this line to my hosts file so that any time I type facebook.com
it will redirect to google.com
's IP address:
209.85.147.138 facebook.com
Google, what'cha doing trying to steal my facebook password?? Thank goodness HTTPS is here to protect me! My browser is super unhappy because the certificate it was presented (for google.com
) doesn't match the URL it requested (facebook.com
). Thanks HTTPS!
Short answer:
HTTPS intends to establish a secure connection between a registered website and its user computer, so you can be sure, that the visited site is really what you wanted to visit, and the data is not acquired/altered in transit.
Long anser:
If I understood you correctly, your basic idea is, that only a network admin can monitor your activity, and there is no such thing at home. This is not the case.
Any individual, group, company(ISP) or state can see and alter the transit, and by that infect your computer. The internet nowadays is rather a cyberwarzone, where the mentioned entities often attack even their allies to steal information=money=power, gain control, threaten or physicall injure people through hacking. Even state tools are available for individuals on the black market. Persistent tools/malware survive changing the hard drive, so they can monitor/harm you in long term.
The problem with https is, that it can be also hacked many ways, thus it gives you a false sense of security, which might be more dangerous.
This is why it is important to use https, whenever you can, and care about system security too. You can download extensions for browsers to automatically direct you to HTTPS sites, when it is possible.
The other answers so far are good. I'll add one more angle: The Internet is a loosely connected mesh of routers; your home wifi router is only one of them. Any HTTP connection you make to a web server elsewhere on the net typically takes a path through a dozen or so routers to get there. That path changes frequently depending on network conditions; you can't predict whose routers you will be using. Each of these routers is owned and managed by a different person or company[1].
All of those people have the ability to watch your data as it goes past. They might do this on a routine basis, in non-malicious situations, during the course of everyday troubleshooting, because that mesh of routers needs constant monitoring and administration to keep it running at all; this effort encompasses several career fields alone. (The people who choose these career fields tend to be rather adamant about good security and tend to take their social responsibility seriously, but the only thing keeping them out of your data in a practical sense is their own conscience and reputation.)
So the equipment, software, and capability is already there; all a bad guy has to do is co-opt someone else's router or monitoring system.
HTTPS connections take the same path, but because they are encrypted, only the web server's administrator can see the cleartext content; the router administrators will only see what looks like random noise. (The web server itself might be compromised, but that's a different problem.)
[1] Playing with the traceroute
or tracert
command yourself will give you a glimpse of what these paths can look like.