Understanding HTTPS
HTTPS (Hypertext Transfer Protocol Secure) is the encrypted version of HTTP, the protocol your browser uses to communicate with web servers. When you visit a site over HTTPS, all data exchanged between your browser and the server — page content, form submissions, cookies, and headers — is encrypted using TLS (Transport Layer Security). This prevents eavesdropping, tampering, and impersonation. Note that TLS protects the content of the exchange, not its existence: the server's IP address, the connection's timing and size, and (unless Encrypted Client Hello is in use) the hostname sent in the TLS SNI extension remain visible to anyone on the network path.
HTTPS has moved from being a feature reserved for banking and e-commerce sites to a baseline requirement for every website. Major browsers now mark HTTP sites as "Not Secure," and search engines factor HTTPS into their ranking algorithms.
HTTP vs. HTTPS
The difference between HTTP and HTTPS comes down to encryption and authentication:
- HTTP: Data is sent in plaintext. Anyone on the network path — Wi-Fi operators, ISPs, attackers — can read the full content of requests and responses. There is no verification that you are actually communicating with the intended server.
- HTTPS: Data is encrypted using TLS. Even if traffic is intercepted, it cannot be read without the encryption keys. The server presents a digital certificate that proves its identity, preventing impersonation.
Both protocols use the same underlying HTTP semantics (GET, POST, status codes, headers). HTTPS simply adds a TLS layer between TCP and HTTP, which is why it is sometimes referred to as "HTTP over TLS."
The TLS Handshake
Before any encrypted data is exchanged, the browser and server perform a TLS handshake to establish a secure connection. The modern TLS 1.3 handshake works as follows:
- Client Hello: The browser sends its supported cipher suites and a key share to the server.
- Server Hello: The server selects a cipher suite and sends its own key share; it then sends its TLS certificate, which in TLS 1.3 is already encrypted under the freshly derived handshake keys.
- Certificate Verification: The browser verifies the certificate chain against its trusted Certificate Authorities (CAs) and checks that the certificate's name matches the host it asked for; it also checks the server's signature over the handshake transcript (the CertificateVerify message), which proves the server holds the certificate's private key and not merely a copy of the public certificate.
- Key Derivation: Both sides derive shared encryption keys from the exchanged key material.
- Encrypted Communication: All subsequent data is encrypted with the negotiated keys.
TLS 1.3 completes this handshake in a single round trip (1-RTT), and supports 0-RTT resumption for returning connections, making HTTPS nearly as fast as HTTP in practice. One caveat: data sent in 0-RTT is not protected against replay, since an attacker can resend the captured first flight, so servers should accept 0-RTT only for requests that are safe to repeat (for example, idempotent GETs) and never for state-changing actions.
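The "Key Derivation" step above is where the exchanged key material turns into the keys that encrypt everything after the handshake. The following is an added example, not code from the original article: it implements the first two stages of the TLS 1.3 key schedule (RFC 8446 section 7.1) with nothing but the standard library, using HKDF over SHA-256 as AES-128-GCM cipher suites do. The shared secret and the handshake transcript are constructed placeholder bytes; in a real handshake the shared secret is the (EC)DHE output of the two key shares and the transcript is the actual ClientHello and ServerHello bytes. The two known-answer values it is checked against (the early secret and the "derived" secret for a handshake without a PSK) come from RFC 8448.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): chain HMAC blocks T(1), T(2), ... until `length` bytes."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 s7.1): the info string is the HkdfLabel structure
    uint16 length || opaque label<7..255> || opaque context<0..255>, with the label
    prefixed by the literal "tls13 "."""
    full_label = b"tls13 " + label.encode("ascii")
    hkdf_label = (
        length.to_bytes(2, "big")
        + bytes([len(full_label)]) + full_label
        + bytes([len(context)]) + context
    )
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret: bytes, label: str, transcript: bytes) -> bytes:
    """Derive-Secret = HKDF-Expand-Label(secret, label, Hash(transcript), Hash.length)."""
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)


def handshake_traffic_secrets(shared_secret: bytes, transcript: bytes, psk: bytes = b"") -> dict:
    """Walk the key schedule from the (EC)DHE shared secret to the handshake keys.

    shared_secret: the (EC)DHE output computed from the two key shares.
    transcript:    ClientHello..ServerHello bytes (public; an eavesdropper sees them).
    psk:           pre-shared key for resumption, empty for a fresh handshake.
    """
    zeros = bytes(HASH_LEN)
    early_secret = hkdf_extract(zeros, psk or zeros)          # no PSK: IKM is all zeros
    derived = derive_secret(early_secret, "derived", b"")      # empty transcript at this stage
    handshake_secret = hkdf_extract(derived, shared_secret)    # mixes in the (EC)DHE result
    c_hs = derive_secret(handshake_secret, "c hs traffic", transcript)
    s_hs = derive_secret(handshake_secret, "s hs traffic", transcript)
    # The AEAD key and IV that actually protect records are expanded from each
    # traffic secret; 16-byte key and 12-byte IV are the AES-128-GCM sizes.
    return {
        "early_secret": early_secret,
        "handshake_secret": handshake_secret,
        "client_handshake_traffic_secret": c_hs,
        "server_handshake_traffic_secret": s_hs,
        "client_write_key": hkdf_expand_label(c_hs, "key", b"", 16),
        "client_write_iv": hkdf_expand_label(c_hs, "iv", b"", 12),
        "server_write_key": hkdf_expand_label(s_hs, "key", b"", 16),
        "server_write_iv": hkdf_expand_label(s_hs, "iv", b"", 12),
    }


# Constructed placeholders (not real handshake data): the (EC)DHE output both
# sides computed, and the public ClientHello/ServerHello transcript.
SHARED_SECRET = hashlib.sha256(b"constructed ECDHE shared secret").digest()
TRANSCRIPT = b"constructed ClientHello||ServerHello bytes"


def both_sides_agree(shared_secret: bytes, transcript: bytes) -> bool:
    """Client and server run the same schedule on the same inputs and must match."""
    return handshake_traffic_secrets(shared_secret, transcript) == \
        handshake_traffic_secrets(shared_secret, transcript)


if __name__ == "__main__":
    keys = handshake_traffic_secrets(SHARED_SECRET, TRANSCRIPT)
    for name, value in keys.items():
        print(f"{name:34s} {value.hex()}")
    print("client and server agree:", both_sides_agree(SHARED_SECRET, TRANSCRIPT))
```

The point to take from the schedule is that the public transcript alone yields nothing: every traffic secret is keyed through the (EC)DHE shared secret, so an eavesdropper who captured the full handshake but not the ephemeral private keys derives different keys and cannot decrypt the records.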
Why HTTPS Matters
HTTPS is essential for three reasons:
- Security: Encryption protects sensitive data like login credentials, payment information, and personal details from interception. It also prevents attackers from injecting malicious content into pages (a common attack on public Wi-Fi networks).
- SEO: Google has used HTTPS as a ranking signal since 2014. Sites served over HTTP may be penalized in search results compared to equivalent HTTPS sites.
- Trust: Browsers display a padlock icon for HTTPS sites and a "Not Secure" warning for HTTP sites. Users have been trained to look for these indicators, and an HTTP warning can drive visitors away, especially on pages that collect any form of input.
HSTS Enforcement
Simply having a TLS certificate (still widely called an SSL certificate) is not enough — you also need to ensure that users always connect over HTTPS. The HTTP Strict Transport Security (HSTS) header tells browsers to only communicate with your site over HTTPS, even if a user types http:// or clicks an HTTP link.
A typical HSTS header looks like: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. This instructs browsers to enforce HTTPS for one year (31,536,000 seconds), to apply the policy to all subdomains, and signals that the domain may be submitted to the browser preload lists, which protect even the very first visit. Two practical checks before deploying it: browsers only honor the header when it arrives in a response over a valid HTTPS connection, so plain HTTP must already redirect to HTTPS for the policy to ever be learned; and includeSubDomains covers every subdomain, so confirm that all of them (including internal or legacy ones) are served over HTTPS first, or they will stop loading. The preload lists themselves require exactly this combination: a max-age of at least one year, includeSubDomains, and the preload directive.
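To make the rules concrete, here is an added example (not part of the original article) that models what a browser does with the header: it parses a Strict-Transport-Security value following RFC 6797, reports which preload requirements a policy fails, and keeps a small HSTS cache that ignores headers received over plain HTTP, honors includeSubDomains for child hosts, clears an entry on max-age=0, and rewrites http:// URLs to https:// for known hosts before any request is sent. The hostnames used are constructed sample values.

```python
import re
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; the minimum max-age accepted by the preload lists


def parse_hsts(header_value: str) -> dict:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Directive names are case-insensitive, max-age is mandatory, unknown
    directives are ignored, and a repeated directive makes the whole header
    invalid. Returns {} for an invalid header, which a browser discards.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age="31536000" is also legal
        if name in directives:
            return {}
        directives[name] = value
    if "max-age" not in directives or not re.fullmatch(r"\d+", directives["max-age"]):
        return {}
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def preload_problems(policy: dict) -> list:
    """List the preload-list requirements the parsed policy does not meet."""
    if not policy:
        return ["header missing or invalid"]
    problems = []
    if policy["max_age"] < ONE_YEAR:
        problems.append(f"max-age {policy['max_age']} is below one year ({ONE_YEAR})")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains directive missing")
    if not policy["preload"]:
        problems.append("preload directive missing")
    return problems


class HstsStore:
    """A minimal model of the browser's HSTS cache (no expiry timer, for brevity)."""

    def __init__(self):
        self._hosts = {}  # host -> include_subdomains flag

    def observe(self, response_url: str, header_value: str) -> bool:
        """Record the policy carried by a response. RFC 6797 section 8.1: a header
        received over an insecure transport is ignored; max-age=0 deletes the entry."""
        parts = urlsplit(response_url)
        if parts.scheme != "https":
            return False
        policy = parse_hsts(header_value)
        if not policy:
            return False
        if policy["max_age"] == 0:
            self._hosts.pop(parts.hostname, None)
        else:
            self._hosts[parts.hostname] = policy["include_subdomains"]
        return True

    def is_known(self, host: str) -> bool:
        """A host is covered directly, or via a parent that set includeSubDomains."""
        if host in self._hosts:
            return True
        labels = host.split(".")
        return any(self._hosts.get(".".join(labels[i:])) for i in range(1, len(labels)))

    def rewrite(self, url: str) -> str:
        """Upgrade an http:// URL for a known host before it ever leaves the browser
        (RFC 6797 section 8.3); an explicit port 80 becomes the default 443."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

Running it against a header of max-age=300 on its own shows all three preload problems at once, and observe() over an http:// URL returning False is the case that bites most deployments: until the HTTP listener redirects to HTTPS, no visitor ever records the policy.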
HSTS is one of several important security headers that work alongside HTTPS to harden your site. Combined with a properly configured TLS certificate and a CDN that enforces HTTPS at the edge, you can ensure that every connection to your site is encrypted end-to-end. For additional client-side protection, a well-configured Content Security Policy can prevent mixed content and other security issues.