What is HTTPS?

HTTPS (Hypertext Transfer Protocol Secure) is a protocol that encrypts data between your web browser and a web server.


Learning Objectives

After reading this article you will be able to:

  • Define HTTPS
  • Understand how HTTPS secures data between users and servers
  • Tell the difference between HTTP and HTTPS
  • Know why HTTPS is important for website security
  • Learn how to get HTTPS on a website

HTTPS stands for Hypertext Transfer Protocol Secure. It's the secure version of HTTP, the protocol that transmits data between your web browser and a website. Unlike HTTP, HTTPS encrypts the data being sent, so it's private and can't be easily snatched by bad guys. This is important for sensitive data like login credentials, payment info and personal details.

How HTTPS Works

HTTPS uses encryption through SSL (Secure Sockets Layer) or TLS (Transport Layer Security). When you visit a website with an HTTPS URL, a secure connection is established between your web browser and the web server. With regular HTTP, your most sensitive information is more susceptible to being intercepted and read.

[Image: A browser URL bar showing a secure HTTPS URL]

Encryption turns plain text into unreadable text. So, even if someone intercepts the data, they can't read its content.

This is done by using a pair of keys – one public and one private. The web server shares its public key with your browser, and the private key stays on the server. The encryption and decryption process ensures only the server can decode the data sent by your browser, and your browser can only decrypt data sent from the server. These keys are created when you purchase or generate an SSL/TLS Certificate, which we will touch on later.

[Image: Data being encrypted between a web server and a user's web browser]

What happens if a website doesn't have HTTPS?

HTTPS is necessary to prevent data from being seen or "sniffed" when transmitted over the internet. Data sent via regular HTTP is broken into packets that can be sniffed using free software, making it vulnerable to interception, especially on unsecured networks like public Wi-Fi.

With HTTPS, traffic is encrypted. Even if someone sniffs the packets, the data looks like a stream of gibberish. For example, a readable message like

"This is some text that contains sensitive information."

becomes

"e476ea040d9104d517c4dd9eb733aa867a33254d"

This encryption ensures the data is meaningless if intercepted without the right decryption key, so user privacy is protected.

What port does HTTPS use?

HTTPS uses port 443. Ports are virtual points where network connections start and end, and data is sent and received. When you visit an HTTPS site, the data is sent over an encrypted connection through port 443. HTTP uses port 80, and its traffic is not encrypted. Using port 443 with HTTPS creates a secure channel between the client computer (your web browser) and the web server.

History of HTTPS

HTTPS was introduced in the 1990s when SSL was developed to secure web communication. Since then, it has evolved to include TLS, which provides stronger encryption and security.

HTTPS adoption has grown a lot in recent years. Google Chrome has started marking HTTP sites as “Not Secure” to encourage website owners to use HTTPS.

How do you know if a site is using HTTPS?

Not sure how to tell whether a site you're on is truly safe? Here are a few indicators that the site is using HTTPS:

  • "https://" appears at the front of the URL – if the website address you're on begins with https://, you're on an encrypted, secure website.
  • There is a security padlock symbol in the browser's URL bar – a padlock icon in your web browser means that the site has an SSL/TLS certificate. This verifies that the site you're on is legitimate.

How do you start using HTTPS with a website?

To start using HTTPS, a website needs to get an SSL/TLS certificate, which is the foundation of the encrypted connection. The process starts by getting this certificate from a trusted Certificate Authority (CA). The certificate verifies the website's identity and its legitimacy so users can trust that the connection is indeed with the intended site and not an imposter. The certificate will contain the public key for decryption.

Once the certificate is obtained, it needs to be installed on the web server. This step involves uploading the certificate file and configuring the server to use it, which can vary depending on the type of server and hosting environment. After installation, the website owner needs to configure the server to force all traffic to go through HTTPS, which often involves setting up server rules to automatically redirect HTTP to HTTPS.
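
One way to implement and verify the HTTP-to-HTTPS redirect described above, as an added example that is not part of the original article: a local plain-HTTP listener that answers every request with a permanent redirect, plus a check that flags a server still answering over HTTP. The hostname `example.test`, the handler classes and the function names are assumptions made for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SITE = "example.test"  # constructed hostname for this example

class RedirectToHTTPS(BaseHTTPRequestHandler):
    """Plain-HTTP listener that serves no content, only a redirect."""
    def do_GET(self):
        # Target comes from configuration, not the request's Host header.
        self.send_response(301)
        self.send_header("Location", f"https://{SITE}{self.path}")
        self.send_header("Content-Length", "0")
        self.end_headers()

    log_message = lambda self, *args: None  # keep the demo quiet

class ServesPlainHTTP(RedirectToHTTPS):
    """Misconfigured listener: answers over HTTP instead of redirecting."""
    def do_GET(self):
        self.send_response(200)
        self.end_headers()

def check_redirect(port, path, host="127.0.0.1"):
    """Request `path` over plain HTTP and judge the response."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": SITE})
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location", "")
    finally:
        conn.close()
    if status not in (301, 308):
        return f"FAIL: status {status} is not a permanent redirect"
    if location != f"https://{SITE}{path}":
        return f"FAIL: unexpected redirect target {location!r}"
    return "OK"

def run_check(handler, path="/login?next=/account"):
    """Start `handler` on a free local port and check its redirect."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_redirect(server.server_port, path)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_check(RedirectToHTTPS), "|", run_check(ServesPlainHTTP))
```

The check requires the redirect to keep the original path and query string, so a visitor who follows an old HTTP link lands on the same page over HTTPS.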