HTTPS is HTTP with encryption added, so the data traveling between your browser and a website cannot be read or tampered with by anyone in between. The S stands for secure, and it comes from a layer called TLS that scrambles the connection and verifies you are really talking to the site you think you are. Without it, passwords, payments, and page contents move in plain readable text. With it, they are protected in transit. This explainer covers how HTTPS works, what the padlock actually means, and why plain HTTP is no longer acceptable for real sites.
How HTTPS works
HTTPS wraps ordinary HTTP requests inside an encrypted channel. When your browser connects, the site presents a TLS certificate issued by a trusted authority, which proves the site owns its domain. The browser and server then agree on encryption keys through a handshake, and from that point every request and response is scrambled. An eavesdropper on the same network sees only unreadable data, not your password or the page you loaded. The connection still relies on DNS to find the server first; HTTPS secures what happens after.
HTTP versus HTTPS
| Factor | HTTP | HTTPS |
| --- | --- | --- |
| Encryption | None, plain text | Encrypted via TLS |
| Identity check | None | Certificate verifies the domain |
| Tampering | Possible in transit | Detected and prevented |
| Browser treatment | Marked not secure | Standard, no warning |
| Suitable for | Almost nothing today | Everything |
The practical takeaway is that there is no good reason to serve a public site over plain HTTP in 2026. Certificates are free and automated, and browsers actively discourage HTTP.
What the padlock really means
The padlock icon in the address bar confirms one thing: the connection is encrypted and the certificate is valid for that domain. It does not confirm the site is honest, safe, or run by who you assume. Scam sites can and do use HTTPS, because getting a certificate only proves control of a domain, not good intentions.
// what the padlock confirms, and what it does not
confirms -- traffic is encrypted, certificate is valid for the domain
does NOT confirm -- the site is legitimate or trustworthy
Treat the padlock as a baseline, not a seal of approval.
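The checks behind the padlock can be written out, as an added example that is not part of the original page. It uses Python's standard ssl module. The helper names, the simplified wildcard rule, and the sample certificates (built on reserved .example and .test names) are assumptions made for illustration.

```python
import socket
import ssl
import time

def name_matches(pattern: str, hostname: str) -> bool:
    """Simplified RFC 6125 rule: exact match, or '*' as the whole leftmost label."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def padlock_facts(cert: dict, hostname: str, now: float) -> dict:
    """Report only what validation establishes, given a getpeercert() dict."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "covers_hostname": any(name_matches(n, hostname) for n in names),
        "in_validity_window": start <= now <= end,
    }

def check_site(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check against the system trust store (needs network access)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                facts = padlock_facts(tls.getpeercert(), hostname, time.time())
                facts["protocol"] = tls.version()
                return facts
    except ssl.SSLCertVerificationError as err:
        # The condition behind a browser certificate warning: stop here.
        return {"error": err.verify_message}

# Constructed certificates in getpeercert() shape; names use reserved TLDs.
WINDOW = {"notBefore": "Jan  1 00:00:00 2026 GMT",
          "notAfter": "Apr  1 00:00:00 2026 GMT"}
REAL_CERT = {"subjectAltName": (("DNS", "shop.example"),
                                ("DNS", "*.shop.example")), **WINDOW}
LOOKALIKE_CERT = {"subjectAltName": (("DNS", "shop-example.test"),), **WINDOW}
SAMPLE_NOW = ssl.cert_time_to_seconds("Feb  1 00:00:00 2026 GMT")

if __name__ == "__main__":
    # The lookalike passes every check for its own name, just like the real site.
    print(padlock_facts(REAL_CERT, "shop.example", SAMPLE_NOW))
    print(padlock_facts(LOOKALIKE_CERT, "shop-example.test", SAMPLE_NOW))
```

Both sample certificates produce identical results for their own names, which is why the domain itself still has to be read.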
How to think about it
- Expect HTTPS everywhere. If a site asking for data is on plain HTTP, leave.
- Read the domain, not just the padlock. Phishing sites use real certificates on lookalike domains.
- Use it for your own projects. Free automated certificates make HTTPS the default, not a luxury.
- Watch for certificate warnings. A browser warning about an invalid certificate is worth heeding.
What to skip
- Do not trust the padlock as proof of legitimacy. It means encrypted, not safe.
- Do not deploy a public site on plain HTTP. Certificates are free and expected.
- Do not ignore certificate errors. They can signal a misconfiguration or an attack.
- Do not assume HTTPS hides everything. It encrypts content, but the domain you visit is still visible to the network.
FAQ
What is the difference between HTTP and HTTPS?
HTTPS is HTTP with TLS encryption layered on. It protects data in transit and verifies the site domain, while plain HTTP sends everything in readable text with no identity check.
Does the padlock mean a site is safe?
No. The padlock means the connection is encrypted and the certificate is valid for the domain. A malicious site can still use HTTPS, so it is not proof of trustworthiness.
Is HTTPS slower than HTTP?
The difference is negligible on modern hardware and networks. The encryption handshake adds a tiny amount of setup, far outweighed by the security benefit.
Do I need HTTPS for a small personal site?
Yes. Certificates are free and automated, browsers flag plain HTTP as not secure, and search engines favor HTTPS. There is no real reason to skip it.
Where to go next
Start with the underlying protocol in what HTTP is, understand how names resolve with what DNS is, and go further with how to protect your privacy online.