
HTTPS


What Is HTTPS

HTTPS (HyperText Transfer Protocol Secure) is a protocol that encrypts communication between a web browser and a server. It adds a TLS/SSL encryption layer on top of HTTP, preventing eavesdropping, tampering, and impersonation.

The lock icon displayed in the browser's address bar indicates that the connection is secured with HTTPS. Without HTTPS, all data - including passwords and form inputs - is transmitted in plaintext and can be intercepted by anyone on the network.

How HTTPS Works

An HTTPS connection is established through the following steps.

  1. TCP Connection: The browser establishes a TCP connection to the server's port 443 (HTTP uses port 80).
  2. TLS Handshake: The server sends its digital certificate to the browser. The browser verifies the certificate's validity (issuer, expiration, domain match) and establishes an encrypted channel.
  3. Encrypted Communication: All HTTP requests and responses are encrypted with the session key agreed upon during the handshake. Even if intercepted, the data cannot be read.

This entire process completes in milliseconds and is invisible to the user. Modern browsers and servers use TLS 1.3, which reduces the handshake to a single round trip.

Why HTTPS Matters

HTTPS is more than just a security measure - it impacts many aspects of website operation.

  • Communication Protection: Prevents passwords, credit card numbers, and personal information from traveling in plaintext. Especially critical on untrusted networks like public Wi-Fi.
  • Tamper Prevention: Stops ISPs and attackers from injecting ads or malicious code into pages. HTTP pages can be silently modified in transit.
  • SEO Advantage: Google has used HTTPS as a ranking signal since 2014. HTTP sites are at a disadvantage in search results.
  • Modern Browser APIs: Features like Geolocation, camera/microphone access, Service Workers, and Web Push require HTTPS. HTTP sites cannot use these APIs.
  • User Trust: Browsers display "Not secure" warnings on HTTP pages. This erodes visitor trust and increases bounce rates.

How to Verify HTTPS and Common Pitfalls

Here's how to check HTTPS connections in your browser, along with common misconceptions.

  • Check the Lock Icon: Click the lock icon in the address bar to view certificate details (issuer, expiration, domain).
  • Watch for Mixed Content: If an HTTPS page loads resources over HTTP (images, scripts, etc.), the browser may block them or display a warning. All resources must be loaded over HTTPS.
  • Lock Icon ≠ Safe Site: The lock icon only means the connection is encrypted. Phishing sites also use HTTPS, so do not trust a site based on the lock icon alone.
  • Certificate Expiration: Expired certificates trigger browser warnings and prevent access. Automated renewal with Let's Encrypt and certbot is recommended.

To learn more about this topic, see How HTTPS and TLS Work: The Encryption Behind Secure Communication.

Common Misconceptions

HTTPS is only needed for large-scale sites

HTTPS is essential even for personal blogs and small sites. HTTP sites are labeled "Not secure" by browsers, undermining visitor trust. Free certificates from Let's Encrypt eliminate cost as a barrier.

Switching to HTTPS makes a site secure

HTTPS provides encryption of the communication channel but cannot prevent server-side vulnerabilities, XSS, SQL injection, or other attacks. HTTPS is the starting point of security, not the finish line.

HTTP vs. HTTPS Comparison

HTTP

Data is transmitted in plaintext. Vulnerable to eavesdropping, tampering, and impersonation. Uses port 80. Browsers display 'Not secure.'

HTTPS

Communication encrypted with TLS. Prevents eavesdropping, tampering, and impersonation. Uses port 443. Displays a lock icon and enables modern browser APIs.
