HTTPS and TLS

Encryption, integrity, and authentication for the web

The Three Guarantees

HTTPS is simply HTTP with a TLS (Transport Layer Security) layer underneath. It provides three guarantees:

  • Encryption: Data is encrypted in transit — eavesdroppers can't read it.
  • Integrity: Data can't be modified or corrupted in transit without detection.
  • Authentication: The server proves its identity via a certificate — you're talking to the real server, not an impersonator.

The TLS Handshake (Simplified)

Client                                        Server
   │                                              │
   │  1. ClientHello                              │
   │  "I support TLS 1.3, these ciphers..." ────▶│
   │                                              │
   │  2. ServerHello + Certificate                │
   │  "Let's use TLS 1.3 with this cipher.       │
   │   Here's my certificate to prove I'm        │
   │   example.com" ◀────────────────────────────│
   │                                              │
   │  3. Client verifies certificate              │
   │  (checks CA signature, domain match,         │
   │   expiration date)                           │
   │                                              │
   │  4. Key Exchange                             │
   │  Both sides compute a shared secret          │
   │  using Diffie-Hellman ──────────────────────▶│
   │                                              │
   │  5. Encrypted connection established         │
   │  All HTTP traffic is now encrypted ◀────────▶│
   │                                              │

After the handshake completes, all HTTP traffic flows through the encrypted channel. The URL path, headers, and body are all encrypted — a network observer can still see the server's IP address and the domain name (sent in the clear in the SNI extension of the ClientHello, unless Encrypted Client Hello is in use), but not the full URL or content.

Certificates and Certificate Authorities

A TLS certificate binds a domain name to a public key. It's issued and signed by a Certificate Authority (CA) — a trusted third party that verifies you own the domain.

  • Let's Encrypt: Free, automated certificates. Made HTTPS accessible to everyone. Used by the majority of websites today.
  • Certificate chain: Your certificate is signed by an intermediate CA, which is signed by a root CA. Browsers trust a built-in list of root CAs.
  • Certificates expire (typically 90 days for Let's Encrypt) and must be renewed — usually automated via the ACME protocol.
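The handshake diagram above and the certificate-chain bullets describe what the client actually does in step 3 and what a finished TLS 1.3 connection looks like. The following Go program is an added example, not code from the page: it builds a constructed three-tier chain (a "Demo Root CA", a "Demo Intermediate CA" and a leaf for example.com, all generated in memory with the standard library, so nothing here is a real CA or a real site), runs the client-side chain verification with deliberately wrong inputs (wrong hostname, expired, untrusted root), and then performs a real TLS 1.3 handshake over a loopback TCP socket where the server presents leaf + intermediate and the client trusts only the root. The names `issue`, `PKI`, `NewPKI`, `VerifyChain` and `Handshake` are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}
// issue generates a P-256 key plus a certificate for it: self-signed (a root CA) when parent is nil, else signed by parentKey.
func issue(cn string, dns []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo serial; real CAs use large random serials
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dns, // hostnames this certificate is valid for
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(90 * 24 * time.Hour), // 90-day lifetime, like Let's Encrypt
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// PKI is a constructed chain: root CA -> intermediate CA -> leaf certificate for example.com.
type PKI struct {
	Root, Intermediate, Leaf *x509.Certificate
	LeafKey                  *ecdsa.PrivateKey
}

func NewPKI() PKI {
	root, rootKey := issue("Demo Root CA", nil, true, nil, nil)
	inter, interKey := issue("Demo Intermediate CA", nil, true, root, rootKey)
	leaf, leafKey := issue("example.com", []string{"example.com", "www.example.com"}, false, inter, interKey)
	return PKI{root, inter, leaf, leafKey}
}

// VerifyChain is step 3: chain leaf -> intermediate -> trusted root (checking each signature), then hostname and validity at now.
func (p PKI) VerifyChain(trustedRoot *x509.Certificate, hostname string, now time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters.AddCert(p.Intermediate)
	_, err := p.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: hostname, CurrentTime: now})
	return err
}

// Handshake runs a real TLS 1.3 handshake (steps 1-5) over loopback TCP: the server sends leaf + intermediate, the client trusts only trustedRoot and expects serverName; any verification failure comes back as the error.
func (p PKI) Handshake(trustedRoot *x509.Certificate, serverName string) (tls.ConnectionState, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	serverCfg := &tls.Config{MinVersion: tls.VersionTLS13, Certificates: []tls.Certificate{
		{Certificate: [][]byte{p.Leaf.Raw, p.Intermediate.Raw}, PrivateKey: p.LeafKey}}}
	go func() {
		if conn, err := ln.Accept(); err == nil {
			defer conn.Close()
			_ = tls.Server(conn, serverCfg).Handshake() // a client that rejects the certificate shows up here as an alert
		}
	}()
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	raw, err := net.Dial("tcp", ln.Addr().String())
	check(err)
	defer raw.Close()
	client := tls.Client(raw, &tls.Config{MinVersion: tls.VersionTLS13, RootCAs: roots, ServerName: serverName})
	if err := client.Handshake(); err != nil {
		return tls.ConnectionState{}, err
	}
	return client.ConnectionState(), nil
}

func main() {
	p := NewPKI()
	fmt.Println("valid chain:   ", p.VerifyChain(p.Root, "example.com", time.Now()))
	fmt.Println("wrong hostname:", p.VerifyChain(p.Root, "other.example.net", time.Now()))
	st, err := p.Handshake(p.Root, "example.com")
	fmt.Println("handshake:", err, "| TLS 1.3:", st.Version == tls.VersionTLS13, "|", tls.CipherSuiteName(st.CipherSuite))
}
```

`VerifyChain` is exactly the work a browser does before step 4: `x509.Verify` walks from the leaf to a root in the trust store, checks each signature, the hostname against the certificate's DNS names, and the validity window at the supplied time, and returns a distinct error for each failure (`HostnameError`, `CertificateInvalidError` with reason `Expired`, `UnknownAuthorityError`). In `Handshake` the same verification happens implicitly inside `client.Handshake()` because `RootCAs` and `ServerName` are set; the returned `ConnectionState` shows the negotiated version and cipher suite from step 2 and the peer certificate chain from step 3.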

Why HTTPS Everywhere

  • Security: Prevents eavesdropping, tampering, and impersonation.
  • Privacy: ISPs and network operators can't see what pages you visit (they can see the domain but not the full URL or content).
  • Required for modern features: Service workers, geolocation, camera/mic access, HTTP/2, and many other browser APIs require HTTPS.
  • SEO: Google ranks HTTPS sites higher than HTTP sites.
  • Trust indicators: Browsers show warnings for HTTP sites ("Not Secure").