What Is HTTPS?
HTTPS stands for HyperText Transfer Protocol Secure. It's the same HTTP that browsers use to load web pages, but with an added layer: TLS (Transport Layer Security). That layer encrypts the data traveling between your browser and the web server, protecting it from eavesdroppers and tampering. The padlock icon in your browser's address bar signals an active HTTPS connection.
Why HTTP Alone Isn't Enough
Unencrypted HTTP sends data as plain text. Anyone on the same network — a coffee shop Wi-Fi, an ISP, or a malicious actor running a packet sniffer — can read exactly what you're sending and receiving. Login credentials, personal information, and browsing content are all exposed. HTTPS solves this by encrypting everything in transit.
The TLS Handshake: How a Secure Connection Forms
Before any encrypted data is exchanged, your browser and the server go through a TLS handshake — a brief negotiation that establishes a shared secret key. Here's what happens:
- Client Hello: Your browser sends a message saying, "Hello, I support these TLS versions and cipher suites. Here's a random number."
- Server Hello: The server responds: "Great, let's use TLS 1.3 and this cipher suite. Here's my random number and my digital certificate."
- Certificate verification: Your browser checks the server's certificate against a list of trusted Certificate Authorities (CAs) — organizations that have verified the server's identity. This is how you know you're actually talking to yourbank.com and not an impersonator.
- Key exchange: Using asymmetric cryptography (typically ECDHE — Elliptic Curve Diffie-Hellman Ephemeral), both sides compute the same shared secret without ever transmitting it directly.
- Session keys derived: From the shared secret and both random numbers, session keys are derived for symmetric encryption.
- Encrypted communication begins: All subsequent data is encrypted with fast symmetric encryption (like AES-256-GCM).
Asymmetric vs. Symmetric Encryption
A common question: if we have encryption, why use two different types?
- Asymmetric (public/private key): Secure for exchanging keys, but computationally expensive. Used in the handshake phase.
- Symmetric (shared key): Much faster, ideal for encrypting large volumes of data. Used for the actual session after the handshake.
TLS uses asymmetric encryption to safely establish a shared secret, then switches to symmetric encryption for efficiency. It's the best of both worlds.
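To make the handshake steps above and the asymmetric-then-symmetric hand-off concrete, here is a small simulation in Python. It is an added example, not code from the article, and it is not a TLS implementation: it uses classic finite-field Diffie-Hellman over the 2048-bit MODP group from RFC 3526 (group 14) in place of ECDHE, because the standard library has no elliptic-curve support, and it derives the session keys with a plain HKDF (RFC 5869) salted by the two Hello randoms rather than the real TLS 1.3 key schedule. The certificate check and the server's signature over the handshake are left out; `Peer`, `run_handshake`, `check_share` and the key-label strings are this example's own names.

```python
import hashlib
import hmac
import secrets

# 2048-bit MODP prime from RFC 3526, group 14, generator 2 (transcribed here;
# check it against the RFC before reusing it anywhere that matters).
P_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
P = int("".join(P_HEX.split()), 16)
G = 2


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with SHA-256: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def check_share(y: int) -> None:
    """Reject degenerate key shares (0, 1, p-1) that would force a trivial secret."""
    if not 1 < y < P - 1:
        raise ValueError("invalid key share")


class Peer:
    """One endpoint of the handshake. Only `random` and `public` ever leave it."""

    def __init__(self) -> None:
        self.random = secrets.token_bytes(32)   # the "random number" in the Hello
        self._priv = secrets.randbits(256)      # private exponent, never transmitted
        self.public = pow(G, self._priv, P)     # key share, sent in the clear
        self.keys = None

    def derive_keys(self, peer_public: int, client_random: bytes, server_random: bytes) -> bytes:
        check_share(peer_public)
        # Both sides reach the same value from the other's public share and
        # their own private exponent; the value itself is never sent.
        shared = pow(peer_public, self._priv, P).to_bytes(256, "big")
        # Session keys: HKDF over the secret, salted with both Hello randoms so
        # a replayed share still yields fresh keys. One key per direction.
        prk = hkdf_extract(client_random + server_random, shared)
        self.keys = {
            "client_write_key": hkdf_expand(prk, b"client write key", 32),
            "server_write_key": hkdf_expand(prk, b"server write key", 32),
        }
        return shared


def run_handshake() -> dict:
    """Play the exchange and report what each side holds and what the wire saw."""
    client, server = Peer(), Peer()

    # ClientHello and ServerHello: randoms and key shares travel in the clear.
    # (Certificate and handshake signature are omitted in this toy.)
    on_the_wire = (client.random + client.public.to_bytes(256, "big")
                   + server.random + server.public.to_bytes(256, "big"))

    server_secret = server.derive_keys(client.public, client.random, server.random)
    client_secret = client.derive_keys(server.public, client.random, server.random)

    return {
        "client_keys": client.keys,
        "server_keys": server.keys,
        "shared_secret": client_secret,
        "secrets_match": client_secret == server_secret,
        "secret_seen_on_wire": client_secret in on_the_wire,
    }


if __name__ == "__main__":
    result = run_handshake()
    print("keys agree:", result["client_keys"] == result["server_keys"])
    print("secret on the wire:", result["secret_seen_on_wire"])
```

The point to take from running it: everything an eavesdropper sees (two randoms, two public values) is insufficient to recover the shared secret, yet both peers end up with identical per-direction keys. The `check_share` guard is the kind of validation a real implementation must do on the peer's key share; skipping it lets a malicious share collapse the secret to a predictable value.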
What TLS Protects — and What It Doesn't
What TLS Protects
- Content of your requests and responses (login forms, page content, API data)
- Cookies and session tokens in transit
- Integrity of data (it can't be modified without detection)
What TLS Does NOT Protect
- The fact that you visited a domain — your ISP can still see you connected to example.com
- Data once it reaches the server — server-side security is separate
- Malware already on your device
TLS Versions: Why Upgrades Matter
| Version | Status | Notes |
|---|---|---|
| SSL 3.0 / TLS 1.0 / 1.1 | Deprecated | Known vulnerabilities, should never be used |
| TLS 1.2 | Still widely used | Secure when configured correctly |
| TLS 1.3 | Current standard | Faster handshake, improved security, forward secrecy |
How to Check a Site's Certificate
Click the padlock icon in any major browser and select "Connection is secure" or "Certificate." You'll see the issuing CA, validity dates, and the domains covered. A certificate issued to a wildcard domain (e.g., *.example.com) covers all subdomains.
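As an added example (not code from the article), the following Python shows the client-side counterpart of the version table and the padlock check above: a client context that refuses SSL 3.0 / TLS 1.0 / 1.1 and requires certificate verification, a summary of the fields the padlock dialog lists (issuing CA, validity dates, covered names) taken from the dictionary `ssl.SSLSocket.getpeercert()` returns, and a name matcher applying the single-label wildcard rule browsers use (RFC 6125: `*.example.com` covers `www.example.com` but not `example.com` or `a.b.example.com`). `SAMPLE_CERT` is a constructed certificate dictionary with made-up issuer names; `inspect_site` needs network access and is the only part not exercised offline.

```python
import socket
import ssl
import time


def hardened_client_context() -> ssl.SSLContext:
    """Client context: chain + hostname verification on, deprecated versions off."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSL 3.0, TLS 1.0 and 1.1 refused
    return ctx


def summarize_cert(cert: dict) -> dict:
    """Pull out what the padlock dialog shows from a getpeercert()-style dict."""
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "issuer": issuer.get("organizationName") or issuer.get("commonName", "?"),
        "not_before": ssl.cert_time_to_seconds(cert["notBefore"]),
        "not_after": ssl.cert_time_to_seconds(cert["notAfter"]),
        "names": names,
    }


def cert_valid_at(cert: dict, when: float) -> bool:
    """True if `when` (epoch seconds) falls inside the validity window."""
    s = summarize_cert(cert)
    return s["not_before"] <= when <= s["not_after"]


def covers(hostname: str, pattern: str) -> bool:
    """Does a certificate name cover this hostname? Wildcards match one label only."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False                 # *.example.com never matches a.b.example.com
    if pat[0] == "*":
        # wildcard must be the whole left-most label and sit under a real domain
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def cert_covers(cert: dict, hostname: str) -> bool:
    """True if any DNS name in the certificate covers the hostname."""
    return any(covers(hostname, name) for name in summarize_cert(cert)["names"])


def inspect_site(host: str, port: int = 443) -> dict:
    """Connect with the hardened context and report what the padlock would show.

    Needs network access. The verification itself happens inside wrap_socket,
    which raises ssl.SSLCertVerificationError on an untrusted or mismatched cert.
    """
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            info = summarize_cert(cert)
            info["version"] = tls.version()        # e.g. "TLSv1.3"
            info["cipher"] = tls.cipher()[0]       # e.g. "TLS_AES_256_GCM_SHA384"
            info["valid_now"] = cert_valid_at(cert, time.time())
            return info


# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example CA"),),
        (("commonName", "Example CA R1"),),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}

if __name__ == "__main__":
    print(summarize_cert(SAMPLE_CERT))
    for name in ("www.example.com", "example.com", "a.b.example.com"):
        print(name, "covered:", cert_covers(SAMPLE_CERT, name))
```

`create_default_context()` already turns on chain and hostname verification; the one setting worth adding explicitly is `minimum_version`, which is what actually enforces the "should never be used" row of the table on the client side. The `covers` function exists to show the rule, not to replace the library: when connecting, let `wrap_socket` do the matching.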
Understanding HTTPS and TLS won't just make you a more informed user — it forms the foundation for understanding authentication, API security, and how trust works on the modern web.