You’ve seen the padlock icon in the address bar a thousand times, and you’ve probably noticed that web addresses start with https:// instead of http://. Most people glance past it. But that tiny lock represents one of the most important pieces of plumbing on the internet — the thing that stops a stranger on your coffee-shop Wi-Fi from reading your password as it flies across the network.
The terms around it — SSL, TLS, HTTPS, certificates — get thrown around interchangeably and often confusingly. So let’s untangle them properly. By the end you’ll know exactly what’s happening when that padlock appears, why it matters for any website you put online, and where the common confusion comes from.
The problem: the internet is a public road
To understand why HTTPS exists, you have to picture what plain HTTP looks like. When your browser talks to a server over ordinary http://, the request and the response travel across the network as plain text — readable by anyone who can see the traffic.
And plenty of people can see the traffic. Your data doesn’t teleport from your laptop to the server. It hops through your Wi-Fi router, your internet provider, and a chain of network equipment in between. Any of those hops could, in principle, read what you sent.
YOU SERVER
(browser) (the website)
│ │
│ "login: john, password: hunter2" │
│ ─────── plain text, readable ────────────► │
│ │
▼ │
Wi-Fi router → ISP → other networks → ...
👀 anyone here can read every word
With plain HTTP, that login above is genuinely sitting there in the open. Three things go wrong:
- Eavesdropping — someone watching the connection can read everything: passwords, messages, card numbers.
- Tampering — someone in the middle can quietly change the data, injecting ads or malicious code into a page before it reaches you.
- Impersonation — you have no proof the server you’re talking to is really the one you wanted. A fake server could pretend to be your bank.
HTTPS exists to solve all three at once. It gives you privacy (nobody can read it), integrity (nobody can change it without you noticing), and authentication (you can verify who you’re really talking to).
So what are SSL and TLS?
Here’s the cleanest way to think about it: SSL and TLS are the lock; HTTPS is what you get when you put that lock on HTTP.
SSL (Secure Sockets Layer) was the original protocol for encrypting web traffic, created in the 1990s. Over the years it was found to have serious weaknesses, so it was replaced by TLS (Transport Layer Security) — a newer, safer protocol that does the same job but properly. SSL is, technically, dead and deprecated.
So why do people still say “SSL” everywhere? Pure habit. The name stuck. When someone says “SSL certificate” or “install SSL,” they almost always mean TLS under the hood. The modern, correct term is TLS, but the word “SSL” survives in everyday speech the way people still “dial” a phone number.
SSL is the old name, TLS is the real thing
If you take one fact from this article: the protocol that actually secures the web today is TLS. “SSL” is a legacy name people keep using out of habit. They almost never mean the literal, obsolete SSL protocol — they mean TLS. So “SSL certificate,” “SSL/TLS,” and “TLS certificate” all point at the same modern technology. Don’t let the mixed names trip you up.
And HTTPS? It’s not a separate protocol at all. HTTPS is simply HTTP running inside a TLS-encrypted connection. Same web requests and responses you already know — just wrapped in a secure tunnel so nobody in the middle can read or change them. The “S” stands for secure, and that security comes entirely from TLS.
HTTP = your web request, in the open
TLS = an encrypted tunnel
HTTPS = HTTP sent *through* the TLS tunnel
What TLS actually gives you
TLS delivers three guarantees, and it’s worth naming them clearly because each one defends against a different attack.
- Encryption (privacy). Everything between your browser and the server is scrambled into unreadable nonsense. Even if someone captures the traffic, all they see is gibberish. Only the two ends hold the key to unscramble it.
- Integrity (no tampering). TLS attaches a tamper-check to the data. If even a single byte is altered in transit, the other side detects it and rejects the message. Nobody can secretly inject or modify anything.
- Authentication (proof of identity). Before encrypting, your browser verifies that the server really is who it claims to be — using a certificate. This is the part that stops an attacker from impersonating your bank.
That last point is the one people overlook, and it’s where certificates come in.
Certificates: proving who you are
Encryption alone isn’t enough. Imagine you set up a perfectly encrypted connection — but to an attacker pretending to be your bank. The encryption is flawless and completely useless, because you’re privately whispering your password to the wrong person.
A TLS certificate solves this. It’s a digital document that proves a server genuinely owns the domain it claims. When your browser connects to example.com, the server presents its certificate, which says, in effect, “I am the legitimate example.com, and here’s proof.”
But anyone can claim anything. What makes a certificate trustworthy is who signed it. Certificates are issued by a Certificate Authority (CA) — an organization your browser and operating system already trust. The CA’s job is to verify that whoever requests a certificate for example.com actually controls example.com before issuing it.
CERTIFICATE AUTHORITY (trusted by your browser)
│ vouches for ↓
▼
example.com's certificate
│ presented to ↓
▼
Your browser: "A CA I trust signed this. OK, you're legit."
Your browser ships with a built-in list of trusted CAs. So the trust flows in a chain: you trust your browser → your browser trusts a list of CAs → a CA vouches for the website. That chain is what the padlock is quietly confirming every time it appears.
The padlock means encrypted, not 'safe'
A common misconception: the padlock proves a site is trustworthy or not a scam. It doesn’t. The padlock only confirms that the connection is encrypted and that the site holds a valid certificate for that domain. A scam site can absolutely get a free certificate and show a padlock. HTTPS protects the connection, not your judgment about who you’re connected to. Always read the domain name, not just the lock.
The TLS handshake, step by step
When you open an https:// page, a quick negotiation happens before any real data moves. It’s called the handshake, and it’s where the secure tunnel gets built. You never see it — it takes a fraction of a second — but here’s what’s going on under the hood.
