HTTPS and VPN have one thing in common: they encrypt your data to provide secure communications over the Internet. However, many people believe they must choose between HTTPS and VPN. In this article, we show you how the two technologies work together to bring you the best possible online privacy and security.
What is HTTPS?
HTTPS (Hypertext Transfer Protocol Secure) supersedes HTTP and facilitates secure communications on the web. It primarily focuses on authentication, and it protects the privacy and integrity of the data packets transferred over it.
Initially, websites used HTTPS to provide shielded payment transactions online. The only time when HTTPS pages crossed your path was while shopping and checking banking details. Corporations applied HTTPS in classified emails and transactions.
In 2014, Google was among the first companies to pull the trigger and start using HTTPS as the default protocol, thanks to its security features. In 2019, a security researcher reported that 51.8% of the one million most visited sites redirect visitors to HTTPS.
How HTTPS works
TLS (Transport Layer Security) is the cryptographic protocol in charge of encrypting HTTPS traffic. TLS supersedes SSL (Secure Sockets Layer) and is typically known as SSL/TLS. As such, HTTPS is also called HTTP over SSL, HTTP over TLS, or HTTP over SSL/TLS.
HTTPS takes advantage of two-way encryption. It means that it uses the same algorithm to encrypt the plaintext and decrypt the ciphertext. As such, HTTPS defends client and server connections from tampering, eavesdropping, and man-in-the-middle attacks.
HTTP vs. HTTPS
Two key differences between HTTP and HTTPS are:
- HTTPS address names start with https:// and use port 443 over TCP by default.
- Meanwhile, HTTP addresses start with http:// and use port 80 over TCP by default.
HTTP does not benefit from the same encryption features as HTTPS. It is not encrypted at all. Consequently, Internet users who access HTTP sites unwittingly expose themselves to hacker surveillance and man-in-the-middle attacks.
For instance, cybercriminals can monitor your HTTP traffic. They can find out what websites you are visiting, what accounts you use to sign in to those pages, and what your credit card details are. This is why all banking sites now use HTTPS. Hackers can also modify the websites you access to inject adware, spyware, ransomware, viruses, Trojans, or other types of malware.
Some sites are accessible in both HTTP and HTTPS modes. When this happens, you should always opt for HTTPS since it is the safest option.
How to tell if a site uses HTTPS
As we previously mentioned, URLs start with either https:// or http://. You can easily check this by taking a look at the address bar of your web browser. Here is what it looks like on Google Chrome, Mozilla Firefox, Internet Explorer, Microsoft Edge, Opera, and Safari.
- In Google Chrome, the https:// prefix is not visible in the address bar. But there is a lock symbol next to the URL. Clicking it reveals site information, such as Connection is secure and Certificate (Valid).
- HTTP links are not preceded by http:// either. Instead, you can notice the Not secure label. Clicking the label opens a small area with site information, like Your connection to this site is not secure, followed by a description.
- In Mozilla Firefox, the https:// prefix can be seen in the address bar. It is accompanied by a green lock that, once clicked, shows the site information like Secure connection and Verified by: DigiCert Inc.
- It is not so easy to spot HTTP addresses because they do not begin with http://. But you can click the i (information) symbol to view site details like Connection is not secure (highlighted in red).
- In Internet Explorer, it is visible that HTTPS websites start with https://. There is also a lock at the right of the address bar. Clicking the lock turns it yellow and opens the security report with This connection to the server is encrypted.
- HTTP pages do not have locks or security reports. But they stand out because they begin with http://.
- In Microsoft Edge, https:// is noticeable at the beginning of each HTTPS address. There is also a lock symbol near it. If you click the lock, you can find out more info about the site, including Your connection to the server is encrypted.
- On the other hand, HTTP addresses are not preceded by http:// like in Internet Explorer. But you can click the i (information) symbol to see Be careful here, along with Your connection to this site is not encrypted.
- In Opera, it is not visible that HTTPS sites begin with https://, but each address has a green lock. If you click the lock, you can check out various site data, like Connection is secure and Certificate (Valid).
- Not even HTTP links start with http://. But they have a Not secure label that, once clicked, reveals Your connection to this site is not secure (highlighted in red), followed by a description.
Our website, FindYourVPN, is secured with HTTPS. It can be easily noticed by taking a look at the address bar, as can be seen in the screenshots below. This means that your connection to any pages hosted on FindYourVPN is protected from hackers, thanks to end-to-end encryption. We cannot decrypt your data traffic either.
How to always use HTTPS
To enable secure connections, you can install tools that force your browser to always connect to HTTPS pages. Here are some examples:
- HTTPS Everywhere is a browser extension available for Firefox, Chrome, and Opera. It was developed by the Electronic Frontier Foundation and the Tor Project. The tool redirects you to the HTTPS counterpart of an HTTP page, if it exists. It offers an excellent solution for overcoming situations when sites open HTTP pages by default. Moreover, you can disable unencrypted requests.
- Smart HTTPS is similar and can be installed on Firefox, Chrome, and Opera. This addon gives you the possibility to create a whitelist and blacklist so that you can allow your browser to load trusted HTTP sites.
- SSL Enforcer is a desktop client that works with Windows and macOS systems. Once installed, it enforces HTTPS connections on all applications, including browsers and email clients. It auto-switches to HTTPS pages if they exist, and you can configure it to block HTTP pages.
What is VPN?
VPN (Virtual Private Network) is a technology used to create a secure tunnel between your computer and the public Internet. By doing this, it keeps your online traffic safe from your ISP, government, marketing agencies, and any other third parties interested in collecting and processing details about your online profile.
Unlike HTTPS, where the site owner integrates SSL to ensure safe connections, using a VPN is the responsibility of each Internet user. A VPN service protects not only your browser communications but also all your software programs with web access.
How VPN works
The VPN client reroutes your data packets to its secure servers and individually wraps each piece of information into an encrypted layer. The encrypted layers are then safely transferred over the public Internet. Even if a hacker obtains the data packets, they would not be able to decrypt them.
After the encrypted layers reach the designated destination, the VPN server decrypts them to deliver the original message in an unencrypted format. It repeats this process for all sent and received messages until you disconnect from the VPN client.
Differences between HTTPS and VPN
Both HTTPS and VPN are technologies designed to help Internet users maintain their privacy. However, they act in different ways. Here are the main differences to know about HTTPS and VPN:
Who is in control
Only the administrator of a website can set SSL certificates. You cannot pick which site should implement HTTPS, nor force the site owner to do this. At best, you can make a suggestion.
Adding a browser extension to always use HTTPS does not change anything in the site’s code. It only switches from HTTP to HTTPS if the HTTPS version already exists, and it can disable access to HTTP pages.
On the other hand, each Internet user can choose if they want to use a VPN. You can select your favorite VPN service and connect to a server. To enjoy secure browsing, your VPN should remain running.
A site owner cannot force visitors to use or not use a VPN. Only governments can demand that ISPs block access to certain sites if they suspect VPN traffic. But you can get around this by hiding the fact that you are using a VPN.
Application support and price
It is not necessary to install special software to use HTTPS. All you need is a reliable web browser that correctly identifies SSL certificates on visited pages. It must also allow HTTPS pages. Since web browsers are free to use, HTTPS is free, too.
VPN client apps must be installed to be able to use the VPN service. Otherwise, you can download manual configuration files to set up VPN on your router, desktop or smartphone. Regardless of the method used, it means establishing a relationship with a VPN provider, whereas HTTPS involves a web browser only.
Although there are free VPN services, we do not advise using them due to the high security risks. Unfortunately, the Internet is filled with VPN scams that collect and store your data, thus compromising your HTTP traffic. Instead, you should pick a premium VPN service. But it is not free.
Protocols and ports
HTTPS is a protocol that uses port 443 over TCP. VPN is not a protocol but a network that can handle various VPN protocols when connecting to the Internet, including ones that use port 443 over TCP.
For example, if your VPN application uses the OpenVPN protocol, it can route your VPN traffic through TCP using port 80, 110, 443, 501 or 502. Alternatively, you can switch to UDP with port 53, 1194, 1197, 1198, 8080 or 9201.
Hiding your IP address
Although HTTPS uses end-to-end encryption to conceal the data you exchange with an HTTPS site, it cannot hide your IP address and spoof your location. Your ISP cannot find out what you are doing on the web, but they can tell that it is you. Also, HTTPS does not help you sidestep government censorship.
On the other hand, a VPN service not only encrypts your information but also masks your IP address and keeps your location a secret. Your ISP cannot tell who you are. Instead, all they see is an IP address provided by your VPN. However, you still risk leaking your sensitive data like email credentials or credit card info over HTTP, even if you use a VPN.
Range of protected applications
Being cautious about secure communications means paying attention to the visited sites so that you always choose HTTPS over HTTP. In this case, HTTPS protects you as long as you use a web browser.
On the other hand, a VPN client that you downloaded and installed secures your entire range of Internet-enabled software: web browsers, email clients, VoIP desktop clients, and so on.
Some tools, like WhatsApp and Viber, have end-to-end encryption. Others like Facebook Messenger and Instagram Direct do not benefit from this security feature. Therefore, it is crucial to protect your online privacy with a VPN.
VPN traffic can be blocked
If you are one of the unlucky Internet users who live in a country with strict laws against VPN usage, then you might already know how VPN data can be blocked. There are multiple methods for detecting VPN traffic, like using Deep Packet Inspection (DPI).
The one who is watching cannot see what you are doing online, just the fact that you are routed through VPN. Because users turn to VPN services to bypass firewalls and view forbidden content, it is no wonder that some governments order ISPs to block VPN traffic.
However, ISPs do not block HTTPS traffic because the government understands and accepts the fact that many Internet users are simply concerned about their online privacy. The trick is to obfuscate VPN traffic to make it look like standard HTTPS traffic.
Encryption and trust
HTTPS ensures end-to-end encryption. It means that only you and the remote computer can read messages. Telecom providers, ISPs and governmental groups will not be able to access the cryptographic keys necessary for deciphering the message contents. You do not have to trust anyone not to divulge your secrets.
VPN encrypts data exchanged between your computer and the VPN server. Like in the case of HTTPS, third parties cannot see what you do on the Internet. However, your VPN provider can. This is why many services adopt a no-logs policy, assuring customers that their data is never stored. But there have been cases when such companies compromised a person’s identity despite their no-logs claim. Therefore, it remains a matter of trust when it comes to VPN.
HTTPS is vulnerable to an array of attacks affecting SSL/TLS, like root certificate, Heartbleed, DROWN, ROBOT, and KRACK. VPNs can help counteract these types of attacks.
The vulnerability of a VPN largely depends on the protocol and encryption mode used. For instance, PPTP and L2TP are weak protocols and expose you to a series of issues.
But most VPN services now use the OpenVPN protocol almost exclusively. Although OpenVPN suffers from some security vulnerabilities, too, they are quickly patched by the developers since it is an open-source project.
What about HTTPS vs. VPN?
There is no competition between the two since they are used for different things. HTTPS websites provide end-to-end encryption for web browsing while a VPN service protects all your Internet-capable applications.
Besides, you can access HTTPS sites or use a browser addon that enforces HTTPS connections even while connected to a virtual private network.
What about using HTTPS and VPN together?
By this point, you might think that it is enough to use HTTPS to protect your online privacy while browsing the Internet since it uses end-to-end encryption. However, HTTPS cannot guard you against DNS leaks because it cannot encrypt your DNS requests.
If a cybercriminal joins your Internet connection, they could analyze your DNS queries and the responses of your DNS resolver. This way, the hacker obtains the list of websites you visit, compromising your privacy.
Besides the fact that hackers can take advantage of your DNS leaks to keep track of your activity and steal your data, they could also impersonate your DNS resolver and attempt to redirect you to sites infected with malware. This is a process known as DNS poisoning. The fake sites may have valid SSL certificates, and it is quite challenging to detect hijacked HTTPS sites.
But all of this can be avoided by getting equipped with a reliable VPN service. Because it routes all your network traffic to its servers, the VPN protects you from cybercriminals.
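To make the DNS point above concrete, the following added example (not part of the original article) encodes standard DNS queries and then reads the hostnames back out of the raw bytes, which is all an observer of unencrypted port-53 traffic needs to do even when the sites themselves use HTTPS. The function names and the sample hostnames are constructed for illustration.

```python
import struct

QTYPES = {1: "A", 28: "AAAA"}  # record types a browser lookup usually requests

def build_query(hostname, qtype=1, txid=0x1234):
    """Encode a standard DNS query (RFC 1035) as carried in a UDP payload."""
    # Header: id, flags (recursion desired), 1 question, no other records
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    parts = hostname.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def parse_question(payload):
    """Return (hostname, record type) exactly as an on-path observer reads it."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while pos < len(payload) and payload[pos] != 0:
        length = payload[pos]
        if length > 63 or pos + 1 + length > len(payload):
            raise ValueError("bad label")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    if pos + 5 > len(payload):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", payload[pos + 1:pos + 5])
    return ".".join(labels), QTYPES.get(qtype, str(qtype))

def visible_hostnames(payloads):
    """Distinct hostnames readable from port-53 payloads, in first-seen order."""
    names = []
    for payload in payloads:
        try:
            name, _ = parse_question(payload)
        except ValueError:
            continue  # skip malformed or non-query packets
        if name not in names:
            names.append(name)
    return names

# Constructed sample: two lookups, one repeat, one junk packet.
CAPTURE = [build_query("bank.example"), build_query("mail.example", qtype=28),
           build_query("bank.example", txid=0x9999), b"\x00\x01"]
```

The hostname sits in the query as length-prefixed ASCII labels with no encryption, so the list of visited sites is recoverable without touching the HTTPS session at all.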
What about using HTTP and HTTPS over VPN?
Here is what happens when you access HTTP and HTTPS websites while you are connected to a virtual private network client:
- HTTP over VPN: your connections are not encrypted, so the VPN provider can see what you are doing. This is why you should resort to a VPN service with a no-logs policy.
- HTTPS over VPN: your Internet connection is encrypted. It means that not even your VPN provider can see the sites you visit, the files you download or the private conversations you have.
To be positive that your VPN provider does not have access to details about your online traffic when using HTTP, you should choose a VPN service that does not collect and store information about your VPN traffic.
Taking everything into account, HTTPS perfectly blends with VPN to bring you the best possible online privacy and security. There is no conflict between the two, so you can use them both with confidence. While HTTPS takes care of end-to-end encryption for web browsing, VPN hides your IP address and ensures protection for the entire computer.