The difference in one line
HTTP carries web requests and responses as plain text over the network. HTTPS is the same HTTP wrapped inside a TLS session, so the bytes are encrypted and the server is authenticated. The S stands for secure, and the security comes entirely from the TLS layer beneath, not from changing HTTP itself.
What HTTPS adds
- Confidentiality means eavesdroppers on the path see ciphertext, not your data.
- Integrity means tampering with packets is detected and the connection breaks.
- Authentication means a certificate proves you are talking to the real server, not an impostor.
- Trust signals like the padlock and HSTS help users and browsers refuse insecure downgrades.
Plain HTTP is vulnerable to passive sniffing and to active man-in-the-middle attacks, in which an attacker on the path can read or alter traffic. Because of this, modern browsers mark HTTP pages as not secure and many sites enforce HTTPS everywhere. The cost of TLS handshakes has fallen enough that there is little reason to serve sensitive content over plain HTTP today.
Key idea
HTTPS is HTTP carried inside TLS, adding confidentiality, integrity, and server authentication, which is why plain HTTP is now treated as unsafe for real traffic.