HTTP vs HTTPS - What's the Difference?
HTTP (HyperText Transfer Protocol) and HTTPS (HTTP Secure) are both protocols for transferring data between your browser and web servers. The critical difference is that HTTPS wraps the connection in TLS encryption, making it impossible for anyone on the network path - your ISP, a public Wi-Fi operator, or a man-in-the-middle attacker - to read or modify the data in transit.
HTTP vs HTTPS Side-by-Side
| Property | HTTP | HTTPS |
|---|---|---|
| Default port | 80 | 443 |
| Encryption | None (plaintext) | TLS 1.2 or 1.3 |
| Data integrity | No; content can be injected by intermediaries | Yes; AEAD ciphers detect any tampering |
| Authentication | No; no proof the server is who it claims | Yes; the TLS certificate validates server identity |
| SEO impact | Penalised by Google since 2014 | Ranking signal; required for some features |
| Browser treatment | "Not Secure" warning in Chrome, Firefox, Edge | Padlock icon (secure) |
| Performance | Slightly faster (no handshake) | Negligible overhead with TLS 1.3 (0-RTT resumption) |
The TLS Handshake
When your browser connects to an HTTPS site, a TLS handshake occurs before any HTTP data is exchanged. In TLS 1.3 the handshake takes one round trip (1-RTT): the client sends its supported cipher suites and a key share; the server responds with its chosen cipher, certificate, and key share; encrypted application data begins immediately. The symmetric session key is derived using an ephemeral Diffie-Hellman key exchange, meaning that even if the server's private key is later compromised, past sessions remain secure (forward secrecy).
Mixed Content and When to Trust HTTPS
- Mixed content: an HTTPS page that loads HTTP subresources (images, scripts, iframes) undermines security; modern browsers block active mixed content (scripts, iframes) automatically.
- HTTPS confirms the connection is encrypted and the certificate is valid; it does not guarantee the site is trustworthy or not a phishing site. Use the SSL checker to inspect a site's certificate.
- HTTP Strict Transport Security (HSTS) headers tell browsers to always connect via HTTPS and refuse to connect over HTTP for the specified max-age period.
- HTTP/3 (QUIC) uses UDP instead of TCP and always requires TLS 1.3; there is no HTTP/3 over unencrypted connections.
- If you see your browser's "Not Secure" warning on a login or payment page, do not enter any sensitive data.
What an Eavesdropper Sees - HTTP vs HTTPS
| Information | Over HTTP | Over HTTPS |
|---|---|---|
| Domain you are visiting | Visible | Visible (via DNS and the TLS SNI field) |
| Full URL path and query string | Visible | Encrypted |
| Page content | Visible and modifiable in transit | Encrypted and tamper-evident |
| Form data, passwords, card numbers | Visible in plaintext | Encrypted |
| Cookies and session tokens | Visible; sessions can be hijacked | Encrypted |
| Your IP and the server's IP | Visible | Visible; encryption never hides addressing, which requires a VPN or Tor |
Those last two rows are the part most people miss: HTTPS encrypts the contents of the conversation, but the fact of the conversation (which server, from which IP, how much data) remains observable. On an untrusted network this metadata still tells a story, which is why public Wi-Fi privacy advice layers a VPN on top of HTTPS rather than choosing between them.
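To make the eavesdropper table concrete, here is an added example (not from the original page) that parses two constructed packets: a plaintext HTTP request, from which host, path, cookie and body are all recoverable, and a TLS ClientHello, from which only the SNI host name can be read because it is sent before any key exists. The sample request and the ClientHello builder are constructed for this demonstration.

```python
# Added example (not from the original page): what a passive observer on the path
# can read from a plaintext HTTP request versus a TLS ClientHello. No network is used.
import struct

SAMPLE_HTTP_REQUEST = (b"GET /account?id=42 HTTP/1.1\r\nHost: shop.example\r\n"  # constructed
                       b"Cookie: session=abc123\r\n\r\n")

def observe_http(request: bytes) -> dict:
    """Plain HTTP: host, full path, cookies and body are all readable."""
    head, _, body = request.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    _method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"host": headers.get("host"), "path": path,
            "cookie": headers.get("cookie"), "body": body.decode("ascii", "replace")}

def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS ClientHello record carrying only a server_name (SNI) extension."""
    name = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    sni_ext = (struct.pack("!HH", 0, len(sni_list) + 2)              # ext type 0, ext length
               + struct.pack("!H", len(sni_list)) + sni_list)
    body = (b"\x03\x03" + bytes(32)         # legacy_version + 32-byte random (zeros here)
            + b"\x00"                        # empty session id
            + b"\x00\x02\x13\x01"            # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                    # compression methods: null only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def observe_tls_client_hello(record: bytes) -> dict:
    """HTTPS: the ClientHello goes out before any key exists, so SNI is in the clear."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 5 + 4 + 2 + 32                          # record hdr, handshake hdr, version, random
    p += 1 + record[p]                          # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher suites
    p += 1 + record[p]                          # compression methods
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p, server_name = p + 2, None
    while p < ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        if etype == 0:                          # server_name: list len(2), type(1), len(2), name
            nlen = struct.unpack("!H", record[p + 7:p + 9])[0]
            server_name = record[p + 9:p + 9 + nlen].decode("ascii")
        p += 4 + elen
    return {"host": server_name, "path": None, "cookie": None, "body": None}  # rest is encrypted
```

Run `observe_http(SAMPLE_HTTP_REQUEST)` beside `observe_tls_client_hello(build_client_hello("shop.example"))` to see the two rows of the table side by side.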
How to Inspect a Site's HTTPS Yourself
In the browser
Click the padlock (or tune icon in recent Chrome) in the address bar → Connection is secure → Certificate is valid to see the certificate's subject, issuer, and validity dates. For more depth, press F12 to open DevTools and check the Security tab, which reports the TLS version, key exchange, and cipher in use, and flags any mixed content the page loaded.
With site-side tools
Run any domain through the SSL checker to view its certificate chain and expiry, and through the HTTP headers check to confirm hardening headers like Strict-Transport-Security are present. A site that redirects HTTP to HTTPS and serves HSTS is doing the basics right.
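As an added example (not code from the page or from any browser) that models the HSTS behaviour described in the bullet list above and checked by the headers tool here: the store parses a Strict-Transport-Security header, accepts it only when received over HTTPS, and upgrades later http:// URLs for that host and, with includeSubDomains, its subdomains, until max-age expires. Hosts, headers and the clock are constructed.

```python
# Added example: a minimal model of how a browser honours Strict-Transport-Security.
# Hosts, headers and the clock below are constructed; nothing is fetched.
import time
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(header: str):
    """Parse 'max-age=N[; includeSubDomains][; preload]'; None if max-age is missing or bad."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                return None                  # malformed header: ignore it entirely
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy if policy["max_age"] is not None else None

class HstsStore:
    """Per-host HSTS cache: host -> (expiry timestamp, include_subdomains)."""
    def __init__(self, clock=time.time):
        self.clock, self.hosts = clock, {}

    def observe(self, host: str, header: str, secure: bool) -> None:
        # A policy is only accepted over HTTPS; over plain HTTP it could be injected.
        policy = parse_hsts(header) if secure else None
        if policy is None:
            return
        if policy["max_age"] == 0:           # max-age=0 tells the browser to forget the host
            self.hosts.pop(host.lower(), None)
        else:
            self.hosts[host.lower()] = (self.clock() + policy["max_age"],
                                        policy["include_subdomains"])

    def upgrade(self, url: str) -> str:
        """Return the https:// form of an http:// URL when a live policy covers its host."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = parts.hostname.lower().split(".")
        for i in range(len(labels)):           # exact host first, then each parent domain
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None or entry[0] <= self.clock():
                continue                         # unknown or expired policy
            if i == 0 or entry[1]:               # parent applies only with includeSubDomains
                return urlunsplit(("https",) + tuple(parts)[1:])
        return url
```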
What This Means for You
As a visitor, the rule is simple: never type anything sensitive into a page your browser marks "Not Secure", and treat the padlock as proof of encryption only; a phishing site with perfect HTTPS is still a phishing site, so judge identity by the domain, not the lock. As a site owner, there is no remaining excuse: certificates are free and auto-renewing via Let's Encrypt, browsers shame plain HTTP, and search engines reward HTTPS. Redirect all HTTP to HTTPS, enable HSTS, and keep an eye on certificate expiry; the checks above take a minute and catch the common failures.
Frequently Asked Questions
Can my ISP see what I do on HTTPS websites?
Partially. Your ISP can see which domains you connect to and how much data flows, but not the pages you read, the searches you type, or anything you submit. Hiding the domain-level metadata as well requires encrypted DNS plus a VPN or Tor.
Why does a padlock not mean a website is trustworthy?
Because certificates verify domain control, not honesty: anyone, including scammers, can get a free valid certificate for a domain they own. The padlock means your connection to that domain is encrypted. Whether the domain itself is legitimate is a separate judgement based on its spelling, age, and reputation.
Is HTTPS slower than HTTP?
Not meaningfully on modern stacks. TLS 1.3 needs one round trip to establish encryption and can resume sessions with zero, while HTTP/2 and HTTP/3 (available only over encrypted connections) often make HTTPS sites faster in practice than plain HTTP ever was.