What Is HTTPS — and What Does That Padlock Mean?

When you visit a website, your browser's address bar shows either http:// or https:// at the start of the URL. The "S" in HTTPS stands for "secure," and it signals that the connection between your browser and the website is encrypted. But what does that actually mean, and why does it matter?

This article breaks down how HTTPS works — without requiring a background in cryptography.

The Problem HTTPS Solves

When you send data over the internet, that data travels through multiple computers and networks before reaching its destination. On a plain HTTP connection, that data is unencrypted — meaning anyone with access to your network traffic (at a coffee shop Wi-Fi, for example, or at your internet service provider) could potentially read it.

Logging into a website over HTTP would expose your username and password in plaintext. HTTPS prevents this by encrypting the data so that only your browser and the destination server can read it.

The Building Blocks: TLS

HTTPS is HTTP layered on top of a protocol called TLS (Transport Layer Security). TLS does three important things:

  1. Encryption: It scrambles the data in transit so eavesdroppers see gibberish.
  2. Authentication: It verifies that you're actually talking to the website you intended to reach, not an impersonator.
  3. Integrity: It ensures data hasn't been tampered with in transit.

The TLS Handshake: How It Works Step by Step

Before any data is exchanged, your browser and the server perform a "handshake" — a rapid negotiation that sets up the encrypted channel:

  1. Client Hello: Your browser contacts the server and says, "Here are the encryption methods I support."
  2. Server Hello: The server responds with its chosen encryption method and sends its digital certificate.
  3. Certificate Verification: Your browser checks the certificate against a list of trusted Certificate Authorities (CAs) — organisations that have verified the server's identity. If the certificate is valid and trusted, the process continues.
  4. Key Exchange: Browser and server agree on a shared secret key using asymmetric (public-key) cryptography — without ever transmitting the key itself over the network.
  5. Encrypted Session Begins: All data from this point is encrypted using that shared key.

This entire handshake takes milliseconds.

What HTTPS Does Not Protect

It's important to understand HTTPS's limits:

  • It doesn't make a website trustworthy. Scam and phishing sites can and do use HTTPS. The padlock means the connection is encrypted — not that the site is legitimate.
  • It doesn't hide which website you're visiting. Your ISP or network operator can see the domain name (e.g. nkpl.info) even over HTTPS — just not the specific page or content.
  • It doesn't protect you once data reaches the server. How a website stores and handles your data after you send it is a separate matter.

Why Almost Every Website Now Uses HTTPS

For most of the web's history, HTTPS was used only by sites handling sensitive information like banking or e-commerce. That changed over the past decade for several reasons:

  • Free TLS certificates became available through services like Let's Encrypt, removing the financial barrier.
  • Major browsers (Chrome, Firefox) began marking plain HTTP sites as "Not Secure."
  • Search engines began treating HTTPS as a positive ranking signal.

Today, the vast majority of web traffic is encrypted by default — a substantial improvement in baseline privacy for ordinary users.

Key Takeaways

  • HTTPS encrypts data between your browser and a website using the TLS protocol.
  • It protects against eavesdropping and tampering in transit.
  • A padlock means the connection is encrypted — not that the site is safe or honest.
  • Free certificate services like Let's Encrypt have made HTTPS near-universal.