HTTPS: HTTP Secure
HTTP with TLS encryption, the secure foundation of the modern web. Required for every public-facing website.
- Type: Secure Application Layer
- Port: 443
- Encryption: TLS 1.3
- Standard: RFC 2818
What is HTTPS?
HTTPS (HTTP Secure) is the encrypted version of HTTP. It wraps all HTTP communication inside a TLS (Transport Layer Security) encryption layer, protecting data as it travels between the browser and server.
HTTPS provides three critical security guarantees: encryption (data cannot be read by eavesdroppers), authentication (the server is who it claims to be), and integrity (data cannot be tampered with in transit).
HTTPS is now the default for the web. Modern browsers display a "Not Secure" warning for plain HTTP sites, and Google uses HTTPS as a search ranking signal. There is no reason to use plain HTTP for public-facing websites today.
How HTTPS Encryption Works
HTTPS uses the exact same HTTP protocol underneath, with the same methods, headers, status codes, and message format. The difference is that everything is wrapped in a TLS encryption layer before being sent over the network.
In the protocol stack, TLS sits between HTTP (application layer) and TCP (transport layer). When your browser connects to an HTTPS site, it first establishes a TCP connection to port 443, then performs a TLS handshake to negotiate encryption, and only then begins sending HTTP requests.
From the perspective of the HTTP protocol, nothing changes. From the perspective of anyone observing the network traffic, all they can see is encrypted data, the destination IP address, and the hostname carried in the SNI field of the TLS handshake. The URL path, headers, and body are all hidden.
The TLS 1.3 Handshake Process
Before any encrypted data can be exchanged, the client and server must agree on encryption parameters. This negotiation is called the TLS handshake. TLS 1.3 streamlined this process to a single round trip.
Step 1: ClientHello
The client sends a message listing the cipher suites it supports along with a key share (its half of the key exchange). This is a speculative optimization where the client guesses which key exchange the server will pick.
Step 2: ServerHello
The server selects a cipher suite, sends its own key share, its TLS certificate, and a cryptographic proof that it possesses the private key. All of this arrives in a single response.
Step 3: Certificate Verification
The client verifies the server's certificate chain by checking that it was issued by a trusted Certificate Authority, has not expired, and matches the domain name. If verification fails, the browser shows a security warning.
Step 4: Encryption Begins
Both sides derive symmetric encryption keys from the exchanged key shares. All subsequent data is encrypted. TLS 1.3 completes this entire process in just one round trip (compared to two in TLS 1.2), making HTTPS connection setup faster than ever.
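To make Step 1 concrete, the following added example (not part of the original page) uses Python's `ssl` module with in-memory buffers to produce a real ClientHello without touching the network, then parses the fields an on-path observer can read in cleartext: the SNI hostname, the offered cipher suites, the TLS 1.3 offer, and the key share groups. The hostname `example.test` and the function names are placeholders chosen for this illustration.

```python
import ssl
import struct

def capture_client_hello(hostname):
    """Return the first bytes a real TLS client would send (no network used)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()          # writes ClientHello, then needs the server's reply
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()

def u16(buf, pos):
    return int.from_bytes(buf[pos:pos + 2], "big")

def parse_client_hello(rec):
    """Extract the fields visible in cleartext to anyone watching the connection."""
    if len(rec) < 44 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32            # record hdr, handshake hdr, legacy_version, random
    pos += 1 + rec[pos]             # legacy_session_id
    n_suites = u16(rec, pos) // 2
    pos += 2 + 2 * n_suites
    pos += 1 + rec[pos]             # legacy_compression_methods
    end = pos + 2 + u16(rec, pos)   # end of the extensions block
    pos += 2
    exts = {}
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", rec, pos)
        exts[etype] = rec[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    sni = exts.get(0, b"")          # server_name: list_len(2) type(1) name_len(2) name
    versions = exts.get(43, b"")    # supported_versions: len(1) then 2-byte versions
    shares = exts.get(51, b"")      # key_share: len(2) then {group(2) len(2) key}
    groups, p = [], 2
    while p + 4 <= len(shares):
        groups.append(u16(shares, p))
        p += 4 + u16(shares, p + 2)
    return {
        "sni": sni[5:5 + u16(sni, 3)].decode("ascii") if sni else None,
        "cipher_suites": n_suites,
        "offers_tls13": b"\x03\x04" in [versions[i:i + 2] for i in range(1, len(versions), 2)],
        "key_share_groups": groups,
    }

if __name__ == "__main__":
    print(parse_client_hello(capture_client_hello("example.test")))
```

The key share group numbers printed depend on the local OpenSSL build, so the output differs between machines.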
SSL/TLS Certificates and Certificate Authorities
An SSL/TLS certificate is a digital document that proves a server's identity. It contains the domain name, the server's public key, the issuing authority, and validity dates. Certificates are what make the "trust" in HTTPS possible.
Certificates are issued by Certificate Authorities (CAs), trusted third parties that verify domain ownership. There are three validation levels: Domain Validation (DV) verifies you control the domain, Organization Validation (OV) verifies the organization exists, and Extended Validation (EV) involves thorough business verification.
Let's Encrypt revolutionized web security by providing free, automated DV certificates. Most hosting providers now offer one-click certificate setup.
Certificates form a chain of trust: your browser trusts a set of root CAs, which sign intermediate CA certificates, which in turn sign server certificates. This chain is verified during every TLS handshake.
HTTP vs HTTPS: Complete Comparison
| Feature | HTTP | HTTPS |
|---|---|---|
| Default Port | 80 | 443 |
| Encryption | None (plaintext) | TLS (AES-256-GCM typical) |
| Performance | Slightly faster handshake | Negligible overhead with TLS 1.3 |
| Google SEO Ranking | Penalized | Preferred (ranking signal) |
| Browser Display | "Not Secure" warning | Lock icon |
| Data Integrity | No protection | Tamper detection via MAC |
| Server Authentication | None | Certificate-based verification |
Key Features of HTTPS
- End-to-end encryption between client and server
- Server authentication via TLS certificates
- Data integrity: any tampering is detected
- Required for modern web features including Service Workers, Geolocation, and HTTP/2
- SEO benefits: Google has used HTTPS as a ranking factor since 2014
- User trust: the lock icon signals a secure connection
Common Use Cases for HTTPS
- All web browsing: HTTPS is now the default for the web
- E-commerce and payment processing: PCI compliance requires encryption
- API security: protecting tokens and sensitive data in transit
- Email web clients: securing access to email content
- Sensitive data applications: healthcare, banking, and government systems
Frequently Asked Questions About HTTPS
Is HTTPS slower than HTTP?
The overhead is negligible. TLS 1.3 adds only one round trip to connection setup (and zero for resumed connections). In practice, HTTP/2, which requires HTTPS, actually makes pages load faster than plain HTTP/1.1.
Do I need HTTPS for my website?
Yes. Browsers flag HTTP sites as insecure, and Google penalizes them in search rankings. Free certificates from Let's Encrypt eliminate the cost barrier. There is no good reason to use plain HTTP for any public-facing site.
What is the difference between SSL and TLS?
TLS (Transport Layer Security) is the successor to SSL (Secure Sockets Layer). SSL is deprecated and no longer considered secure. The term "SSL certificate" is a misnomer that persists in common usage. All modern certificates use TLS.
How do I get a free HTTPS certificate?
Let's Encrypt provides free, automated certificates and is the most popular CA on the internet. Most hosting providers and CDNs (Cloudflare, Vercel, Netlify) offer automated certificate management built in.
Does HTTPS protect against all attacks?
No. HTTPS protects data in transit (encryption, integrity, authentication), but does not protect against vulnerabilities in the application itself, like SQL injection, XSS, or CSRF. It also does not hide which domain you are visiting (the SNI field in the TLS handshake reveals the hostname).
Related Protocols
- HTTP: the underlying protocol that HTTPS encrypts
- Modbus TCP: industrial protocol that also runs over TCP/IP
- Modbus RTU: serial protocol for industrial automation