Today's internet is very different.
We use websites for:
- Banking
- Shopping
- Healthcare
- Government services
- Business communication
Sending sensitive information in plain text is no longer acceptable.
How HTTP Travels Through the OSI Model
An HTTP request moves down the OSI stack like any other data.
Application Layer
↓
Transport Layer (TCP)
↓
Network Layer (IP)
↓
Data Link Layer (Ethernet/Wi-Fi)
↓
Physical Layer
The problem?
The HTTP content remains readable throughout the journey.
Anyone intercepting the traffic can inspect the contents directly.
Enter HTTPS
HTTPS stands for:
HyperText Transfer Protocol Secure
At its core, HTTPS is simply:
HTTP + TLS
The web application behaves exactly the same.
The difference is that communication becomes encrypted before it leaves the device.
This encryption protects information from interception and tampering.
What Is TLS?
TLS stands for:
Transport Layer Security
It is the security technology responsible for protecting modern web traffic.
TLS provides:
- Encryption
- Authentication
- Data integrity
Without TLS, HTTPS would not exist.
Where TLS Fits in the OSI Model
Conceptually, TLS belongs to:
Layer 6 — Presentation Layer
This makes sense because TLS transforms data before transmission.
It changes readable information into encrypted ciphertext.
The Application Layer still generates HTTP requests.
The Presentation Layer encrypts them.
Then the encrypted data moves through the lower layers.
The HTTPS Process Step by Step
Before encrypted communication begins, the browser and server perform a TLS handshake.
This process establishes trust and creates encryption keys.
Step 1: Client Hello
The browser initiates communication.
It sends:
- Supported TLS versions
- Supported encryption algorithms
- Random values used during key generation
Step 2: Server Hello
The server responds with:
- Selected TLS version
- Chosen encryption method
- Digital certificate
Step 3: Certificate Verification
The browser verifies the server's certificate.
This confirms the server is genuinely who it claims to be.
For example:
example.com
must actually belong to the legitimate owner of that domain.
Step 4: Session Key Creation
Both sides generate a shared secret encryption key.
This key will protect the remainder of the session.
Step 5: Secure Communication Begins
Once the handshake completes:
- Requests are encrypted
- Responses are encrypted
- Intermediaries cannot read the contents
Communication becomes secure.
What Happens If Someone Intercepts HTTPS Traffic?
Imagine an attacker captures network packets.
With HTTP, they may see:
Username: alice
Password: mypassword123
With HTTPS, they see something more like:
8F 2A 91 4B D7 11 3C...
The data still travels through the same routers, switches, and cables.
The difference is that the contents are unintelligible without the encryption keys.
HTTP vs HTTPS Through the OSI Model
The best way to understand the difference is layer by layer.
| OSI Layer |
HTTP |
HTTPS |
| 7 – Application |
HTTP Request/Response |
HTTP Request/Response |
| 6 – Presentation |
Plain Text |
TLS Encryption |
| 5 – Session |
Session Management |
Session Management |
| 4 – Transport |
TCP Port 80 |
TCP Port 443 |
| 3 – Network |
IP Packet |
IP Packet |
| 2 – Data Link |
Ethernet/Wi-Fi Frame |
Ethernet/Wi-Fi Frame |
| 1 – Physical |
Raw Bits |
Raw Bits |
Notice something important:
Only the upper layers change.
The lower layers continue functioning normally.
Routers, switches, and physical cables don't care whether the payload contains plain text or encrypted data.
They simply transport it.
Port Numbers: 80 vs 443
HTTP and HTTPS commonly use different TCP ports.
| Protocol |
Default Port |
| HTTP |
80 |
| HTTPS |
443 |
When you enter:
https://example.com
your browser typically connects to port 443.
For:
http://example.com
it usually connects to port 80.
These ports help the destination server determine which service should process the request.
Why Modern Websites Redirect to HTTPS
Today, virtually all reputable websites enforce HTTPS.
Reasons include:
Security
Protects sensitive user information.
Privacy
Prevents eavesdropping on browsing activity.
Integrity
Stops attackers from modifying content in transit.
Trust
Modern browsers warn users when websites are not encrypted.
SEO Benefits
Search engines generally favor secure websites.
The Padlock Icon Explained
Most browsers display a padlock symbol next to secure websites.
The padlock indicates:
- TLS is active
- The certificate is valid
- Communication is encrypted
It does not automatically guarantee the website itself is trustworthy.
A malicious website can still obtain a valid TLS certificate.
The padlock only confirms secure communication.
Comparing HTTP and HTTPS in the OSI Model Simulator
One of the best ways to understand encryption is to observe it visually.
The Roboticela OSI Model Simulator allows you to run:
- An HTTP simulation
- An HTTPS simulation
and compare them side by side.
You'll see how:
- The Application Layer remains largely unchanged
- TLS behavior appears at the Presentation Layer
- Lower layers continue functioning identically
This visual comparison makes the role of encryption immediately obvious.
Landing Page:
https://osi-model-simulator.roboticela.com
Launch Simulator:
https://app.osi-model-simulator.roboticela.com
Try running both protocols back-to-back and watch where the communication paths begin to diverge.
Key Takeaways
- HTTP is a Layer 7 protocol used for web communication.
- HTTP sends data in plain text.
- HTTPS combines HTTP with TLS encryption.
- TLS conceptually operates at the Presentation Layer.
- HTTPS protects confidentiality, integrity, and authentication.
- HTTP typically uses TCP port 80.
- HTTPS typically uses TCP port 443.
- Modern websites overwhelmingly rely on HTTPS for security.
Conclusion
HTTP made the web possible, but HTTPS made it safe.
By introducing TLS encryption into the communication process, HTTPS protects data as it travels across networks, routers, switches, and physical media.
Viewed through the OSI Model, the difference becomes remarkably clear: the lower layers remain largely unchanged, while the Presentation Layer transforms readable information into secure encrypted data.
In the next article, we'll explore another critical Application Layer protocol: DNS, the system that translates human-friendly domain names into the IP addresses computers actually use.