HTTP vs HTTPS

HTTPS is HTTP with a layer of TLS encryption — it protects your traffic from eavesdropping, tampering, and impersonation.

What HTTP Lacks

HTTP (HyperText Transfer Protocol) was designed in the early days of the web when the internet was a small academic network and security was not a primary concern. Every HTTP request and response travels as plaintext — readable by anyone who can observe the network path between client and server.

That path includes more observers than most people realize: your home router, your ISP's equipment, every transit router between you and the server, and anyone sharing your Wi-Fi network. On an unencrypted connection, any of these can read exactly what page you are viewing, what you type into forms, what cookies identify your session, and what the server sends back. They can also silently modify the content — injecting ads, changing links, or replacing files.

This is not a theoretical threat. ISPs have historically injected tracking pixels into HTTP responses. Attackers on public Wi-Fi networks routinely intercept HTTP traffic. Without encryption, every HTTP connection is a public conversation.

What HTTPS Adds

HTTPS is HTTP running inside a TLS (Transport Layer Security) tunnel. The HTTP protocol itself does not change — requests and responses look identical. What changes is that they are encrypted before being sent and decrypted after being received, using keys that only the client and server possess.

TLS provides three things that plain HTTP lacks:

Confidentiality: Traffic is encrypted so that observers on the network path see only ciphertext. They cannot read the full URLs you visit (only the domain name remains visible, through DNS and SNI), your form submissions, your session cookies, or the server's responses.

Integrity: TLS includes a cryptographic message authentication code (MAC) on every record. Any tampering with the data in transit — even flipping a single bit — is detected and the connection is terminated. No one can silently modify your traffic.

Authentication: The server presents a TLS certificate signed by a trusted Certificate Authority. Your browser verifies the certificate chain before completing the handshake. This proves you are talking to the real server for that domain, not an impersonator. Without this, an attacker could intercept the connection and impersonate the server (a man-in-the-middle attack).
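
The tamper detection described under Integrity, as an added example (not from the original page): a simplified record layer in Python, loosely modelled on the TLS 1.2 HMAC construction, with encryption and the handshake left out. The key, payloads and helper names (protect, Receiver, flip_bit, is_accepted) are constructed for illustration; TLS 1.3 gets the same property from AEAD ciphers rather than a separate MAC.

```python
import hashlib
import hmac
import struct

MAC_LEN = 32  # HMAC-SHA256 tag size in bytes


def _tag(mac_key: bytes, seq: int, payload: bytes) -> bytes:
    # The MAC covers an implicit sequence number and the length, not just the
    # payload, so replayed or reordered records fail as well as edited ones.
    header = struct.pack("!QH", seq, len(payload))
    return hmac.new(mac_key, header + payload, hashlib.sha256).digest()


def protect(mac_key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: append the tag to the payload."""
    return payload + _tag(mac_key, seq, payload)


class Receiver:
    """Verifies records in order and closes on the first bad one."""

    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.next_seq = 0
        self.closed = False

    def receive(self, record: bytes) -> bytes:
        if self.closed:
            raise ConnectionError("connection already terminated")
        payload, tag = record[:-MAC_LEN], record[-MAC_LEN:]
        expected = _tag(self.mac_key, self.next_seq, payload)
        if len(record) < MAC_LEN or not hmac.compare_digest(tag, expected):
            self.closed = True
            raise ConnectionError("bad record MAC, connection terminated")
        self.next_seq += 1
        return payload


def flip_bit(record: bytes, bit: int) -> bytes:
    """Model an on-path change of a single bit."""
    out = bytearray(record)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def is_accepted(mac_key: bytes, records: list) -> bool:
    """True only if a fresh receiver accepts every record in the order given."""
    rx = Receiver(mac_key)
    try:
        for r in records:
            rx.receive(r)
    except ConnectionError:
        return False
    return True
```

A single flipped bit anywhere in a record, a replayed record, or two records swapped in order all make is_accepted return False.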

HTTP vs HTTPS Comparison

| Feature | HTTP | HTTPS |
|---|---|---|
| Encryption | None — plaintext | TLS — fully encrypted |
| Default port | 80 | 443 |
| Data integrity | No — content can be modified in transit | Yes — any tampering is detected |
| Server authentication | No — you cannot verify who you are talking to | Yes — certificate proves server identity |
| SEO impact | Penalized by search engines | Preferred — Google uses HTTPS as a ranking signal |
| Speed | HTTP/1.1 only | Enables HTTP/2 and HTTP/3 (faster in practice) |

What the Lock Icon Actually Means (and Doesn't Mean)

When you see a lock icon in your browser's address bar, it means two things: your connection to the server is encrypted, and the server presented a valid certificate for that domain. That is all it means.

The lock does not mean the website is safe, legitimate, or trustworthy. A phishing site impersonating your bank can have a perfectly valid HTTPS certificate — obtained for free from Let's Encrypt in minutes. The certificate proves the site is really at that domain, but it says nothing about whether the domain itself is malicious.

Modern browsers have largely removed the lock icon in favor of more nuanced indicators. The absence of a "Not Secure" warning is the baseline expectation — HTTPS is now the norm, not a badge of honor. Users should focus on whether the domain in the address bar is correct, not just whether there is a lock.

Why HTTPS Is Now Universal

A few years ago, HTTPS was mainly used for login pages and payment forms. Today, virtually every site uses HTTPS for all pages. Several forces drove this shift:

Let's Encrypt: Launched in 2016, Let's Encrypt provides free, automated TLS certificates. The cost barrier that previously kept small sites on HTTP disappeared almost overnight.

Browser pressure: Chrome and Firefox began marking HTTP sites as "Not Secure" in 2017, displaying the label prominently in the address bar. The reputational cost of the warning pushed site operators to migrate.

HTTP/2 requires TLS: HTTP/2 brought significant performance improvements, but browser implementations require HTTPS. Sites that wanted faster load times had to migrate to HTTPS to access the new protocol.

Search engine ranking: Google announced HTTPS as a ranking signal in 2014. Sites on HTTP face a small but real SEO penalty compared to their HTTPS equivalents.

The result is that HTTPS now accounts for the vast majority of web traffic. HTTP is effectively a legacy protocol for the web, kept around for backward compatibility but not used for any new sites.

Frequently Asked Questions

Is HTTP safe to use?

No. Plain HTTP transmits all data — including passwords, form submissions, and cookies — as unencrypted text. Any device on the network path between you and the server can read or modify that traffic. Browsers now mark HTTP sites as "Not Secure" and warn users before submitting forms.

What port does HTTPS use?

HTTPS uses port 443 by default, compared to HTTP which uses port 80. When you type a URL without specifying a port, your browser automatically uses port 80 for http:// URLs and port 443 for https:// URLs.

Does HTTPS mean a website is legitimate?

Not necessarily. HTTPS only guarantees that your connection to the server is encrypted and that the server presented a valid certificate for that domain. A phishing site can have a valid HTTPS certificate. The lock icon means your connection is private, not that the destination is trustworthy.

Is HTTPS slower than HTTP?

Marginally at connection setup, but not in a way users notice on modern hardware. The TLS handshake adds one or two round trips initially. However, HTTPS is required for HTTP/2 and HTTP/3, which are significantly faster than HTTP/1.1. In practice, an HTTPS site running HTTP/2 loads faster than an HTTP site limited to HTTP/1.1.

What happens if I visit an HTTP site?

Your browser displays a "Not Secure" warning in the address bar. Your traffic is sent as plaintext — anyone who can observe the network can see the pages you visit and any data you submit. Many browsers now also block form submissions on HTTP pages or display prominent interstitial warnings.

How do I know if my connection is encrypted?

Look at the URL in your browser's address bar. If it starts with https://, the connection is encrypted with TLS. You can click the security indicator next to the URL to see certificate details, including who issued it and when it expires.
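
The same checks made from code, as an added example (not from the original page), covering both the Authentication point above and the certificate details mentioned in this answer. It uses Python's standard ssl module; the helper names and SAMPLE_CERT are constructed for illustration, and fetch_cert needs network access, so the sample dict stands in for a live certificate.

```python
import socket
import ssl


def verified_context() -> ssl.SSLContext:
    """Client context that validates the chain and the hostname (the default)."""
    return ssl.create_default_context()


def context_problems(ctx: ssl.SSLContext) -> list:
    """List settings that would let an impersonator complete the handshake."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate chain is not verified")
    if not ctx.check_hostname:
        problems.append("hostname is not checked against the certificate")
    return problems


def summarize_cert(cert: dict, now: float) -> dict:
    """Pull issuer, DNS names and expiry out of a getpeercert()-style dict."""
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "dns_names": names,
        "days_left": int((expires - now) // 86400),  # negative once expired
    }


def fetch_cert(host: str, port: int = 443) -> dict:
    """Needs network access: handshake with verification on, return the cert."""
    with socket.create_connection((host, port), timeout=5) as sock:
        with verified_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Trust CA"),),
        (("commonName", "E1"),),
    ),
    "notAfter": "Apr  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "www.shop.example")),
}
```

With network access, summarize_cert(fetch_cert(host), time.time()) reports the same fields for a live site; the handshake fails before any certificate is returned if the chain or hostname does not validate.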
