HTTPS is the secure version of HTTP — the protocol your browser uses to load web pages. The 'S' stands for Secure, and it means the connection is encrypted using TLS (Transport Layer Security). When you visit a site over HTTPS, three things are guaranteed: your data is encrypted, the server's identity is verified, and the data cannot be tampered with in transit.
What HTTPS Does
| Property | What It Means |
|---|---|
| Encryption | No one between you and the server can read your data (login credentials, credit card numbers, etc.) |
| Authentication | The TLS certificate proves you are talking to the real website, not an impersonator |
| Integrity | Data cannot be modified in transit — if it is changed, TLS detects it and drops the connection |
How HTTPS Works
1. Your browser connects to the server and requests its TLS certificate
2. The server sends its certificate, signed by a trusted Certificate Authority (CA)
3. Your browser verifies the certificate against its list of trusted CAs
4. Browser and server perform a key exchange (using ECDHE or similar) to create session keys
5. All subsequent traffic is encrypted with those session keys using AES-256 or similar
HTTP vs HTTPS
| Feature | HTTP | HTTPS |
|---|---|---|
| Encryption | None — plaintext | AES-256 via TLS |
| Port | 80 | 443 |
| Authentication | None | TLS certificate |
| SEO ranking | Penalized by Google | Ranking signal |
| Browser indicator | "Not Secure" warning | Padlock icon |
What HTTPS Does NOT Protect
- The fact that you visited a website — your ISP and DNS resolver still see the domain name (unless you use DoH or DoT)
- Malware on your device — HTTPS only encrypts data in transit
- The website's own database — if the site is hacked and your data is leaked, HTTPS doesn't help
- Phishing sites — a phishing site can use HTTPS and still steal your credentials (the padlock means the connection is encrypted, not that the site is trustworthy)
HSTS: Enforcing HTTPS
HTTP Strict Transport Security (HSTS) tells browsers to always use HTTPS for a domain, even if you type just the domain name. It prevents SSL/TLS stripping attacks where a man-in-the-middle downgrades your connection to HTTP.
People Also Ask
- Can I be hacked on an HTTPS site?
  Yes. HTTPS protects the connection between you and the server — it does not protect you from a compromised server, malicious JavaScript served by the site, phishing attacks, or malware on your device. The padlock only means the transit channel is encrypted. A malicious site can have a valid TLS certificate and still steal your data through application-layer attacks.
- Does a VPN make HTTPS redundant?
  No — they are complementary. HTTPS encrypts the content of your communication with a specific website. A VPN encrypts all your traffic and hides which websites you visit from your ISP. Using HTTPS through a VPN gives you both: the VPN server cannot see your HTTPS content, and your ISP cannot see which sites you visit. Neither replaces the other.