How HTTPS Actually Works (The Non-Technical Explanation That's Still Accurate)
The padlock in your browser represents a surprisingly elegant system. Here's how TLS encryption works, what certificates are, and what HTTPS actually protects.
8 min read | November 18, 2025 | Updated January 30, 2026 | By FreeToolKit Team
Frequently Asked Questions
What's the difference between SSL and TLS?
SSL (Secure Sockets Layer) is the original protocol, now deprecated and insecure. TLS (Transport Layer Security) is the modern replacement. SSL 3.0 was broken by the POODLE attack in 2014. TLS 1.0 and 1.1 have vulnerabilities. The current secure standard is TLS 1.2 (minimum) or TLS 1.3. When people say 'SSL certificate' they almost always mean a TLS certificate — the terminology stuck even after SSL was replaced. If a server is using SSL or TLS 1.0, modern browsers will warn users or refuse the connection.
Does HTTPS mean a website is safe?
HTTPS means the connection is encrypted — data in transit is protected from eavesdropping. It does not mean the website is trustworthy or legitimate. Phishing sites can have valid HTTPS certificates. Scam websites have HTTPS. Malware distribution sites have HTTPS. The certificate proves the domain is who it claims to be (not a man-in-the-middle), but it says nothing about the site's legitimacy or whether its operators are honest. The padlock is a connection security indicator, not a site trustworthiness indicator.
Why is HTTP without the S bad?
Without HTTPS, all data between your browser and the server is transmitted in plaintext. Anyone on the same network — at a coffee shop, on a corporate network, at an ISP — can read the traffic. This includes login credentials, form submissions, cookies, and the content of pages you view. Your ISP can also inject ads into unencrypted HTTP traffic (this has been documented as a practice). For modern websites, there's no legitimate reason to serve content over HTTP. Let's Encrypt provides free TLS certificates, making the cost excuse obsolete.
What is a certificate authority?
A Certificate Authority (CA) is an organization that browsers trust to verify website identities. When a site gets a TLS certificate, its operators prove to the CA that they control the domain (usually via DNS records or file upload). The CA signs the certificate with its private key. Browsers come with a built-in list of trusted CAs. When you visit a site, your browser checks the certificate chain — the site's certificate must be signed by a CA your browser trusts. If someone tried to intercept your traffic with a fake certificate, it wouldn't be signed by a trusted CA and your browser would show a security warning.
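The two client-side protections described in the answers above (TLS 1.2 as the minimum version, and a certificate that chains to a trusted CA and matches the hostname) can be checked in code. The following is an added Python example, not part of the original article; the function names are hypothetical and the weak context is constructed only to show what the audit reports.

```python
import socket
import ssl

MIN_TLS = ssl.TLSVersion.TLSv1_2  # the minimum version the article names


def hardened_client_context():
    """Client context that trusts the system CA store and refuses TLS < 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check + system CAs
    ctx.minimum_version = MIN_TLS
    return ctx


def weak_client_context():
    """Deliberately weak settings, constructed to show what the audit flags."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be disabled before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE  # any certificate passes, trusted CA or not
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx):
    """Return one finding per protection that ctx has switched off."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified against trusted CAs")
    if not ctx.check_hostname:
        findings.append("certificate is not matched to the requested hostname")
    if ctx.minimum_version < MIN_TLS:
        findings.append("protocol versions older than TLS 1.2 are allowed")
    return findings


def probe(host, port=443):
    """Handshake with host using the hardened context and report the result.

    Needs network access. Raises ssl.SSLCertVerificationError when the chain
    or hostname check fails, which is the case browsers show as a warning.
    """
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"version": tls.version(),
                    "issuer": cert.get("issuer"),
                    "not_after": cert.get("notAfter")}
```

`audit_context` runs offline against any `ssl.SSLContext`, so it can be pointed at the context an application actually builds; `probe` is only for hosts you operate or are authorized to test.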