SMIP
All articles
securitynetworkingbasics

What is HTTPS and why does it actually matter?

HTTPS is the lock icon in your browser. Underneath it's a sequence of cryptographic steps that prevent eavesdropping, tampering, and impersonation on every web request. Here's what's going on.

May 6, 20266 min read

Every site you visit today shows a little lock icon next to the URL. Without it, browsers warn you with bright red "Not Secure" labels. The lock means HTTPS — and HTTPS is one of the most important pieces of online security infrastructure most people never think about.

Here's what it actually does, in plain English.

Two-line summary

HTTPS is HTTP wrapped inside an encrypted, authenticated TLS connection. It prevents three things:

  1. Eavesdropping — anyone watching the network can't read your traffic.
  2. Tampering — anyone in the middle can't change your traffic without breaking the connection.
  3. Impersonation — you can verify the server you're talking to is actually who they claim to be.

Without HTTPS, all three of those become trivial.

The HTTP problem (life before HTTPS)

In the 1990s and early 2000s, most of the web ran on plain HTTP. Every request and response traveled in plaintext. That meant:

  • The Wi-Fi at a coffee shop could read every form you submitted.
  • Your ISP could see every page you loaded, every image, every URL.
  • Anyone in the path could inject ads, malware, or fake content into the responses.
  • A malicious DNS or BGP attacker could route you to a fake server, and your browser had no way to know.

That last one is the worst. With plain HTTP, you couldn't tell the difference between the real bank.com and a copy run by an attacker.

What HTTPS adds

HTTPS = HTTP + TLS (Transport Layer Security; the successor to SSL, despite the name "SSL certificate" sticking around).

The TLS layer does three things:

1. Encryption

Your browser and the server agree on a shared secret using a protocol called Diffie-Hellman key exchange. The remarkable thing about Diffie-Hellman: both parties can compute the same secret without ever sending it across the network. An eavesdropper sees only the public values exchanged and can't derive the secret.

Once they have a shared secret, they use it to encrypt all the actual HTTP data with a symmetric cipher (AES-GCM or ChaCha20-Poly1305 in 2026). Eavesdroppers see only ciphertext.

2. Integrity

The encryption scheme includes an authentication tag — every encrypted message comes with a small cryptographic checksum. If anyone modifies even one byte of the message, the tag won't validate, and both ends will detect tampering and tear down the connection.

3. Authentication

This is the part that prevents impersonation. The server presents a TLS certificate signed by a Certificate Authority (CA) your browser already trusts (Let's Encrypt, DigiCert, Cloudflare, Google Trust Services, etc.). Your browser checks the certificate is:

  • Signed by a known CA.
  • Valid for the domain you're visiting (not expired, not revoked).
  • Either matches the hostname in the URL or covers a wildcard that does.

If any check fails, the browser shows a big scary warning. If they all pass, you can trust the server is operated by whoever controls the domain — which is the closest thing to identity verification on the open internet.

The TLS handshake

When you visit https://cloudflare.com, here's what happens:

1. You: "Hi, I support TLS 1.3, ChaCha20-Poly1305, and X25519."
2. Server: "Hi back. Let's use TLS 1.3, ChaCha20, X25519. Here's my certificate.
            Here's my Diffie-Hellman public value."
3. You: "Certificate looks good. Here's my Diffie-Hellman public value.
        Let's both compute the shared key."
4. Both compute shared key independently.
5. All future traffic is encrypted with that key.

In TLS 1.3 (the current standard), this whole handshake takes one round-trip plus the TCP setup. Modern HTTPS is fast.

If the connection is reused (same site visited a moment later), TLS resumption can skip most of the handshake — bringing the overhead near zero.

Certificates and CAs

A TLS certificate is a small public file that says:

  • "This public key belongs to cloudflare.com."
  • "It expires on 2026-08-01."
  • "It's signed by Let's Encrypt."

Your browser trusts a fixed list of root CAs (~150 of them). When a server presents a certificate, the browser verifies the signature chain back to one of those roots. If the chain is valid, the cert is valid.