BROWSER SERVER
│ │
│ 1. "Hello. Here are the encryption │
│ methods I support." │
│ ─────────────────────────────────────────────► │
│ │
│ 2. "Hello. Let's use this method. Here is │
│ my certificate (proof of identity)." │
│ ◄───────────────────────────────────────────── │
│ │
│ 3. Browser checks the certificate against │
│ its trusted CAs. ✓ valid. │
│ │
│ 4. Both sides agree on a shared secret key │
│ (without ever sending it in the open). │
│ ◄──────────────────────────────────────────► │
│ │
│ 5. From here on, everything is encrypted │
│ with that shared key. │
│ ═══════════ secure tunnel open ═══════════════ │
Walking through it in plain words:
- Client hello. Your browser reaches out and lists the encryption methods (called cipher suites) and TLS versions it understands.
- Server hello + certificate. The server picks a method both sides support and sends back its certificate as proof of identity.
- Verification. Your browser checks the certificate: Is it signed by a CA I trust? Is it for the right domain? Has it expired? If anything fails, you get that scary warning page.
- Key agreement. This is the clever part. The two sides cooperate to establish a shared secret key for this session — using math that lets them agree on a key without ever transmitting the key itself across the network. An eavesdropper watching the whole exchange still can’t derive it.
- Encrypted session. With the shared key in place, all further communication — the actual web pages, your form submissions, everything — flows through the encrypted tunnel.
The beautiful trick in step 4 is why TLS works at all: two strangers who have never met can establish a private key over a completely public channel, in full view of an eavesdropper, and the eavesdropper still ends up locked out.
A small but important nuance: symmetric vs asymmetric
The handshake uses asymmetric cryptography (a public/private key pair, tied to the certificate) to safely agree on a session key. But asymmetric math is slow, so once that shared session key exists, the actual data is encrypted with fast symmetric cryptography (one shared key for both sides). In short: slow-but-clever crypto sets things up, fast crypto does the heavy lifting. You don’t need to manage any of this — TLS handles it — but knowing the two phases exist explains why the handshake is a one-time cost at the start of a connection, not on every request.
Where HTTPS fits in your stack
If you’ve followed how a web server answers requests, here’s the practical picture: TLS sits in front of your application. The encrypted tunnel is established at the connection level, the request is decrypted, and only then does your web server or app see the plain HTTP request and respond to it. On the way back, the response is re-encrypted before it leaves the machine.
This is one reason a reverse proxy is so commonly used: it’s a natural, single place to handle TLS for everything behind it. The proxy does the encryption and decryption (often called TLS termination), and the application servers behind it can speak plain HTTP on a trusted internal network. You set up the certificate once, in one spot, instead of in every service.
Internet Reverse proxy App servers
(HTTPS in) ───TLS───► [ decrypts here ] ──plain HTTP──► [ your app ]
For static sites it’s even simpler — the same web server that serves your files also terminates TLS. Either way, the mental model is the same: encryption wraps the outside of the connection, your app logic lives on the inside.
Getting a certificate (the modern reality)
You might assume certificates are expensive or painful. They used to be. Today, getting a valid TLS certificate for a domain you control is usually free and automated. Non-profit certificate authorities issue certificates at no cost, and tooling can request, install, and automatically renew them for you so you never think about it.
The trade-off: free certificates are typically short-lived (they expire after a few months), which is why automation matters — you set up auto-renewal once and forget it. A certificate that silently expires is one of the most common causes of a sudden “your connection is not private” error on an otherwise healthy site.
Expired certificates take sites down
A certificate has an expiry date, and browsers refuse to trust an expired one — showing visitors a full-screen security warning that scares most of them away. Because expiry is silent until the day it happens, every team that runs an HTTPS site needs automatic renewal plus a calendar reminder or monitoring as a backstop. Treat “the certificate expired” as a real outage, because to your users, it is one.
There are also different types of certificates — covering a single domain, multiple domains, or a wildcard like *.example.com for all subdomains — and different validation levels. For most websites, the basic free, domain-validated certificate is exactly right. The fancier ones exist for specific business needs, not because the encryption itself is any stronger.
Why this matters for everything you build
HTTPS stopped being optional a long time ago. Browsers now mark plain http:// pages as “Not secure” right in the address bar. Search engines favor secure sites. Many modern browser features — from geolocation to service workers — simply refuse to run on an insecure connection. And users have been trained, rightly, to back away from sites without the padlock.
So if you put anything online — a blog, a portfolio, a real application — HTTPS is the baseline, not a bonus. The good news is that thanks to free certificates and automation, doing the right thing here is now easier than doing the wrong thing. There’s no longer a real excuse to ship plain HTTP.
Wrapping up
Here’s the whole picture in one place:
- Plain HTTP sends data as readable text, exposing it to eavesdropping, tampering, and impersonation by anyone along the network path.
- SSL is the old, deprecated name; TLS is the modern protocol that actually secures the web. When people say “SSL,” they almost always mean TLS.
- HTTPS is just HTTP carried inside a TLS-encrypted tunnel — same web requests, now private and tamper-proof.
- TLS provides three guarantees: encryption (privacy), integrity (no tampering), and authentication (proof of who you’re talking to).
- A certificate, signed by a trusted Certificate Authority, proves a server owns its domain — that’s the identity half of HTTPS, and it’s why the padlock alone doesn’t mean a site is “safe,” only that the connection is encrypted.
- The handshake negotiates a shared session key over a public channel without ever sending the key, then switches to fast encryption for the actual data.
- Certificates today are usually free and auto-renewable — and letting one expire is a genuine outage.
Once a request makes it safely through TLS, it lands on something that turns it into a response. A useful next distinction is between the piece that handles the connection and serving — the web server — and the piece that runs your program’s actual logic: a web server versus an application server, and why most real setups use both.