HTTPS and SSL Explained: What the Padlock Actually Means
Every time you visit a website, your browser displays a small padlock icon — or, on insecure sites, a warning. You probably know the padlock means something good and the warning means something bad. But what’s actually happening underneath, and why does it matter for your security?
HTTP vs. HTTPS: The Difference
HTTP (Hypertext Transfer Protocol) is the protocol your browser uses to request and receive web pages. It works, but it has one significant problem: all data travels in plaintext. Anyone between you and the website (your ISP, someone on the same Wi-Fi network, or a network device along the route) can read everything, and can silently alter it on the way through: the page content, what you type into forms, login credentials, everything.
HTTPS is HTTP with encryption layered on top. The “S” stands for Secure. When you connect to an HTTPS site, your browser and the server establish an encrypted channel before any data is exchanged. Traffic is scrambled in transit, unreadable to anyone who intercepts it, and tamper-evident: a packet that has been modified in transit is rejected rather than quietly accepted. The channel also authenticates the server, which is what the certificate discussed below is for.
SSL and TLS: The Same Thing, Different Eras
You’ll hear both “SSL” and “TLS” used to describe web encryption. They refer to the same family of protocols:
SSL (Secure Sockets Layer) was the original protocol, developed by Netscape in the 1990s. SSL 1.0 was never released publicly; SSL 2.0 and 3.0 shipped, turned out to have serious design flaws, and are now formally prohibited (RFC 6176 and RFC 7568).
TLS (Transport Layer Security) is the modern successor. TLS 1.0 and 1.1 have been deprecated since 2021 (RFC 8996); TLS 1.2 and TLS 1.3 are what websites actually use today. TLS 1.3, published in 2018 as RFC 8446, is the current standard: it establishes a connection in one round trip instead of two, removes the weak algorithms and options that made earlier versions exploitable, and encrypts more of the handshake itself.
Despite this, “SSL” became the common shorthand for web encryption, and the industry largely kept using it. When someone says “SSL certificate” or “SSL encryption,” they almost always mean modern TLS. The terms are used interchangeably in most contexts.
How HTTPS Actually Works
When your browser connects to an HTTPS website, a process called the TLS handshake happens in milliseconds:
1. Hello Your browser sends a ClientHello listing the TLS versions and cipher suites it supports, the name of the site it wants (the Server Name Indication, sent in the clear) and its half of a fresh key exchange. The server replies with its choices, its own half of the key exchange and its SSL/TLS certificate.
2. Certificate verification Your browser examines the certificate. It checks:
- Is this certificate for the domain you’re visiting? (prevents impersonation)
- Was it issued by a trusted Certificate Authority?
- Is it still within its validity period?
- Has it been revoked? (In practice browsers check this inconsistently, mostly through OCSP stapling and revocation lists they distribute themselves.)
If any check fails, your browser aborts the handshake and shows a full-page warning instead of the site.
3. Key exchange The two halves of the key exchange (ephemeral Diffie-Hellman in TLS 1.3) combine into a session key that only your browser and the server know; an observer who saw both halves on the wire still cannot compute it. The server proves it is the legitimate owner of the verified certificate by signing the handshake with the certificate's private key. Asymmetric cryptography (public/private key pairs) is used only for this step; the actual data transfer uses much faster symmetric encryption with the agreed session key.
4. Encrypted communication begins All subsequent traffic is encrypted and integrity-protected with the session key. Even if someone captures the data packets, they see unreadable ciphertext, and any packet they alter is detected and discarded.
What SSL/TLS Certificates Are
A certificate is a digital document that proves a website’s identity. It contains:
- The domain name it’s valid for
- The organization it was issued to (for some certificate types)
- The issuing Certificate Authority (CA)
- The certificate’s validity period
- A public key used in the encryption process
- The issuing CA's digital signature over all of the above, which is what your browser actually checks
Certificates are issued by Certificate Authorities — organizations that verify the identity of websites and vouch for their certificates. Your browser and operating system come pre-loaded with a list of trusted CAs (like DigiCert, Sectigo, and Let’s Encrypt). When a website presents a certificate signed by a trusted CA, your browser accepts it.
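The handshake steps above and the certificate fields in this section, as one added example in Go (not code from the article): a throwaway root CA with the assumed name "Example Test Root CA" issues a certificate for the made-up host example.test, BrowserChecks reproduces the browser's step-2 verification for the right host, a wrong host, an issuer the browser has never heard of and a clock 91 days on, and Handshake runs a real TLS 1.3 handshake between a client and a server in the same process over an in-memory pipe. Every key and certificate is generated at run time, so nothing is contacted and it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// sign generates a fresh P-256 key, fills tmpl and signs it with parent (self-signed when parent is nil).
func sign(tmpl *x509.Certificate, parent *tls.Certificate) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	issuer, issuerKey := tmpl, any(key)
	if parent != nil {
		issuer, issuerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// NewPKI makes a self-signed root (an assumed placeholder for one entry in the browser's trust store) and has it
// sign a server certificate with the fields the article lists: domain (DNSNames), issuer, validity window, public key.
func NewPKI(host string, notBefore, notAfter time.Time) (ca, leaf tls.Certificate, err error) {
	ca, err = sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil)
	if err != nil {
		return ca, leaf, err
	}
	leaf, err = sign(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, &ca)
	return ca, leaf, err
}

// BrowserChecks reproduces step 2: is the certificate for this host, issued by a CA in roots, and inside its
// validity period at time now? x509.Verify does no CRL/OCSP lookup, so the revocation check is not covered here.
func BrowserChecks(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, CurrentTime: now})
	switch e := err.(type) {
	case nil:
		return "ok"
	case x509.HostnameError:
		return "wrong host"
	case x509.UnknownAuthorityError:
		return "untrusted issuer"
	case x509.CertificateInvalidError:
		if e.Reason == x509.Expired {
			return "outside validity period"
		}
	}
	return "other: " + err.Error()
}

// Handshake runs steps 1 to 4 between an in-process client and server over an in-memory pipe. The client
// trusts only roots and expects serverName, exactly as a browser does after you type https://serverName/.
func Handshake(leaf tls.Certificate, roots *x509.CertPool, serverName string) (tls.ConnectionState, error) {
	cliEnd, srvEnd := net.Pipe()
	defer cliEnd.Close()
	defer srvEnd.Close()
	cliEnd.SetDeadline(time.Now().Add(5 * time.Second)) // a stuck handshake fails instead of hanging
	srvEnd.SetDeadline(time.Now().Add(5 * time.Second))
	server := tls.Server(srvEnd, &tls.Config{Certificates: []tls.Certificate{leaf},
		MinVersion: tls.VersionTLS13, SessionTicketsDisabled: true})
	done := make(chan error, 1)
	go func() { done <- server.Handshake() }()
	client := tls.Client(cliEnd, &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS13})
	if err := client.Handshake(); err != nil {
		return tls.ConnectionState{}, err
	}
	return client.ConnectionState(), <-done // Version, CipherSuite and the verified PeerCertificates
}

func main() {
	now := time.Now()
	ca, leaf, err := NewPKI("example.test", now.Add(-time.Hour), now.AddDate(0, 0, 90))
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.Leaf)
	fmt.Println("https://example.test/ :", BrowserChecks(leaf.Leaf, roots, "example.test", now))
	fmt.Println("https://evil.test/    :", BrowserChecks(leaf.Leaf, roots, "evil.test", now))
	fmt.Println("91 days later         :", BrowserChecks(leaf.Leaf, roots, "example.test", now.AddDate(0, 0, 91)))
	st, err := Handshake(leaf, roots, "example.test")
	fmt.Println("handshake:", err, tls.CipherSuiteName(st.CipherSuite), len(st.PeerCertificates), "cert(s)")
}
```

Note what the client is given: only the CA certificate, never the leaf. Trust flows from the root in the trust store down to the server's certificate through the CA's signature, and a certificate for example.test is useless to a server answering as evil.test because the name check fails before any key exchange completes. Revocation is the one step-2 check the example leaves out; browsers bring their own machinery for that.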
Types of Certificates
Domain Validation (DV): The CA verifies only that the applicant controls the domain. Quick to issue, often free. Provides encryption but doesn’t verify anything about the organization behind the site.
Organization Validation (OV): The CA verifies domain ownership plus basic organizational information. Requires more documentation. Shows company details in the certificate.
Extended Validation (EV): The most rigorous verification, with thorough identity checks of the organization. Browsers used to display the company name in the address bar for EV certificates but dropped that indicator in 2019, so to the user an EV site now looks the same as a DV one.
For personal sites and most businesses, DV certificates (like those from Let’s Encrypt) are perfectly appropriate.
Let’s Encrypt: Free Certificates for Everyone
Before Let’s Encrypt opened to the public in late 2015, a certificate was a paid product, typically $50–$300/year, which kept many sites on HTTP. Let’s Encrypt, run by the non-profit Internet Security Research Group with sponsorship from major tech companies, changed this by issuing free DV certificates through a fully automated protocol (ACME, RFC 8555).
Today Cloudflare, Netlify, Vercel and virtually all modern hosting platforms provision and renew certificates automatically (often from Let’s Encrypt, sometimes from other CAs). HTTPS is now effectively free and automatic for any website, so there is no excuse for running HTTP-only sites. The one operational caveat: Let’s Encrypt certificates are valid for 90 days, so renewal must be automated, and a site whose renewal job has silently stopped produces exactly the browser warning described later in this article.
What HTTPS Does and Doesn’t Protect
HTTPS protects:
- Data in transit between your browser and the server
- Login credentials and form submissions from interception
- The content of pages you view from passive network observers
HTTPS does not protect:
- The fact that you visited a site (your DNS resolver sees the lookup; your ISP sees the server’s IP address and the Server Name Indication at the start of the handshake; encrypted DNS and Encrypted Client Hello narrow this but are not yet universal)
- The website itself from being hacked at the server level
- You from a malicious website — phishing sites use HTTPS too
- Your data once it reaches the server — how it’s stored and used is the server’s business
This last point trips people up: the padlock means the connection is encrypted, not that the website is trustworthy or safe. A convincing phishing site can have a valid HTTPS certificate. Always verify the domain name, not just the padlock.
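The first bullet in the "does not protect" list, shown in an added Go example (not code from the article): a TLS client is told to connect to the assumed host bank.example, its ClientHello is captured from an in-memory pipe before anyone answers, and a small bounds-checked parser pulls the host name out of the server_name extension without any key at all, because that part of the handshake travels in the clear. Nothing is contacted; the host name is invented.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
	"time"
)

// cursor is a bounds-checked reader over a byte slice; every method fails closed on short or bogus input.
type cursor struct {
	b   []byte
	err error
}

func (c *cursor) take(n int) []byte {
	if c.err != nil || n < 0 || len(c.b) < n {
		c.err = errors.New("clienthello: truncated or malformed")
		return nil
	}
	v := c.b[:n]
	c.b = c.b[n:]
	return v
}

func (c *cursor) uint(width int) int { // big-endian length field of 1 or 2 bytes
	v := c.take(width)
	if v == nil {
		return 0
	}
	if width == 1 {
		return int(v[0])
	}
	return int(binary.BigEndian.Uint16(v))
}

// ServerNameFromClientHello walks a ClientHello record (RFC 8446 section 4.1.2) to its extensions and
// returns the host_name from the server_name extension (type 0). Nothing is decrypted: it is all plaintext.
func ServerNameFromClientHello(rec []byte) (string, error) {
	c := &cursor{b: rec}
	if hdr := c.take(5); hdr == nil || hdr[0] != 0x16 { // record type 22 = handshake
		return "", errors.New("not a TLS handshake record")
	}
	if hs := c.take(4); hs == nil || hs[0] != 0x01 { // handshake type 1 = ClientHello
		return "", errors.New("not a ClientHello")
	}
	c.take(2 + 32)    // legacy_version + random
	c.take(c.uint(1)) // legacy_session_id
	c.take(c.uint(2)) // cipher_suites
	c.take(c.uint(1)) // legacy_compression_methods
	ext := &cursor{b: c.take(c.uint(2))}
	for ext.err == nil && len(ext.b) > 0 {
		typ := ext.uint(2)
		body := &cursor{b: ext.take(ext.uint(2))}
		if typ != 0 {
			continue
		}
		body.uint(2) // server_name_list length
		for body.err == nil && len(body.b) > 0 {
			nameType := body.uint(1)
			name := body.take(body.uint(2))
			if nameType == 0 && name != nil { // name_type 0 = host_name
				return string(name), nil
			}
		}
	}
	if c.err != nil || ext.err != nil {
		return "", errors.New("clienthello: truncated or malformed")
	}
	return "", errors.New("no server_name extension")
}

// CaptureClientHello starts a TLS client that believes it is connecting to serverName and returns the
// first record it writes; nobody answers on the pipe, so the handshake fails once the pipe is closed.
func CaptureClientHello(serverName string) ([]byte, error) {
	cliEnd, srvEnd := net.Pipe()
	defer cliEnd.Close()
	defer srvEnd.Close()
	srvEnd.SetDeadline(time.Now().Add(5 * time.Second))
	client := tls.Client(cliEnd, &tls.Config{ServerName: serverName})
	go func() { _ = client.Handshake() }()
	hdr := make([]byte, 5) // type(1) + version(2) + length(2)
	if _, err := io.ReadFull(srvEnd, hdr); err != nil {
		return nil, err
	}
	body := make([]byte, binary.BigEndian.Uint16(hdr[3:]))
	if _, err := io.ReadFull(srvEnd, body); err != nil {
		return nil, err
	}
	return append(hdr, body...), nil
}

func main() {
	rec, err := CaptureClientHello("bank.example") // assumed host name; nothing is ever contacted
	name, perr := ServerNameFromClientHello(rec)
	fmt.Printf("capture err=%v, %d bytes on the wire, server_name=%q (parse err=%v)\n", err, len(rec), name, perr)
}
```

Anyone on the path can run the same parse on the first packet of every connection, which is exactly what ISPs and corporate firewalls do. Encrypted Client Hello and DNS over HTTPS close this gap when both ends support them, but the destination IP address remains visible to the network regardless.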
Mixed Content: When HTTPS Goes Wrong
A page served over HTTPS that loads resources (images, scripts, iframes) over HTTP has a “mixed content” problem. The HTTP resources can be intercepted and tampered with, and a tampered script runs with the full privileges of the HTTPS page, undermining the page’s security.
Modern browsers block active mixed content (scripts, stylesheets, iframes) outright and either upgrade or block passive content such as images and media. If you’re building a website, ensure all resources (fonts, images, scripts, API calls) use HTTPS URLs.
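An added Go example (not code from the article) of both halves of that advice: FindMixedContent scans a constructed sample page for http:// scripts, images and frames (plain links are deliberately ignored, since navigating to HTTP is not mixed content, loading from it is), and UpgradeInsecureRequests is a middleware that adds the Content-Security-Policy: upgrade-insecure-requests directive, which tells browsers to fetch those subresources over HTTPS while the markup is being fixed. All hostnames are invented and the page is served in memory.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// insecureSubresource matches elements whose fetched URL a browser treats as mixed content when it is http://.
// Plain <a href> links are deliberately absent: navigating to HTTP is not mixed content, loading from it is.
var insecureSubresource = regexp.MustCompile(
	`(?is)<(script|img|iframe|link|video|audio|source|embed|object)\b[^>]*?\s(?:src|href|data)\s*=\s*["']?(http://[^"'\s>]+)`)

// FindMixedContent returns the http:// URLs an HTTPS page would try to load as scripts, images, frames and so on.
// It is a deliberately small regexp scan for review pipelines, not a full HTML parser.
func FindMixedContent(html string) []string {
	var urls []string
	for _, m := range insecureSubresource.FindAllStringSubmatch(html, -1) {
		urls = append(urls, m[2])
	}
	return urls
}

// UpgradeInsecureRequests wraps a handler so every response carries the CSP directive that makes browsers
// fetch http:// subresources over https:// instead, a backstop while the markup itself is being fixed.
func UpgradeInsecureRequests(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Security-Policy", "upgrade-insecure-requests")
		next.ServeHTTP(w, r)
	})
}

// samplePage is a constructed page (invented hostnames) with two insecure subresources and one plain link.
const samplePage = `<!doctype html>
<html><head>
<link rel="stylesheet" href="https://cdn.example/site.css">
<script src="http://cdn.example/analytics.js"></script>
</head><body>
<a href="http://partner.example/">partner</a>
<img alt="logo" src='http://static.example/logo.png'>
<iframe src="https://embed.example/widget"></iframe>
</body></html>`

// ServeSample serves samplePage through the middleware in memory and returns the CSP header and body
// a browser would receive.
func ServeSample() (csp string, body string) {
	h := UpgradeInsecureRequests(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		fmt.Fprint(w, samplePage)
	}))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "https://www.example/", nil))
	return rec.Header().Get("Content-Security-Policy"), rec.Body.String()
}

func main() {
	csp, body := ServeSample()
	fmt.Println("Content-Security-Policy:", csp)
	for _, u := range FindMixedContent(body) {
		fmt.Println("mixed content:", u)
	}
}
```

The scanner misses URLs assembled in JavaScript and CSS url() references, which is why the header-based upgrade is the safer backstop: the browser applies it to every fetch the page makes, however the URL was built. Fixing the markup is still the real solution, since a resource that has no HTTPS endpoint will simply fail to load after the upgrade.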
Why This Matters for Everyday Use
On public Wi-Fi: HTTPS protects your data even on untrusted networks. Your coffee shop browsing on HTTPS sites is encrypted. HTTP sites expose everything to anyone on the network.
For login forms: Never enter credentials on a page without HTTPS. Legitimate services don’t ask you to.
For online shopping: Your card details are protected in transit when HTTPS is present. This doesn’t mean the site storing your data is secure — but transit-level protection is the baseline expectation.
When you see a browser warning: Take it seriously. A full-page warning such as Chrome’s “Your connection is not private” means certificate validation failed; possible reasons include an expired certificate, a certificate that doesn’t cover the name you typed, a misconfigured server, a captive portal or corporate proxy intercepting traffic, or an active attack. Don’t proceed, especially on a site where you’d enter sensitive information.
HTTPS is the foundation of web security. Understanding what it actually provides — encrypted transit, not guaranteed trustworthiness — helps you make better decisions online and explains why security advice consistently prioritizes it as a baseline requirement.
Written by Marcus Thorne
Software analysis and cybersecurity tips
A former software engineer, Marcus transitioned into tech journalism to explain complex digital concepts in simple terms.