The CAs are the security model's trust anchor. They're audited heavily, occasionally lose trust when they screw up (Symantec was forced out by browsers in 2018), and gradually replaced as the ecosystem evolves. Let's Encrypt in particular changed everything by issuing certs free at scale starting in 2015 — pre-Let's Encrypt, only paid certs existed and lots of small sites stayed on HTTP.

In 2026, every domain should have HTTPS. There's no cost barrier; setup takes 5 minutes; ranking penalties hit non-HTTPS sites; modern browsers warn aggressively.

What HTTPS doesn't protect

Worth being clear about the limits:

  • The hostname is not encrypted. Server Name Indication (SNI) leaks the domain you're visiting to anyone watching the connection. Even with HTTPS, your ISP or network can see you visited cloudflare.com, just not what you did there. (ECH — Encrypted Client Hello — fixes this and is rolling out, but isn't universal yet.)
  • DNS queries are separate. Plain DNS leaks every domain you visit. Use encrypted DNS (DoH/DoT) to hide that too.
  • HTTPS doesn't prove the site is honest. It just proves you're talking to whoever owns the domain. A scam site can have valid HTTPS — it just proves the scammer owns the domain. The lock icon means encryption, not legitimacy.
  • Endpoint compromise still wins. If your device is compromised, no amount of HTTPS helps.

"But the URL is in the address bar — isn't that enough?"

The address bar shows the domain you intended to visit. HTTPS verifies the server you actually reached is the one for that domain. Without HTTPS, those two can disagree silently.

This is why HTTPS plus paying attention to the URL is the actual security model — both pieces are required.

Mixed content

A page loaded over HTTPS that includes resources (images, scripts, stylesheets) over plain HTTP creates "mixed content" — the page is partially insecure. Modern browsers block this aggressively. If you've ever seen a broken layout on a site claiming HTTPS, mixed content is often the cause.

The fix: every resource a page references must also be HTTPS.

HSTS — staying on HTTPS once you've found it

Once you visit an HTTPS site, the server can include an HSTS (HTTP Strict Transport Security) header telling the browser: "Always use HTTPS for this domain in the future. Don't even attempt HTTP."

The browser remembers this. If you later type bank.com and accidentally connect over HTTP, the browser silently rewrites the request to HTTPS before connecting. Prevents accidental downgrade attacks.

Major sites also appear in the HSTS preload list baked into browsers — meaning they're forced to HTTPS even on your first visit, before any header could be sent.

How to test a site's HTTPS

  • Click the lock icon in your browser to see the certificate, issuer, and validity.
  • Use SSL Labs' SSL Test (ssllabs.com/ssltest) for a deep grade of any public HTTPS endpoint — a free service from Qualys.
  • Use curl --verbose https://example.com to see the handshake from the command line.

Quick FAQ

Is HTTPS slower than HTTP? Slightly, due to encryption overhead and the handshake. With TLS 1.3, modern hardware, and HTTP/2 or HTTP/3 multiplexing, the overhead is usually invisible — and frequently HTTPS is faster than HTTP because of the protocol upgrades.

Does HTTPS protect me from malware? Not directly. It encrypts what you're transferring, not what's in the file. A malware download over HTTPS is still malware.

Can my ISP still see what I'm doing on HTTPS sites? They see which sites (via DNS and SNI) but not what you do there. To hide which sites, use a VPN or Tor.

Why does my browser say a self-signed certificate is "not secure"? Self-signed certs aren't signed by any of the ~150 trusted CAs, so the browser can't verify the issuer. Encryption still works; identity verification doesn't.

TL;DR

  • HTTPS = HTTP wrapped in TLS encryption + integrity + server identity.
  • Three threats it stops: eavesdropping, tampering, impersonation.
  • Modern HTTPS (TLS 1.3) is fast, free to obtain, and universally expected.
  • It doesn't hide which sites you visit (use encrypted DNS and a VPN for that), but it does protect what you do once you're there.

Every modern site is HTTPS. If you find one that isn't, leave.