The One Sentence Definition
HTTPS is the secure version of HTTP, the protocol your browser uses to load websites. The "S" comes from TLS (Transport Layer Security), which encrypts the connection between your browser and the website, so nobody in between can read or tamper with the data. The padlock in your address bar means TLS is active.
What HTTPS/TLS Actually Protects
- Confidentiality: Data between you and the site is encrypted. Someone snooping your network (on public WiFi, say) sees scrambled bytes, not your password or messages.
- Integrity: Data can't be altered in transit without detection. Nobody can inject content or change what you sent.
- Authentication: The site presents a certificate proving it really is the domain it claims. This is what stops a network attacker from silently impersonating your bank (the man-in-the-middle defence).
Together, these are why HTTPS killed the old era of password-sniffing on shared networks. It's foundational to modern web security, and why browsers now label plain HTTP sites "Not Secure".
How It Works (Briefly)
When you connect, your browser and the server perform a TLS handshake: they verify the server's certificate (issued by a trusted Certificate Authority), agree on encryption keys, and switch to an encrypted channel. From then on, everything is scrambled with keys only the two of you hold. The certificate is the trust anchor: it's how your browser knows it's really talking to the genuine site and not an impostor.
The critical nuance: HTTPS proves the connection is encrypted and that you're talking to whoever owns that exact domain. It does NOT prove that whoever owns the domain is honest.
Why the Padlock Isn't a Safety Guarantee
This trips up almost everyone. Most phishing sites use HTTPS. Free certificates are easy to get, so paypa1-secure.com can show a perfectly valid padlock while stealing your password. The padlock means "your connection to this site is encrypted", not "this site is trustworthy". Two lessons follow:
- Check the domain, not just the padlock. Encryption to a scam site is still a scam. Read the actual domain name carefully (our phishing guide trains this).
- Absence of the padlock is a hard stop. "Not Secure" on a login page means never enter credentials there. Presence of the padlock is necessary, not sufficient.
Where You Rely on It
- Every login, payment, and form submission should be over HTTPS, always.
- It's what makes public WiFi survivable (our public WiFi guide).
- It protects the Base64-encoded credentials in things like Basic Auth, which are otherwise readable.
- It underpins the certificate trust that makes browsing safe from network impersonation.
Frequently Asked Questions
Is HTTP still dangerous in 2026?
For anything sensitive, yes. Plain HTTP sends everything in cleartext, readable and alterable by anyone on the network path. Modern browsers warn against it, and most of the web has moved to HTTPS. Never log in or enter payment details on an HTTP page.
Does the padlock mean a website is safe?
No, and this is the single most important misconception. The padlock means encrypted connection to that domain, nothing about the site's honesty. Phishing sites routinely have padlocks. Judge safety by the domain name and your trust in the operator, not the lock icon.
What's the difference between HTTPS, TLS, and SSL?
HTTPS is HTTP running over TLS. TLS is the encryption protocol. SSL is TLS's older, now-deprecated predecessor; people still say "SSL certificate" out of habit, but the technology is TLS. Practically, they refer to the same padlock-in-the-browser security.
Can HTTPS be intercepted?
Properly implemented HTTPS resists network interception because of the certificate check and encryption. It can be undermined by a rogue certificate authority, malware installing a fake root certificate on your device, or you clicking through a certificate warning. Never bypass a "connection not private" warning: that's the protection doing its job.
Do I need HTTPS on my own website?
Yes, universally. It's free (Let's Encrypt), expected by browsers (which flag its absence), required for modern features, and a mild SEO factor. Any site handling logins or forms, and really every site, should be HTTPS. Our WordPress security guide lists it among the basics.