From HTTP to HTTPS: What Changed?

When the web was young, browsers communicated with servers using HTTP (HyperText Transfer Protocol) — plain text sent openly across the network. Anyone positioned between your device and the server (say, on a public Wi-Fi network) could read everything: your passwords, messages, credit card numbers. Everything. And because nothing checked the data on the way, they could silently alter it too.

HTTPS (HTTP Secure) solved this by wrapping HTTP inside an encryption layer called TLS (Transport Layer Security, the successor to SSL). The padlock icon in your browser (some browsers have since swapped it for a neutral icon, but the check behind it is the same) means that the connection is encrypted and that the certificate the server presented was validated for the domain shown in the address bar.

The Three Goals of HTTPS

  • Confidentiality: Your data is encrypted in transit — interceptors see gibberish, not content.
  • Integrity: Data cannot be tampered with in transit without detection.
  • Authentication: You can verify you're talking to the real website, not an impostor.

What Is a TLS Certificate?

A TLS certificate is a digital document issued by a trusted Certificate Authority (CA), an organization such as DigiCert, Let's Encrypt, or Sectigo (formerly Comodo). The certificate contains:

  • The website's domain name, plus any additional names it covers, listed in the Subject Alternative Name field
  • The website owner's public key
  • The name of the issuing CA and its digital signature over the certificate, which binds the domain name to that public key
  • A validity period: a not-before date and an expiry date

Your browser ships with (or borrows from the operating system) a list of trusted CAs. When a site presents its certificate, the browser checks that it chains back to one of those CAs through valid signatures, that the name in the certificate matches the host in the address bar, and that the current date falls inside its validity period. If any of these checks fails, you get a security warning.

The TLS Handshake: Step by Step

Every HTTPS connection begins with a TLS handshake — a brief negotiation that establishes encryption before any real data is exchanged. Here's what happens:

  1. Client Hello: Your browser contacts the server and announces which TLS versions and encryption algorithms (cipher suites) it supports, along with a random value and, in TLS 1.3, its share of an ephemeral key exchange.
  2. Server Hello: The server picks a version and cipher suite both sides support, sends its own random value and key share, and presents its TLS certificate. In TLS 1.3 the certificate and the rest of the handshake are already encrypted at this point.
  3. Certificate Verification: Your browser checks that the certificate chains to a trusted CA, that its name matches the host being connected to, and that it hasn't expired or been revoked. The server also signs the handshake so far with the private key that belongs to the certificate, which proves it actually holds that key.
  4. Key Exchange: From the two key shares, browser and server each compute the same shared secret with (elliptic-curve) Diffie-Hellman and derive session keys from it. The secret never crosses the network, and because the shares are generated fresh for every connection, recorded traffic can't be decrypted later even if the server's private key leaks (forward secrecy). Older TLS 1.2 connections could instead have the browser encrypt a secret to the server's public key; that method has no forward secrecy and TLS 1.3 removed it.
  5. Encrypted Session Begins: Both sides confirm they derived the same keys (the Finished messages), and all subsequent communication uses those keys with a fast symmetric cipher such as AES-GCM. The handshake is complete.

Asymmetric vs. Symmetric Encryption in HTTPS

HTTPS uses both types of encryption, each for what it does best:

  • Asymmetric (public-key) cryptography is used during the handshake: a Diffie-Hellman key agreement (ECDHE) lets the two sides arrive at a shared secret without any prior shared key, and a digital signature (RSA or ECDSA) made with the key in the server's certificate authenticates the server. It's computationally expensive, so it runs only once per connection.
  • Symmetric encryption (e.g., AES-128-GCM, AES-256-GCM, or ChaCha20-Poly1305) is used for the actual data transfer. It's fast and efficient, and these authenticated (AEAD) ciphers also attach a tag to every record, which is what gives HTTPS its integrity guarantee.
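The two halves in action, as an added example that is not from the original article: an X25519 key agreement stands in for the handshake's asymmetric step and AES-256-GCM for the symmetric record layer. The key derivation is simplified (a single SHA-256 of the shared secret instead of TLS's HKDF over the handshake transcript) so the program needs only Go's standard library, and the HTTP request line used as the message is constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// agree is what each side does: parse the peer's public share, combine it with its own
// private key, and derive the session key from the result. Assumption for brevity:
// a plain SHA-256 replaces the HKDF-over-transcript derivation that TLS actually uses.
func agree(priv *ecdh.PrivateKey, peerShare []byte) ([]byte, error) {
	peer, err := priv.Curve().NewPublicKey(peerShare)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	return k[:], nil
}

// KeyExchange performs the ephemeral X25519 agreement a TLS 1.3 client and server do.
// It returns the key each side computed and the two public shares that crossed the wire;
// the private keys and the session key itself are never transmitted.
func KeyExchange() (clientKey, serverKey, clientShare, serverShare []byte, err error) {
	cPriv, err := ecdh.X25519().GenerateKey(rand.Reader) // fresh keys per connection: forward secrecy
	if err != nil {
		return nil, nil, nil, nil, err
	}
	sPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, nil, err
	}
	clientShare, serverShare = cPriv.PublicKey().Bytes(), sPriv.PublicKey().Bytes() // the only key material on the wire
	if clientKey, err = agree(cPriv, serverShare); err != nil {
		return nil, nil, nil, nil, err
	}
	if serverKey, err = agree(sPriv, clientShare); err != nil {
		return nil, nil, nil, nil, err
	}
	return clientKey, serverKey, clientShare, serverShare, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record with AES-256-GCM: nonce prepended, authentication tag appended.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a record from Seal; the tag check fails on any modification in transit.
func Open(key, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, fmt.Errorf("record too short")
	}
	return gcm.Open(nil, record[:gcm.NonceSize()], record[gcm.NonceSize():], nil)
}

// Session runs the whole exchange: agree on a key, send one encrypted record, and
// confirm that a single flipped bit in transit is rejected rather than decrypted.
func Session(msg []byte) (keysMatch, roundTrip, tamperDetected bool, err error) {
	cKey, sKey, _, _, err := KeyExchange()
	if err != nil {
		return false, false, false, err
	}
	keysMatch = bytes.Equal(cKey, sKey)
	rec, err := Seal(cKey, msg) // client -> server
	if err != nil {
		return keysMatch, false, false, err
	}
	got, err := Open(sKey, rec)
	roundTrip = err == nil && bytes.Equal(got, msg)
	tampered := append([]byte(nil), rec...)
	tampered[len(tampered)/2] ^= 0x01 // an on-path attacker flips one bit of the record
	_, err = Open(sKey, tampered)
	tamperDetected = err != nil
	return keysMatch, roundTrip, tamperDetected, nil
}

func main() {
	keysMatch, roundTrip, tamperDetected, err := Session([]byte("GET /account HTTP/1.1"))
	fmt.Println("keys match:", keysMatch, "round trip:", roundTrip, "tamper detected:", tamperDetected, "err:", err)
}
```

Both sides end up with the same 32-byte key although only the two 32-byte public shares ever cross the wire, and Open rejects the record as soon as one bit of it changes, which is the integrity goal from the list near the top of the page delivered by the symmetric layer.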

What "Let's Encrypt" Changed

Historically, TLS certificates cost money and required manual setup, which kept HTTPS rare outside major websites. Let's Encrypt, a free CA run by the Internet Security Research Group that reached general availability in 2016, changed that. Its ACME protocol lets a client prove control of a domain and then obtain, install and renew a certificate automatically, which made HTTPS practical for anyone with a domain name. Today the large majority of web page loads happen over HTTPS.

What HTTPS Doesn't Protect

It's worth being clear about HTTPS's limits:

  • It encrypts data in transit, not data stored on the server. A compromised server, or a vulnerable web application running on it, can still expose your data.
  • HTTPS confirms you're talking to the real owner of the domain in the address bar, but that domain could still belong to a malicious actor (phishing sites can and do have valid HTTPS certificates).
  • It doesn't hide which sites you visit. Your DNS lookups and the server name sent at the start of the handshake (SNI) are normally visible to the network, as are the size and timing of the encrypted traffic.
  • It doesn't protect you from malware on your own device, which sees your data before it is encrypted and after it is decrypted.

HTTPS is a foundational layer of internet security — essential, but one part of a broader security picture. Understanding how it works helps you make smarter decisions about the sites and services you trust.