What is HTTP
Http stands for hypertext transfer protocol which means it can transfer the text from one to another computer using a network. As we know HTTP transfers the text without any encryption. To know why you should not fill forms on non-https websites, then first you should know how https works.
With Http, the network owner or interceptor can easily monitor the traffic packets and see the information behind it.
Whenever you submit any form on a website that does not use https then the browser sends the data as it is without any encryption.
If you want to know how a browser sends a request to the server, see the example of the POST request below.
Suppose you enter an email address and password in a form and hit the submit button.
Then what goes behind the scenes?
The browser sends the request to the server like this.
POST /api/2/users/login/ HTTP/1.1
Host: example.com Content-Length: 48 Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.90 Safari/537.36 Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/app/login.html Accept-Language: en-US,en;q=0.8,ca;q=0.6 Accept-Encoding: gzip email=emailusername%40gmail.com&password=qwerty123
A network interceptor can easily get the username and password from this request. That is how a man in the middle attacks also works.
If you want to try it out just download the Packet Capture app from google play store. And browse any non-https website.
Then monitor the traffic from this app. You will be able to easily view the data.
How https works
If I want to explain how https works then it will take too much time. So here I am explaining it in short that how a browser secures the communication.
Https uses an extra SSL layer for transporting data from a browser or app to the server.
There is a pair of a public and private key on the web server.
The browser initiates the trust by generating a session key.
First the server sends it’s public key to the browser.
Then the browser generates the session key and encrypts it with the public key.
The private key always kept on the server. Only the public key is shared with the browser.
After that browser sends the encrypted session key to the server and the server decrypts it with the private key.
Then the symmetric encryption takes over.
After that process every data you submit in forms encrypted with the session key between browser and server.
Now the network interceptor can only view data that is in encrypted form and he can not decrypt it as he or she does not has the private key of the server to decrypt the session key which is required to decrypt the data.
The detailed picture is shown below.
Finally thanks for reading “How https works and why you should not submit forms on non-https website”. Next read How to generate a free SSL Certificate for your website.