HTTP vs HTTPS (for Hackers): The Locks, the Leaks, and the Lessons

Goose Gustin

One of the first things you learn in cybersecurity is to read URLs like a paranoid detective. And right up front, you see it:

http:// or https://.

Seems simple - one has an “S” and the other doesn’t.

But as I’ve been learning, that “S” is doing a lot of heavy lifting — and for hackers, that difference matters.

It's not just an "S". It's a symbol of hope :)


🧠 A Protocol Primer (Without the Boredom)

HTTP (HyperText Transfer Protocol) is how your browser talks to websites.

You type a domain, hit enter, and — boom — the site loads.

But HTTP is like sending a postcard. Anyone along the way — your ISP, a hacker on the same Wi-Fi, a shady coffee shop router — can read what you wrote.

HTTPS (Secure HTTP) is that same postcard… but sealed in an envelope, written in code only the recipient can decode.

That encryption comes from TLS (Transport Layer Security), the successor to SSL (Secure Sockets Layer), which is why you still see it written as SSL/TLS. It’s why HTTPS sites show a padlock icon.


💻 Why This Matters to Hackers

Hackers — even beginner ones — care about HTTP vs HTTPS because:

HTTP = Easy Sniffing: On unencrypted sites, tools like Wireshark or Burp Suite can capture credentials, cookies, search queries… basically anything. It’s how session hijacking, MITM attacks, and credential theft often begin.

HTTPS = Safer, Not Invincible: It doesn’t stop phishing, misconfigured headers, or vulnerable web apps. It just makes casual eavesdropping harder. Plenty of attacks still happen after the encryption ends — like XSS or SSRF.

Downgrade Attacks Exist: Some attackers try to force connections to fall back from HTTPS to HTTP. (Ever heard of SSL stripping?)


🧪 What I Tried (and Noticed)

I used DevTools to inspect a few sites. Typed http://example.com — noticed how it redirected to HTTPS. That’s HSTS (HTTP Strict Transport Security) in action. Good stuff.

Then I sniffed HTTP traffic from a deliberately insecure site (like bWAPP). I could see usernames and passwords fly by in plain text.

It was jarring. Like seeing someone yell their PIN across a crowded room.


🔐 Quick Things I Now Check on Sites

Do they force HTTPS?

Do they have HSTS headers?

Is there a valid SSL certificate? (curl -v https://example.com is handy)

Can I still reach them over HTTP if I try manually?

These small tests tell me a lot — and they’re often part of the recon phase in hacking.
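The HTTPS, HSTS and plain-HTTP checks from the list above, as an added example (not the author's code) that audits response headers already captured with curl -sI from a site you run. The finding codes, the 180-day MIN_MAX_AGE floor and the shop.example samples are assumptions made for this example; certificate validity is left to curl -v as noted above.

```python
import re
from urllib.parse import urlsplit

MIN_MAX_AGE = 15552000  # 180 days: an assumed policy floor, not a value from the article


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797); None if max-age is absent or bad."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not re.fullmatch(r"[0-9]+", arg):
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy if policy["max_age"] is not None else None


def audit(http_resp, https_resp):
    """Each argument is (status, headers) as captured with curl -sI. Returns finding codes."""
    findings = []
    status, headers = http_resp[0], {k.lower(): v for k, v in http_resp[1].items()}
    if status not in (301, 302, 303, 307, 308):
        findings.append("http-serves-content")       # site is reachable in cleartext
    elif urlsplit(headers.get("location", "")).scheme != "https":
        findings.append("redirect-not-https")        # redirect keeps the user on HTTP
    if "strict-transport-security" in headers:
        findings.append("hsts-on-http-ignored")      # browsers ignore HSTS sent over HTTP
    secure = {k.lower(): v for k, v in https_resp[1].items()}
    hsts = secure.get("strict-transport-security")
    policy = parse_hsts(hsts) if hsts is not None else None
    if hsts is None:
        findings.append("hsts-missing")
    elif policy is None:
        findings.append("hsts-invalid")
    elif policy["max_age"] == 0:
        findings.append("hsts-disabled")             # max-age=0 clears any stored policy
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append("hsts-short-max-age")
    return findings


# Constructed sample captures (shop.example is a placeholder host).
GOOD = ((301, {"Location": "https://shop.example/"}),
        (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
WEAK = ((200, {"Strict-Transport-Security": "max-age=31536000"}), (200, {}))
```

audit(*GOOD) returns an empty list, while audit(*WEAK) reports a site that answers in cleartext and whose only HSTS header is sent where browsers will not honor it.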


🔁 TL;DR

HTTP is cleartext. Anyone can read your data.

HTTPS is encrypted, but it’s not a silver bullet.

As a hacker (or defender), you care about both, because the path data takes can reveal exposures or misconfigurations.
