Port 80 vs Port 443

Everything to Know About Port 80 (HTTP) and Port 443 (HTTPS)

The internet runs on protocols and ports. When you enter a website URL in your browser, your computer connects to a web server using these protocols and port numbers. The two main protocols used on the web are HTTP (Hypertext Transfer Protocol) and HTTPS (HTTP Secure). These use different default ports – HTTP uses port 80 while HTTPS uses port 443.

Head-to-Head Comparison Between Port 80 vs Port 443

| Feature | Port 80 (HTTP) | Port 443 (HTTPS) |
|---|---|---|
| Encryption | No | Yes (TLS/SSL) |
| Security | Low | High |
| Speed | Slightly faster | Slightly slower due to encryption overhead |
| SEO Ranking | Lower trust ranking | Higher trust ranking |
| Browser Compatibility | Universal | Requires HTTPS support |
| Cost | Free | Certificate fees may apply |
| Required Configuration | Minimal | TLS/SSL certificate required |
| Visible Data | All data visible | Data encrypted |
| Common Use | Non-sensitive data | Sensitive data, ecommerce |
| Ability to Use Other Protocols | No | Yes (HTTP/2, TLS 1.3, etc.) |

What is a Port?

In computer networking, a port is a communication endpoint. It is a logical construct that identifies a specific process or service on a host. Ports allow different applications on the same host to utilize network resources without interfering with each other.

Some common ports you may have heard of:

  • Port 80: Default port for HTTP
  • Port 443: Default port for HTTPS
  • Port 25: Simple Mail Transfer Protocol (SMTP) for email
  • Port 22: Secure Shell (SSH) for secure logins and file transfers

Ports range from 0 to 65535, but only ports 0 to 1023 are reserved for common protocols and services. The remaining ports, from 1024 to 65535, are available for any application.

What is HTTP and Port 80?

HTTP stands for Hypertext Transfer Protocol. It is the underlying protocol of the World Wide Web that defines how web browsers and servers communicate. HTTP works on a request-response model. When you enter a website URL in your browser, it sends an HTTP request message to the server. The server then responds with the requested resource – usually an HTML document and associated assets like images, CSS, JavaScript files etc.

HTTP uses port 80 by default. So if you enter a URL like http://example.com, your browser makes a connection to example.com on port 80 to request the resource.

Some key properties of HTTP:

  • Connectionless: No persistent connection between requests. Each request opens a new connection, which closes after the response.
  • Stateless: Servers do not retain session data between requests. No relation between consecutive requests.
  • Unencrypted: HTTP communication is not encrypted. Data is sent in plain text which can be read by anyone capturing network traffic.

HTTP is fine for non-sensitive data like public websites. But transmitting private information over HTTP is risky since anyone can eavesdrop. This led to the development of HTTPS.

What is HTTPS and Port 443?

HTTPS stands for HTTP Secure. It is an encrypted version of HTTP that provides secure communication over the web. With HTTPS, all communication between browser and server is encrypted using Transport Layer Security (TLS).

HTTPS uses port 443 by default instead of port 80. When you enter a URL like https://example.com, your browser makes a secure TLS connection to example.com on port 443.

Some key properties of HTTPS:

  • Encrypted: All data is encrypted before transmission, preventing eavesdropping and man-in-the-middle attacks.
  • Authenticated: The identity of the server is verified through digital certificates.
  • Integrity: Data is protected from tampering and forgery through message authentication codes.
  • Persistent: HTTPS connections are persistent and only end when explicitly closed.

Since HTTPS provides security, it is used for all sensitive transactions on the web – eCommerce, banking, login pages etc. HTTP websites are increasingly migrating to HTTPS for security reasons.

Why are Separate Ports Used?

HTTP and HTTPS use different default ports even though they are very similar protocols. This is useful to distinguish between secure and non-secure web traffic.

Using distinct ports provides the following benefits:

  • Clients Can Identify the Protocol: Based on the port number, clients can identify if a website uses HTTP or HTTPS. They may decide to avoid HTTP sites for sensitive operations.
  • Web Servers Can Host Both Protocols: Servers can host secure and non-secure sites on the same IP address by using different ports for HTTPS and HTTP.
  • Network Devices Can Handle Traffic Differently: Firewalls, proxies etc. can handle HTTP and HTTPS traffic differently for security purposes. HTTPS traffic may be given priority.
  • Separate Process Allocation: The operating system can allocate separate processes and memory resources for the HTTP and HTTPS services.
  • Backward Compatibility: Introducing a new protocol like HTTPS while retaining HTTP ensures backward compatibility with systems that only understand HTTP.

Common Uses: Port 80 vs Port 443

Port 80 and 443 are mainly used for web traffic but they support other protocols too:

Port 80

  • HTTP web traffic
  • Unsecure FTP transfers
  • Web proxy servers
  • Web caching systems like Squid

Port 443

  • HTTPS web traffic
  • Secure FTP over SSL/TLS (FTPS)
  • Secure SMTP over TLS (SMTPS)
  • VPN tunneling protocols like OpenVPN

Though primarily used for their respective protocols, applications are free to use these ports if it makes sense for their usage.

Can You Change the Default Ports?

The default port numbers are a convention and can be changed if required. For example:

  • You can configure HTTP to listen on a non-standard port like 8080 instead of 80.
  • You can configure HTTPS on port 4443 instead of 443.

But this is rarely done since it violates user expectations. If you try to open a website on a non-standard port, it will result in errors like “Site cannot be reached” or “took too long to respond”.

Some cases where changing default ports may make sense:

  • Running multiple websites/services on one server.
  • Security through obscurity by running services on non-standard ports.
  • Working around ISP blocks by using different ports.

However, changing the default ports can cause connectivity issues and may not offer much security. Using firewalls or allowing ports only from specific IP addresses is a better security practice.

Do You Need to Open Ports 80 and 443 in Firewalls?

If you are hosting a public HTTP or HTTPS server, you need to open ports 80 and 443 respectively in the firewall. Since these are the standard ports for web traffic, blocking them will prevent external users from accessing your websites.

Some points to note regarding firewall rules:

  • For a publicly accessible HTTP server, open port 80 inbound.
  • For a publicly accessible HTTPS server, open port 443 inbound.
  • The firewall may still inspect traffic on open ports for malware, DoS attacks etc.
  • Only open the minimum required ports based on the services offered externally.
  • Disable unused ports or open them only when required.
  • Restrict source IP addresses, if possible, for additional security.

For clients accessing remote HTTP/HTTPS resources, no incoming port needs to be opened. The outbound connection to port 80 or 443 should be allowed in the firewall.

What Happens When Ports are Blocked?

If the standard HTTP (port 80) or HTTPS (port 443) ports are blocked either inbound or outbound, you are likely to face the following issues:

Outbound Ports Blocked

  • Browsers cannot access websites and will display connection errors.
  • Downloads from HTTP or HTTPS servers will fail.
  • Software updates using HTTP/HTTPS will not work.
  • API calls to external systems over HTTP/HTTPS will not succeed.

Inbound Ports Blocked

  • External users cannot access your HTTP or HTTPS server.
  • Websites will be unreachable leading to failed requests.
  • Public services and APIs offered over HTTP or HTTPS will be disrupted.

Blocking standard web traffic ports hinders most internet usage unless alternatives are set up like using non-standard ports or proxies. Temporary port blocking may be done by ISPs to restrict access to certain websites. Permanent blocking requires changing the application configuration to use different ports.

Conclusion on Port 80 vs Port 443

HTTP uses the standard port 80 to serve web pages and assets in plain text. HTTPS uses port 443 to encrypt communication and provide secure transactions. Though they use different ports by default, this can be changed if needed. Blocking these ports breaks most internet usage so firewall rules need to be defined carefully. HTTPS over port 443 should always be used for sensitive data to prevent eavesdropping and interference.

Port 80 vs Port 443 FAQs

Is port 80 or 443 more vulnerable?

Port 443 over HTTPS is far more secure than port 80 over HTTP. HTTPS uses TLS encryption and server authentication which protects the communication. HTTP has plain text transmission making it vulnerable to eavesdropping.

Can I run HTTPS on port 80 or HTTP on port 443?

Technically yes, but it is not advisable. Running HTTPS on port 80 will not work seamlessly since client-side security checks still expect HTTPS over 443. Similarly, plain HTTP on 443 provides no encryption, which defeats the purpose of using the HTTPS port.

Are non-root users allowed to bind ports below 1024 like 80 and 443?

No, only processes running as root can bind to privileged ports below 1024. On Unix-style systems, normal users can only bind ports 1024 and above unless explicitly permitted.

Is blocking ports effective as a security measure?

Port blocking can prevent access to the blocked service. But it is considered a weak security control and is easy to circumvent. Security best practices recommend layered defenses such as firewalls, access controls, and encryption rather than relying solely on port blocking.

What happens when I enter a website without specifying port 80 or 443?

When no port is specified, web browsers assume port 80 for HTTP and port 443 for HTTPS by default. So entering a URL like http://example.com is equivalent to http://example.com:80 and https://example.com equals https://example.com:443.

Can HTTP and HTTPS share the same port?

Yes, it is possible to host both HTTP and HTTPS on the same port using a technology like TLS Server Name Indication (SNI). SNI allows the client to indicate the hostname it wants to reach when establishing a TLS connection. This allows the server to distinguish between secure and non-secure traffic for multiple domains on the same IP and port.
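
A listener that accepts both kinds of traffic, or a firewall that does not trust port numbers, can tell TLS from plain HTTP by the first bytes the client sends, and the SNI hostname travels unencrypted inside the TLS ClientHello. The following Python is an added example, not code from the original article: the function names (`classify`, `client_hello_sni`, `audit`, `sample_client_hello`) are hypothetical, and the sample ClientHello is constructed in memory with the standard `ssl` module, so nothing touches the network.

```python
import ssl
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")

def classify(first_bytes):
    """Label a connection by what the client sends first, not by its port."""
    # TLS record: type 0x16 (handshake), version 0x03xx, then handshake type 0x01.
    if len(first_bytes) >= 6 and first_bytes[:2] == b"\x16\x03" and first_bytes[5] == 1:
        return "tls"
    if first_bytes.startswith(HTTP_METHODS):
        return "http-plaintext"
    return "unknown"

def client_hello_sni(record):
    """Return the SNI hostname from a ClientHello record, or None."""
    try:
        pos = 5 + 4 + 2 + 32                                  # headers, version, random
        pos += 1 + record[pos]                                # session id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher suites
        pos += 1 + record[pos]                                # compression methods
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            if ext_type == 0:                                 # server_name extension
                name_len = struct.unpack_from("!H", record, pos + 7)[0]
                return record[pos + 9:pos + 9 + name_len].decode("ascii")
            pos += 4 + ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                                  # truncated or malformed
    return None

def audit(port, first_bytes):
    """Return (protocol, mismatch); mismatch flags e.g. plain HTTP on 443."""
    proto = classify(first_bytes)
    expected = {80: "http-plaintext", 443: "tls"}.get(port)
    return proto, expected is not None and proto != expected

def sample_client_hello(hostname="example.com"):
    """Constructed sample: a real ClientHello produced in memory, no network."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                                                  # ClientHello is now queued
    return outgoing.read()
```

Feeding `audit` the first bytes of each new connection together with its destination port gives a simple signal for plain HTTP arriving on 443 or TLS arriving on 80, the two cases discussed in the FAQ above.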

What are some alternatives to HTTP and HTTPS?

Some alternatives include:

  • HTTP/2 – An optimized version of HTTP for better performance.
  • HTTP/3 – Uses UDP instead of TCP for lower latency.
  • QUIC – Multiplexed transport layer protocol over UDP. Developed by Google.
  • gRPC – Remote procedure calls over HTTP/2.
  • Secure Shell (SSH) – Encrypted network protocol providing secure remote access.
  • Tor – Anonymous communication by relaying traffic through multiple Tor nodes.

Can web servers easily switch between HTTP and HTTPS?

Modern web servers like Apache and Nginx make it easy to set up both HTTP and HTTPS. However, it takes some extra steps like obtaining a TLS certificate, configuring encryption protocols and ciphers, and directing traffic appropriately between HTTP and HTTPS servers.

Priya Mervana

Verified Web Security Experts

Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.