HTTP vs HTTPS
HTTP sends everything as plain text. If you log in to an HTTP site over public Wi-Fi, anyone on the same network can read your username and password with a packet sniffer. HTTPS wraps HTTP inside TLS (Transport Layer Security), so all data is encrypted before it leaves your device.
| Feature | HTTP | HTTPS |
|---|---|---|
| Default port | 80 | 443 |
| Encryption | None | TLS (AES-256 typically) |
| Server authentication | None | SSL/TLS certificate |
| Data integrity | No — can be tampered | Yes — HMAC verification |
| SEO ranking | Penalised | Preferred by Google |
| Browser indicator | "Not Secure" warning | Padlock icon |
Symmetric vs Asymmetric Encryption
TLS uses both types of encryption — each for a different purpose:
- Asymmetric encryption (RSA, ECDSA): Uses a public/private key pair. Anything encrypted with the public key can only be decrypted with the private key. Used during the TLS handshake to securely exchange a session key. Slow — not suitable for bulk data.
- Symmetric encryption (AES): Both sides use the same key. Fast — used to encrypt all actual HTTP traffic once the session key is agreed upon.
TLS uses asymmetric encryption to securely establish a symmetric session key, then uses that symmetric key for everything after. This gives you both security (asymmetric key exchange) and performance (symmetric bulk encryption).
The TLS Handshake (TLS 1.3)
TLS 1.3 (the current standard) completes the handshake in 1 round trip (vs 2 in TLS 1.2). In detail:
- ClientHello: Browser sends supported TLS version, list of cipher suites, and a key share (Diffie-Hellman public value).
- ServerHello: Server picks cipher suite, sends its own key share, and its TLS certificate (signed by a CA).
- Certificate verification: The browser checks: Is the certificate signed by a trusted CA? Does it cover the domain being visited? Has it expired? If all checks pass, the server is authenticated.
- Key derivation: Both sides use the exchanged key shares (ECDHE) to independently derive the same session key — without ever transmitting it. This is the magic of Diffie-Hellman.
- Finished: Both sides send a "Finished" message encrypted with the derived session key, confirming the handshake is complete. All HTTP traffic is now encrypted with AES.
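As an added illustration of the key-derivation step (this is example code, not code from this guide), the block below performs an X25519 exchange in pure Python, the key-share mechanism most TLS 1.3 connections use: client and server each combine their own private scalar with the other side's key share, arrive at the same shared secret without ever sending it, and feed it through HKDF-SHA256 to get a session key. The curve arithmetic follows RFC 7748; the HKDF label is a placeholder, not a real TLS 1.3 key-schedule label.

```python
import hashlib, hmac, secrets

P = 2**255 - 19          # the Curve25519 field prime
A24 = 121665             # (486662 - 2) / 4, the ladder constant from RFC 7748
BASEPOINT = (9).to_bytes(32, "little")

def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder on Curve25519, as specified in RFC 7748 section 5."""
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64          # clamp the private scalar
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair(private: bytes = b""):
    """Fresh (or supplied) private scalar plus the key share that goes on the wire."""
    private = private or secrets.token_bytes(32)
    return private, x25519(private, BASEPOINT)

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes) -> bytes:
    """HKDF-Extract followed by one block of HKDF-Expand (RFC 5869); 32 bytes out."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

def handshake(client_priv: bytes = b"", server_priv: bytes = b""):
    """Simulate the key-share exchange; return (client_key, server_key, shared_secret)."""
    c_priv, c_share = keypair(client_priv)   # key share carried in ClientHello
    s_priv, s_share = keypair(server_priv)   # key share carried in ServerHello
    c_secret = x25519(c_priv, s_share)       # client: own scalar * server's share
    s_secret = x25519(s_priv, c_share)       # server: own scalar * client's share
    label = b"hypothetical-session-key-label"  # placeholder, not TLS 1.3's real labels
    return hkdf_sha256(c_secret, b"", label), hkdf_sha256(s_secret, b"", label), c_secret
```

The two derived keys are equal even though neither side transmitted its private scalar, and a fresh `handshake()` call yields a different key every time, which is what gives TLS 1.3 its forward secrecy.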
SSL/TLS Certificates
A certificate binds a domain name to a public key, signed by a trusted Certificate Authority (CA). It contains:
- Domain name(s) it is valid for (Subject Alternative Names)
- The server's public key
- Issuing CA name
- Validity dates (typically 90 days for Let's Encrypt, 1 year for commercial CAs)
- Digital signature from the CA
Types of certificates
| Type | Validates | Use Case | Cost |
|---|---|---|---|
| DV (Domain Validated) | Domain ownership only | Blogs, personal sites | Free (Let's Encrypt) |
| OV (Organisation Validated) | Domain + organisation identity | Business sites | $50–$300/yr |
| EV (Extended Validation) | Strict org verification | Banks, e-commerce | $100–$600/yr |
| Wildcard | Domain + all subdomains (*.example.com) | Sites with many subdomains | Varies |
💡 Use Let's Encrypt for Free HTTPS
Let's Encrypt issues free, automated, 90-day DV certificates. Certbot (the recommended client) can auto-renew them. For most developer sites and APIs, a DV certificate is perfectly sufficient — it provides the same level of encryption as an EV certificate.
TLS 1.2 vs TLS 1.3
| Feature | TLS 1.2 | TLS 1.3 |
|---|---|---|
| Handshake round trips | 2 RTT | 1 RTT |
| 0-RTT resumption | No | Yes (with caveats) |
| Weak cipher suites | Allowed (RC4, 3DES) | Removed — all weak ciphers gone |
| Forward secrecy | Optional | Mandatory (ECDHE only) |
| Adoption | ~40% of traffic | ~60% and growing |
Common HTTPS Issues
- Mixed content: Page served over HTTPS but loads an image or script over HTTP — browser blocks or warns. Fix: ensure all resources use HTTPS URLs.
- Certificate expired: Certificates have expiry dates. Let's Encrypt certs expire every 90 days — automate renewal with Certbot.
- Certificate name mismatch: Certificate issued for www.example.com but visiting example.com — get a certificate that covers both (or use a wildcard).
- Self-signed certificate: Fine for local development, but browsers will show a security warning. Never use in production.
⚠️ HTTPS ≠ Safe Site
The padlock means the connection is encrypted — not that the site is trustworthy. Phishing sites routinely use HTTPS. Always check the domain name, not just the padlock.
How We Research and Update This Guide
We test the underlying formula or workflow, compare outputs with reliable references, and revise examples whenever the page content changes.
- The workflow or formula is tested directly in the tool and compared against independent reference examples.
- Examples are kept practical so readers can verify the result without hidden assumptions.
- Pages are revised whenever the interface, calculation flow, or surrounding guidance materially changes.
Frequently Asked Questions — HTTPS & TLS
What is the difference between HTTP and HTTPS?
HTTP (HyperText Transfer Protocol) transmits data in plain text — anyone intercepting the network traffic can read it. HTTPS (HTTP Secure) wraps HTTP inside TLS encryption, so data is encrypted in transit. HTTPS also authenticates the server via SSL/TLS certificates, ensuring you are talking to the real website and not an impostor.
What is the difference between SSL and TLS?
SSL (Secure Sockets Layer) was the original protocol, developed in the 1990s. It had several vulnerabilities and was deprecated. TLS (Transport Layer Security) is the modern successor — TLS 1.2 and TLS 1.3 are the current standards. Technically, what most people call "SSL certificates" are actually TLS certificates. The term "SSL" has stuck colloquially even though TLS is what's actually used.
How does the TLS handshake work?
The TLS handshake establishes an encrypted session: (1) The client sends supported TLS versions and cipher suites. (2) The server responds with its chosen cipher suite and sends its SSL certificate. (3) The client verifies the certificate against trusted Certificate Authorities. (4) They exchange keys (in TLS 1.3, via key agreement algorithms like ECDHE). (5) Both sides derive a shared session key and confirm the handshake. All subsequent traffic is encrypted with that session key.
What is a Certificate Authority (CA)?
A Certificate Authority (CA) is a trusted organisation that issues and signs SSL/TLS certificates. When a CA signs a certificate, it vouches that the domain owner verified their identity. Browsers and operating systems ship with a list of ~150 trusted root CAs. If a certificate is signed by a trusted CA, your browser shows the padlock. Well-known CAs include DigiCert, Sectigo, and Let's Encrypt (free, automated).
Does HTTPS mean a website is safe?
No. HTTPS encrypts data in transit and authenticates the server, but it does not protect against: (1) Attacks on the server itself (SQL injection, XSS). (2) Malware on the user's device. (3) Attacks after the data is decrypted on the server. (4) Metadata — HTTPS hides content but not the fact that you connected to a domain. A site can serve malware over HTTPS. The padlock means the connection is encrypted, not that the site is safe.
What is HSTS?
HSTS (HTTP Strict Transport Security) is a security header that tells browsers: "always use HTTPS for this domain, never HTTP". Once a browser has seen the HSTS header, it will automatically upgrade all future requests to HTTPS and refuse to connect over plain HTTP. This prevents SSL-stripping attacks where an attacker downgrades HTTPS to HTTP. Example header: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload