Security

HTTPS

HTTP Secure

HTTP with a TLS encryption layer — the standard protocol for all modern websites, ensuring that only your browser and the server can read the traffic between them.

HTTPS is HTTP running inside a TLS tunnel. The protocol is identical to HTTP (the same methods, headers, status codes, and request/response structure), but before any HTTP data flows, the browser and server perform a TLS handshake to establish an encrypted channel. The padlock icon in your browser's address bar signals that this encryption is active and that the certificate the server presented chains to a certificate authority the browser trusts and matches the hostname you requested.

What HTTPS protects

Data                     HTTP      HTTPS
Destination IP address   Visible   Visible
Domain name              Visible   Visible (in the DNS lookup and in the TLS SNI extension)
URL path and query       Visible   Encrypted
Page content             Visible   Encrypted
Cookies and sessions     Visible   Encrypted
Form submissions         Visible   Encrypted

How TLS wraps HTTP

When your browser opens an HTTPS connection, it first completes a TCP three-way handshake, then immediately begins a TLS handshake before sending any HTTP request. During the TLS handshake the browser and server negotiate a protocol version and cipher suite, the server presents its certificate chain (which the browser validates against its trust store and checks against the requested hostname), and both sides derive session keys with an ephemeral key exchange (ECDHE in modern TLS). Because the key exchange is ephemeral, a later compromise of the server's private key does not let an attacker decrypt recorded traffic (forward secrecy). Only after the handshake completes does the encrypted HTTP request travel. The TLS record layer wraps each HTTP message in an encrypted and integrity-protected envelope. An observer on the network still sees the destination IP address and port, the SNI hostname in the plaintext ClientHello, and the sizes and timing of the records (in TLS 1.2 the server's certificate is also sent in the clear; TLS 1.3 encrypts it), but not the request line, headers, or body.

TLS handshake performance: 1.2 vs 1.3

TLS 1.2 requires two round trips before the first HTTP byte: one for the ClientHello/ServerHello exchange, and a second for the key exchange and Finished messages. TLS 1.3 reduces this to one round trip by sending the client's key share in the ClientHello, so the server can derive the session keys and answer with its certificate and Finished message in a single flight. TLS 1.3 also supports 0-RTT resumption: a client that has connected to the server before can send encrypted application data in its very first flight, with no handshake latency at all. The caveat is that 0-RTT data is not protected against replay, so servers should accept it only for idempotent requests (a GET, never a state-changing POST). On a 50 ms round-trip connection, TLS 1.3 saves about 50 ms versus 1.2 on the initial connection.

Session resumption (session tickets in TLS 1.2, PSK-based resumption in TLS 1.3) skips the certificate exchange and the asymmetric key exchange on reconnects; TLS 1.2 resumption still costs one round trip, while TLS 1.3 resumption can be 1-RTT or 0-RTT. The AES-GCM ciphers used in TLS 1.3 are hardware-accelerated (AES-NI on x86, comparable instructions on ARM), so bulk encryption adds negligible CPU overhead even at gigabit speeds, and ChaCha20-Poly1305 is available for devices without AES hardware. In practice, HTTPS costs well under 1% of total page load time on modern hardware and networks.

Certificate types: DV, OV, EV

TLS certificates are issued at three validation levels:

  • DV (Domain Validation): The CA verifies only that you control the domain — no identity check. Issued in seconds via automated challenges. Let's Encrypt issues only DV certificates. Sufficient for the vast majority of websites.
  • OV (Organisation Validation): The CA verifies the domain and the legal identity of the organisation. Takes hours to days. Displays the organisation name in certificate details.
  • EV (Extended Validation): The most rigorous vetting — legal, physical, and operational existence verified. Historically displayed a green bar with the company name in browsers, though most browsers have removed the visual distinction. Primarily used by banks and government sites.

From a cryptographic security standpoint, all three validation levels provide identical encryption. The difference is only in how much you trust the entity behind the certificate.

HTTPS and SEO

Google announced HTTPS as a ranking signal in 2014. Chrome marks HTTP pages as "Not secure" in the address bar, which discourages visitors. Google Search Console reports the HTTP and HTTPS versions of a site separately, and a site that serves both creates duplicate-content issues. The practical SEO guidance is: serve all content over HTTPS, redirect every HTTP URL to its HTTPS counterpart with a 301 redirect, point rel=canonical at the HTTPS version, and list only HTTPS URLs in the sitemap.

Mixed content

A page served over HTTPS that loads any resource (image, script, stylesheet, iframe) over plain HTTP has mixed content. Browsers treat this as a security issue because the HTTP resource can be intercepted and replaced by a network attacker, and a replaced script or stylesheet compromises the whole page even though the main document is encrypted. Modern browsers block mixed active content (scripts, stylesheets, iframes, objects) entirely and display a warning for mixed passive content (images, audio, video); recent Chrome versions first try to auto-upgrade passive http:// resources to https:// and block them if that fails. Fixing mixed content means updating every resource URL to https:// (or to a root-relative or protocol-relative URL, which inherits the page's scheme). As a safety net, the Content-Security-Policy: upgrade-insecure-requests directive instructs the browser to rewrite remaining http:// subresource URLs to https:// before fetching them. Hunting down these references is a common post-migration task when moving a site from HTTP to HTTPS.
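The following is an added example (not code from the original page) of the kind of check a migration runs: it parses an HTML document, resolves each subresource URL against the page URL, and reports plain-http references, split into the active kind browsers block and the passive kind they merely flag. The active/passive classification is a simplified version of the browser rules, the sample page is constructed for the example, and upgrade_insecure shows the rewrite that upgrade-insecure-requests performs.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

# Simplified browser classification. Active content can run code or restyle the
# page, so an attacker who swaps it owns the page: browsers block it outright.
# Passive content (images, media) is fetched but flagged.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self.findings: List[Tuple[str, str, str]] = []   # (severity, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return                                        # only stylesheets count for <link>
        for attr in ("src", "href", "data"):
            url = attrs.get(attr)
            if not url:
                continue
            absolute = urljoin(self.page_url, url)        # relative and // URLs inherit https
            if urlsplit(absolute).scheme != "http":
                continue
            if (tag, attr) in ACTIVE:
                self.findings.append(("blocked", tag, absolute))
            elif (tag, attr) in PASSIVE:
                self.findings.append(("warning", tag, absolute))


def scan_mixed_content(page_url: str, html: str) -> List[Tuple[str, str, str]]:
    """Return every plain-http subresource reference found in html, as served from page_url."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


def upgrade_insecure(url: str) -> str:
    """The rewrite Content-Security-Policy: upgrade-insecure-requests asks the browser
    to perform: same host and path, https:// scheme."""
    parts = urlsplit(url)
    return parts._replace(scheme="https").geturl() if parts.scheme == "http" else url


# Constructed sample page, imagined as served from https://www.example/page
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="http://cdn.example/app.js"></script>
<script src="https://cdn.example/ok.js"></script>
</head><body>
<img src="http://images.example/logo.png">
<img src="//images.example/hero.png">
<a href="http://other.example/">navigation links are not mixed content</a>
<iframe src="/embed/widget"></iframe>
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in scan_mixed_content("https://www.example/page", SAMPLE_PAGE):
        print(f"{severity:8} <{tag}> {url}  ->  {upgrade_insecure(url)}")
```

Run against the sample page it reports the stylesheet and script as blocked and the logo as a warning; the https:// script, the protocol-relative image, the relative iframe and the navigation link are all clean. The same scanner pointed at real templates (with the page URL set to the production https:// origin) is a quick pre-launch check before turning on HSTS.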

HSTS and certificate pinning

Even with HTTPS active, a user's first request to a domain typed as http:// (or reached through an old http:// link) is sent in plaintext before the server can redirect, and an on-path attacker can intercept that request and never let the redirect happen. HSTS (HTTP Strict Transport Security) closes this gap: the Strict-Transport-Security response header tells browsers to connect only via HTTPS for a specified duration (max-age, in seconds; a year is the usual value), rewriting http:// URLs to https:// before any request leaves the machine. Browsers honour the header only when it arrives over HTTPS, since one received over plain HTTP could have been injected. The includeSubDomains flag extends the policy to all subdomains, so enable it only after confirming every subdomain serves HTTPS. Adding a domain to the HSTS preload list (hstspreload.org), which requires max-age of at least one year, includeSubDomains, and the preload directive, bakes the policy into Chrome, Firefox, Safari, and Edge so that even the very first visit never touches plaintext. Removal from the preload list takes months to propagate, so treat it as a one-way decision.
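As an added example (not code from the original page), the small model below reproduces what a browser does with this header: it parses Strict-Transport-Security, stores a policy per host with an expiry, applies the includeSubDomains rule when deciding whether an http:// URL must be upgraded, ignores the header when it was not received over HTTPS, and checks a header against the preload-list requirements. Host names, times and header values are constructed for the example; the directive semantics follow RFC 6797.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

ONE_YEAR = 31536000   # seconds; the minimum max-age hstspreload.org accepts


def parse_hsts(header: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security value into its directives (RFC 6797).

    Returns None for a malformed header (missing or non-numeric max-age),
    which a browser treats as no policy at all. Directive names are case-insensitive.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


class HstsStore:
    """A browser's per-host HSTS cache: host -> (expiry time, includeSubDomains)."""

    def __init__(self) -> None:
        self._hosts: Dict[str, Tuple[float, bool]] = {}

    def observe(self, host: str, header: str, now: float, over_https: bool) -> None:
        """Record the policy a response carried. The header is ignored on plaintext
        HTTP, since an on-path attacker could have injected it there."""
        policy = parse_hsts(header)
        if not over_https or policy is None:
            return
        if policy["max_age"] == 0:
            self._hosts.pop(host.lower(), None)      # max-age=0 revokes the policy
            return
        self._hosts[host.lower()] = (now + policy["max_age"], policy["include_subdomains"])

    def must_use_https(self, host: str, now: float) -> bool:
        """True if host, or a parent domain whose policy has includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:      # unknown host or expired policy
                continue
            if i == 0 or entry[1]:                    # exact match, or a covering parent
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """The upgrade a browser applies before any request leaves the machine."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.must_use_https(parts.hostname or "", now):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return parts._replace(scheme="https", netloc=netloc).geturl()


def preload_eligible(header: str) -> bool:
    """Header-level requirements for the hstspreload.org list: max-age of at least
    one year, includeSubDomains, and the preload directive."""
    p = parse_hsts(header)
    return bool(p and p["max_age"] >= ONE_YEAR and p["include_subdomains"] and p["preload"])


if __name__ == "__main__":
    store, now = HstsStore(), 1_700_000_000.0          # constructed clock value
    store.observe("example.com", "max-age=31536000; includeSubDomains; preload", now, over_https=True)
    print(store.rewrite("http://www.example.com/login", now))
    print(preload_eligible("max-age=31536000; includeSubDomains; preload"))
```

The includeSubDomains walk is the part worth studying: a policy on example.com covers api.example.com and www.example.com, but never example.com.evil, because only suffixes at label boundaries are consulted.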

Certificate pinning is a more aggressive technique in which a client hardcodes the expected certificate, or more commonly the hash of the expected public key (SPKI), for a server and refuses connections if the presented chain doesn't contain a match. It is used in mobile apps to defeat man-in-the-middle attacks even when a rogue or compromised CA has issued a valid-looking certificate. It carries real operational risk: if you rotate the key without updating the pin, the app stops working until users update, so pin the public key rather than the leaf certificate and always ship a backup pin for a key held offline. Web browsers no longer support pinning for general sites; the HPKP header was removed after it proved too easy to lock a site out of its own domain, and browsers rely on Certificate Transparency logs instead to detect mis-issued certificates.

Let's Encrypt and free certificates

Let's Encrypt, operated by the Internet Security Research Group (ISRG), provides free DV certificates via the ACME protocol (RFC 8555). To prove control of a domain the client completes a challenge: HTTP-01 serves a CA-supplied token at /.well-known/acme-challenge/ over plain HTTP on port 80, DNS-01 publishes a TXT record at _acme-challenge.<domain> (the only option for wildcard certificates), and TLS-ALPN-01 answers on port 443 for hosts that cannot serve HTTP. Certificates are valid for 90 days and are automatically renewed by ACME clients such as Certbot, Caddy, and Traefik. Over 400 million active certificates are issued by Let's Encrypt, making it the world's largest CA by volume. Most web hosts integrate Let's Encrypt directly, so enabling HTTPS is often a single checkbox in a control panel. The 90-day validity period is intentional: it forces automation and limits the window of exposure if a private key is compromised, since revocation checking in browsers is unreliable.
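What an ACME client actually publishes for those challenges is small enough to show in full. The following is an added example (not code from the page, and not Certbot's or Let's Encrypt's own code) that computes the RFC 7638 thumbprint of the account key, the key authorization string the CA expects at the HTTP-01 path, and the TXT record value for DNS-01. The account JWK, its coordinates, and the token are constructed placeholders; the thumbprint is taken over the encoded strings, so the example does not need a real key pair.

```python
import base64
import hashlib
import json
from typing import Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME and JWS use (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the key's required members, in lexicographic
    order, serialised with no whitespace. Optional members such as kid are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the CA's token bound to the ACME account key, so only
    the account holder can answer the challenge."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response(token: str, account_jwk: dict) -> Tuple[str, str]:
    """Path the CA fetches over plain HTTP on port 80, and the body it must find there."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, account_jwk)


def dns01_record(token: str, account_jwk: dict, domain: str) -> Tuple[str, str]:
    """TXT record name and value for DNS-01 (RFC 8555 section 8.4): the SHA-256 of
    the key authorization, base64url-encoded."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


# Constructed account key: a P-256 public JWK with placeholder coordinates.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "kid": "https://acme.example/acct/1",     # ignored by the thumbprint
}
EXAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"   # constructed CA-issued token

if __name__ == "__main__":
    print(http01_response(EXAMPLE_TOKEN, ACCOUNT_JWK))
    print(dns01_record(EXAMPLE_TOKEN, ACCOUNT_JWK, "example.com"))
```

The binding to the account key is the security property: a token alone is useless to anyone who intercepts it, because the CA also checks the thumbprint half against the key that signed the ACME request.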

How to inspect a site's TLS certificate in a browser

In Chrome or Edge, click the padlock icon (or the "tune" icon) in the address bar, then select "Connection is secure" and "Certificate is valid." In Firefox, click the padlock, then "More information" and "View Certificate." You can verify the issuer, validity period, subject alternative names (which domains the certificate covers), and the signature algorithm. The Security tab in the browser's DevTools also shows the TLS version and cipher suite negotiated for the current connection. Outside the browser, openssl s_client -connect example.com:443 -servername example.com prints the same certificate chain and negotiated parameters from the command line.

Frequently Asked Questions

What does the padlock in the browser address bar mean?

The connection is encrypted via HTTPS with a valid TLS certificate. Your ISP and network observers can see the domain you connected to but cannot read the page content, URLs, cookies, or form data. Note: a padlock means the connection is encrypted and the certificate matches the domain, not that the site itself is trustworthy; a phishing site obtains a DV certificate as easily as any other.

Does HTTPS slow down websites?

Negligibly on modern hardware. TLS 1.3 adds one round trip on the first connection, hardware acceleration (AES-NI and its ARM equivalents) handles encryption with minimal CPU overhead, and session resumption removes most of the handshake cost on reconnects. Total impact is well under 1% of page load time.

How do I get HTTPS for my website?

Install a TLS certificate; Let's Encrypt provides free, automatically renewing DV certificates. Configure your server to redirect all HTTP requests to HTTPS with a 301 redirect, update any http:// resource references in your pages so the site is free of mixed content, and then add a Strict-Transport-Security header so that future visits use encrypted connections from the first request.
