What is HTTPS?
How HTTPS encrypts web traffic, what SSL/TLS certificates are, and why the padlock in your browser matters.
HTTP vs HTTPS
HTTP (HyperText Transfer Protocol) is the foundation of data communication on the web. When you visit a website, your browser sends HTTP requests and receives HTTP responses. The problem: HTTP sends everything in plain text. Anyone between you and the server — your ISP, a router, someone on the same WiFi — can read or modify the traffic.
HTTPS (HTTP Secure) adds a layer of encryption called TLS (Transport Layer Security) on top of HTTP. Your browser and the server negotiate an encrypted connection before any data is exchanged, so all traffic is unreadable to anyone in between.
As of 2024, over 95% of web traffic is HTTPS. Browsers actively warn users about HTTP-only sites. Sending passwords, payment info, or personal data over HTTP is a security violation.
What TLS actually does
TLS (Transport Layer Security) provides three guarantees:
1. Encryption
All data in transit is encrypted. Even if someone intercepts the packets, they see what looks like random bytes — decrypting them without the session key is computationally infeasible.
2. Authentication
The server proves its identity with a digital certificate. This prevents impersonation — when you connect to your bank's HTTPS site, you know you're actually talking to that bank and not an attacker.
3. Integrity
Each message carries an authentication tag — a MAC (Message Authentication Code), or in modern cipher suites such as AES-GCM the tag produced by the authenticated encryption mode. If any byte is altered in transit, the receiver detects the tampering and the connection is dropped.
How the TLS handshake works
Before any HTTPS data flows, the browser and server negotiate a secure connection through a "handshake" — typically taking under 100ms:
Browser → Server: "Hello, I support TLS 1.3, here are my cipher suites"
Server → Browser: "Hello, I'll use TLS 1.3 + AES-256-GCM"
Server → Browser: "Here's my certificate (signed by a trusted CA)"
Browser validates: "Certificate is valid, I trust this server"
Both sides: Generate a shared session key using key exchange
Both sides: All further communication is encrypted with that key
The session key is established with asymmetric cryptography (a key exchange, so both sides arrive at the same key without it ever being sent in plain text), but all actual data is encrypted with faster symmetric encryption under that key.
SSL certificates
An SSL/TLS certificate is a digital document that proves who owns a domain. It is issued by trusted organizations called Certificate Authorities (CAs) — Let's Encrypt, DigiCert, Sectigo, and others.
DV (Domain Validated) — verifies you control the domain. Fast, free via Let's Encrypt. All you need for most sites.
OV (Organization Validated) — verifies your organization exists. Shows company name in certificate details. Used by businesses.
EV (Extended Validation) — the most rigorous verification, once showed a green address bar. Now largely obsolete — browsers removed the special UI in 2019.
Wildcard — covers a domain and all immediate subdomains: *.example.com covers www, api, app, etc.
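The "Browser validates" step of the handshake and the wildcard rule above are easy to get wrong, so here is an added example (not code from the original page) of the two checks a client performs on a certificate beyond verifying the CA's signature: does a DNS name in the Subject Alternative Name list cover the hostname, and is the certificate within its validity window. The certificate is a constructed dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and the date parsing relies on the standard library's `ssl.cert_time_to_seconds`.

```python
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert()
# (not a real certificate): a DV certificate with a wildcard SAN.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}


def dns_name_matches(pattern, hostname):
    """Browser-style match of one SAN DNS entry against the requested hostname.

    A '*' counts only as the entire leftmost label and stands for exactly one
    label: '*.example.com' covers 'api.example.com' but not 'example.com',
    'a.b.example.com' or anything under a different registered domain.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject '*.com' style patterns and wildcards anywhere but the first label.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if any DNS SAN entry covers hostname (the CN is ignored, as browsers do)."""
    return any(kind == "DNS" and dns_name_matches(name, hostname)
               for kind, name in cert.get("subjectAltName", ()))


def validation_errors(cert, hostname, now=None):
    """Reasons a browser would reject cert for hostname at Unix time `now`.
    Chain and signature checks are the TLS library's job and are not repeated here."""
    now = time.time() if now is None else now
    errors = []
    if not hostname_matches(cert, hostname):
        errors.append("hostname mismatch")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        errors.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        errors.append("expired")
    return errors
```

In real code, let `ssl.create_default_context()` do all of this for you; the point of spelling it out is to see why `*.example.com` does not cover `deep.api.example.com` and why an expired certificate fails even when the name matches.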
HTTPS for developers
# Get a free certificate with Let's Encrypt (via Certbot)
certbot --nginx -d example.com -d www.example.com
# Most modern hosting handles this automatically:
# - Vercel, Netlify, Cloudflare: auto-provisioned
# - AWS: ACM (Certificate Manager) provides free certs for AWS services
# Check your site's TLS config
openssl s_client -connect example.com:443
# Force HTTPS redirect in nginx
server {
    listen 80;
    return 301 https://$host$request_uri;
}

Frequently asked questions
- Does HTTPS mean a site is safe to use?
- Not exactly. HTTPS means the connection between you and the server is encrypted and you're talking to the right server. It says nothing about what the server does with your data. Phishing sites can and do have valid HTTPS certificates. The padlock means encrypted, not trustworthy.
- What is SSL and is it different from TLS?
- SSL (Secure Sockets Layer) was the original protocol, first released in 1995. TLS (Transport Layer Security) is its successor, first standardized in 1999. SSL 3.0, TLS 1.0, and TLS 1.1 are all deprecated and insecure. Modern systems use TLS 1.2 or TLS 1.3. Despite this, people still say 'SSL certificate' when they mean a TLS certificate — the terms are used interchangeably in practice.
- Does HTTPS slow down my site?
- Negligibly with TLS 1.3 and modern hardware. The one-time handshake takes about 1 round trip (vs 2 for TLS 1.2). Session resumption lets subsequent connections skip the full handshake. HTTP/2 and HTTP/3 — which bring significant performance improvements — require HTTPS. So paradoxically, HTTPS sites can load faster than HTTP because they can use the newer protocols.