🔒Security

HTTPS and TLS Certificates: What They Actually Guarantee

HTTPS means the site is secure — that's what most people believe. It's partially true. Here's what HTTPS actually protects and what you might still be wrong about.

EKBy Elena Kovac · Security & Privacy AnalystJanuary 28, 20266 min read

Free to read

The browser padlock icon created a myth: padlock = safe. Security trainers have been trying to undo this for a decade. Here's what the padlock actually tells you.

What HTTPS Guarantees

Two things, precisely.

First: your connection to the server is encrypted. Data in transit can't be read by eavesdroppers — your ISP, someone on the same Wi-Fi, a network device in between. This is the meaningful protection most people intuitively understand.

Second: the certificate was issued to the domain you're connecting to by a certificate authority your browser trusts. This means the server is very likely the legitimate operator of that domain.

What HTTPS Does Not Guarantee

Whether the site is trustworthy. Whether it's a phishing site. Whether your data will be safely stored after it arrives. Whether the site owner is who they say they are.

In 2024, over 80% of phishing sites use HTTPS. Getting a certificate is free and takes minutes with Let's Encrypt. Attackers register legitimate-looking domains, set up HTTPS, and run convincing phishing sites.

Extended Validation vs Domain Validated Certificates

Domain Validated (DV) certificates — which is what most sites use — only verify domain ownership. No identity verification beyond 'this person controls the DNS of this domain.' Extended Validation (EV) certificates required rigorous identity verification of the organization. Browser vendors removed prominent EV certificate display in 2019 because research showed users didn't use it to make security decisions. Most sites use DV certificates today, including major banks and financial institutions.

Certificate Expiration: Why Sites Break

HTTPS certificates expire — usually after 90 days (Let's Encrypt) or 1 year (commercial certificates). When a certificate expires and isn't renewed, browsers show a scary warning page and many users can't proceed. This is intentional — it's better to show a warning than silently allow an expired certificate that might indicate an abandoned or compromised site. If you run a site, set up automatic certificate renewal. If you see an expired certificate warning on a site you trust, contact the site administrator — their auto-renewal probably failed.

Generate SHA-256 hash to verify file integrity →

Frequently Asked Questions

What does HTTPS actually protect?+

HTTPS provides two guarantees. First, encryption: the data transmitted between your browser and the server is encrypted, so someone intercepting the traffic (on your network, at your ISP, between servers) sees encrypted data they can't read. Second, authentication: your browser has verified that the server's certificate was issued by a trusted certificate authority, confirming the server is (probably) who it claims to be. What HTTPS doesn't protect: it says nothing about whether the website owner is trustworthy, whether the site is malicious, or whether your data is safely handled after it reaches the server.

What is the difference between SSL and TLS?+

SSL (Secure Sockets Layer) was the original protocol, deprecated years ago due to security vulnerabilities. TLS (Transport Layer Security) is its successor and what 'HTTPS' actually uses today. SSL 2.0 and 3.0 are both broken. TLS 1.0 and 1.1 are deprecated. Current security requires TLS 1.2 or TLS 1.3, with 1.3 preferred for performance and security. The term 'SSL certificate' is still used colloquially to mean TLS certificate because the marketing never caught up with the technology. When someone says SSL, they mean TLS. The protocols are different but the certificates work the same way.

What is Let's Encrypt and why is it important?+

Let's Encrypt is a free, automated certificate authority that has made HTTPS accessible to everyone. Before Let's Encrypt (launched 2015), getting an HTTPS certificate cost $50-300/year and involved a manual validation process. Let's Encrypt issues free certificates that auto-renew every 90 days, with no manual intervention required once configured. This transformed HTTPS from something large companies did to something any site can have. The HTTPS adoption rate went from under 40% of web traffic in 2016 to over 90% today, largely because of Let's Encrypt eliminating the cost and complexity barrier.

Can I trust a phishing site that has HTTPS?+

Yes, and this is a critical misconception to correct. HTTPS only verifies that the connection between your browser and the server is encrypted and that the certificate belongs to the domain you're visiting. A phishing site like paypa1.com can have a completely valid, legitimate HTTPS certificate — it just certifies the connection to paypa1.com, not that paypa1.com is trustworthy. Attackers absolutely use HTTPS for phishing sites. A padlock icon means the connection is encrypted; it says nothing about whether the site owner is honest. Always verify the domain name you're on, not just the padlock.

🔧 Free Tools Used in This Guide

Sha256 Hash Generator Password Generator

Elena Kovac

Security & Privacy Analyst · 8+ years experience

Elena spent eight years as an application security analyst, auditing document-handling pipelines and password hygiene at mid-market firms. She covers PDFs, password generation, file-processing privacy, and the trade-offs between convenience and safety online.

View all posts by Elena Kovac →

Tags:

securitynetworkinghttpstls

Continue Reading

🔍

Browser Fingerprinting: Why Clearing Cookies Doesn't Make You Private

6 min read

🛡️

VPN Privacy Claims: What's True, What's Marketing

7 min read