Many administrators who manage web servers on their network tend to block traffic for port 80 (HTTP) and only allow 443 (HTTPS) with the hope that it will secure their network. This is a myth, and this article demonstrates why port 80 is no different than port 443 if your goal is to make your network secure.
Difference between HTTP and HTTPS
It is essential to understand what HTTPS offers in addition to HTTP. It offers two benefits:
- It encrypts data between the client (browser) and a web server, which means a third party, such as an ISP or an unauthorized individual, cannot view and modify the data.
- It ensures the server's identity. In other words, when you connect to your bank's website using a browser, HTTPS ensures you're connecting to your actual bank and not a malicious website that is trying to steal your credentials.
Notice the benefits mentioned above only secures the in-transit data between a browser and the web server. It doesnot change the security level of your server.
Can a Malicious User Attack an HTTP Server?
Yes. However, it is no different than attacking an HTTPS server. Anything someone can do to an HTTP server can also be done to an HTTPS server. Therefore, to say HTTP is more vulnerable than HTTPS is not correct. That said, you must treat HTTP and HTTPS equally to make your web server secure.
Disadvantages of Blocking Port 80
The following is a list of some disadvantages of blocking port 80.
- Often, users click on hyperlinks rather than typing them manually. Therefore, if the hyperlink on the referrer's website uses HTTP, it cannot reach your website since the URL
http://your.website.com will fail. - Although newer browsers will try HTTP and HTTPS when a user manually types an address, this functionality is browser-dependent. An older browser may not try looking for HTTPS, resulting in an error.
- Often, websites are fetched by computer programs and not a browser. In those cases, changes to the code or configuration file may be required to change every URL to HTTPS.
How to Configure Port 80
Rather than blocking port 80, consider redirecting its traffic to port 443, which forces the client to switch to HTTPS. The following sequence diagram displays the flow of events.
Example Configuration
As an example, let's see how Google configured their website. In this example, we will submit a requestto http://www.google.com and watch the communication between the browser and Google's web server.We will use the Developer Tools that comes with Microsoft Edge browser to view the communication.
Here are the steps:
- Open MS Edge on your machine
- Press CTRL+SHIFT+I on your keyboard to bring up the Developer Tools
- Select the Network tab. Now you're ready to watch the communication between your browser and Google's web server.
- Type
http://www.google.com in the address bar. Ensure you type http:// in the beginning. - The following screenshot display the results:
- Notice that Google's web server is listening an port 80 but instead of returning the document, it redirectsthe client to go to
https://www.google.com.
Summary
Opening port 80 on your firewall is no different than opening port 443, provided the web server is configured to redirect the traffic to a secure port. This also ensures users connecting on port 80 do not get connection errors.
FAQs
Summary. Opening port 80 on your firewall is no different than opening port 443, provided the web server is configured to redirect the traffic to a secure port. This also ensures users connecting on port 80 do not get connection errors.
Is port 80 dangerous? ›
Port 80 is unencrypted because it is the default port for HTTP, an insecure transfer protocol used to retrieve web pages. Port 443 is secure because it uses HTTPS, which does the same thing as port 80, except securely.
Is it OK to leave port 80 open? ›
Leave port 80 open for user convenience so that browsers that default to HTTP on port 80 can get properly redirected to HTTPS on port 443. Otherwise, they're going to get connectivity errors if either their browser doesn't default to HTTPS or at least check if HTTPS is available for them.
Is an open HTTP port dangerous? ›
Open ports aren't dangerous by default, rather it's what you do with the open ports at a system level, and what services and apps are exposed on those ports, that should prompt people to label them dangerous or not.
What is the vulnerability of HTTP port 80? ›
HTTP and HTTPS (Ports 80, 443, 8080, and 8443): These hotly-targeted ports are used for HTTP and HTTPS protocols and are vulnerable to attacks such as cross-site scripting, SQL injections, cross-site request forgeries, and DDoS attacks.
What traffic is on port 80? ›
What is Port 80? Port 80 is assigned to HTTP, which is for connecting different users to an insecure network. The web traffic that passes through the port remains in plain text. However, with the introduction of HTTPS, most browsers, and search engines now prefer port 443- a default port for HTTPS protocol.
What does it mean when port 80 is open? ›
This means that, when using port 80, anyone who intercepts the communication between a web server and a web client can read what is being transmitted.
Which port should not be open? ›
Common High-Risk Ports
| Port | Protocol | Recommended Action |
|---|
| 139 | TCP and UDP | Disable always. |
| 445 | TCP and UDP | Disable always. |
| 161 | TCP and UDP | Disable always. |
| 389 | TCP and UDP | Disable always. |
28 more rowsApr 6, 2023
You can connect to an HTTP app running on a workstation from the Google Cloud console. For any running workstation that you have permissions to use, you see a Launch button. By default, this button connects on port 80 .
How long can I leave port open? ›
Ruby and basic Tawny Ports typically *(when stored in cool-dark conditions) will last 4 - 6 weeks after being open, without any obvious deterioration. Though ideally finish a Ruby Port within 1 month - and finish a Tawny Port within 2 months after being opened.
Ports most targeted by attackers include ports 443 and 8080 (HTTP and HTTPS) No port is 100% secure and what determines the risk of a port is the way it is managed. To protect open ports, it is essential to use ports that encrypt traffic in order to make it difficult for hackers to access sensitive information.
Is it safe to open HTTP website? ›
If a website uses HTTP instead of HTTPS, all requests and responses can be read by anyone who is monitoring the session. Essentially, a malicious actor can just read the text in the request or the response and know exactly what information someone is asking for, sending, or receiving.
What is the safe port for HTTP? ›
Among these are:
- Port 443 default for managing HTTPS web traffic.
- Port 80 for managing HTTP web traffic.
- Port 21 and 22 for file transfer protocol (FTP)
- Port 25 for outgoing simple mail transfer protocol (SMTP)
To make it convenient for programmers, most popular network services are assigned “well-known” port numbers by default. This strategy began back in 1991 when Tim Berners-Lee's original specification for HTTP stated that if there was no port assigned to an HTTP connection, Port 80 should be used.
What is the alternative to port 80 for HTTP? ›
Service Name and Transport Protocol Port Number Registry
| Service Name | Port Number | Description |
|---|
| http-alt | 8008 | HTTP Alternate |
| http-alt | 8008 | HTTP Alternate |
| http-alt | 8080 | HTTP Alternate (see port 80) |
| http-alt | 8080 | HTTP Alternate (see port 80) |
2 more rowsJul 1, 2024
Advantages of Using Port 80
Port 80 enables the transmission of data in plain text format. Port 80 is used in the web servers, web browsers, etc. The port 80 helps to easily identify the web addresses. Configuring the web servers to work on Port 80 is very easy.
What is an unsafe port? ›
A port will be unsafe if the ship is endangered when departing from the port. For example if on departure ice has formed and the ship's hull is damaged as a result when leaving, the port will be unsafe.
What is significant about port 80? ›
What Does Port 80 Mean? Port 80 is the port number assigned to commonly used internet communication protocol, Hypertext Transfer Protocol (HTTP). It is the default network port used to send and receive unencrypted web pages.
Why would port 80 be closed? ›
A closed port typically indicates that there are no active services listening on that port. So, you'll want to check and make sure the web server is working properly and investigate any errors you come across in the logs.
What is the difference between port 80 and 443? ›
Port 443 is encrypted, but port 80 is not, which is a crucial difference between the two. Port 80 is, by default, unencrypted to access internet pages, as HTTP is an insecure form of communication. Port 443 is secure because it uses HTTPS, a secure variant of port 80, to achieve the same objectives.
