Short answer
HTTPS is simply HTTP sent inside a TLS-encrypted connection. TLS provides three things: confidentiality (nobody can read the traffic), integrity (nobody can alter it in transit) and identity (you are talking to the right server, verified via its certificate). What HTTPS does not do is guarantee that the site is honest, securely built or free of malware.
HTTP + TLS = HTTPS
Plain HTTP sends everything in clear text over port 80 — anyone on the path (a public WiFi, an ISP) can read and alter it. HTTPS puts HTTP on top of a TLS layer on port 443. First the client and server perform a TLS handshake that establishes an encrypted channel; then perfectly ordinary HTTP requests and responses are sent inside that channel. The difference between SSL and TLS — the two names for the protocol — is covered in SSL vs TLS.
The three things HTTPS protects
- Confidentiality: All content — URL paths, cookies, form data, responses — is encrypted. An eavesdropper sees only which domain and IP you connect to, not the content.
- Integrity: TLS detects any change to the data in transit. An ISP cannot inject ads, and an attacker cannot alter the downloaded script.
- Identity: The server's certificate is proven to have been issued to that exact domain by a trusted CA — so you know you are talking to the right server and not a man in the middle.
What is the difference between HTTP and HTTPS in practice?
| Property | HTTP | HTTPS |
|---|---|---|
| Default port | 80 | 443 |
| Encryption | None (clear text) | TLS |
| Tampering in transit | Possible | Detected |
| Server identity | Not verified | Verified via certificate |
What HTTPS does NOT guarantee
This is where it matters — because the padlock is so often misunderstood:
- That the site is honest. A phishing site can have a perfectly valid certificate. The padlock says "the connection to this server is encrypted", not "this server is trustworthy".
- That the server is securely built. HTTPS protects the traffic on the wire, but says nothing about SQL injection, weak passwords or misconfiguration on the server.
- That the content is free of malware. A file can be downloaded securely over HTTPS and still be malicious.
- That your data is safe after it reaches the server. HTTPS protects the transport, not how the server stores your data afterwards.
Always force HTTPS
Offering HTTPS is not enough if HTTP still answers — an attacker can intercept the first unencrypted visit. Redirect everything to HTTPS and signal to the browser that it must never use HTTP again with HSTS:
```nginx
# nginx — redirect HTTP to HTTPS
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
```
Then add the HSTS header (Strict-Transport-Security) in the HTTPS server block, so the browser remembers to use HTTPS automatically from then on. Browsers only honour the header when it arrives over HTTPS, so sending it on the port-80 server does nothing.
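As an added example (not CertControl's code), here is a small offline check of the two things this section asks for, run against constructed sample responses: the HTTP answer must be a permanent redirect to https on the same host, and the HTTPS answer must carry an HSTS header with a max-age of at least a year. It uses only the Python standard library; the dict shape of the responses is an assumption.

```python
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # smallest max-age worth recommending; also what the preload list requires

# Constructed sample responses (status code + headers), not captured from a real server.
HTTP_RESPONSE = {"status": 301, "headers": {"Location": "https://example.com/login?next=%2Fhome"}}
HTTPS_RESPONSE = {"status": 200, "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}}


def parse_hsts(value):
    # Returns (max_age, include_subdomains, preload), or None if max-age is missing or invalid.
    max_age, include_subdomains, preload = None, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return None if max_age is None else (max_age, include_subdomains, preload)


def check_redirect(host, response):
    # The plain-HTTP answer must be a permanent redirect to the same host over https.
    if response["status"] not in (301, 308):
        return "HTTP did not answer with a permanent redirect"
    target = urlsplit(response["headers"].get("Location", ""))
    if target.scheme != "https":
        return "redirect target is not https"
    if target.hostname != host:
        return "redirect leaves the host"
    return None  # OK


def check_hsts(response):
    # The HTTPS answer must carry an HSTS header whose max-age is at least one year.
    hsts = response["headers"].get("Strict-Transport-Security")
    parsed = parse_hsts(hsts) if hsts else None
    if parsed is None:
        return "HSTS header missing or without a valid max-age"
    max_age = parsed[0]
    if max_age < ONE_YEAR:
        return f"HSTS max-age {max_age} is below one year (0 would even delete the policy)"
    return None  # OK
```

Each check returns None when the response passes and a short reason otherwise, so the same functions can be pointed at real responses fetched with any HTTP client.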
How CertControl keeps HTTPS healthy
HTTPS depends on one fragile element: the certificate. If it expires, or the chain is served incorrectly, the whole protection breaks — and the user sees a warning instead of the padlock. CertControl scans your endpoints from the outside, validates the certificate, chain and protocol, checks that HTTP redirects to HTTPS, and warns before any of it fails.
Frequently asked questions
Does the padlock mean the site is safe?
No. The padlock only means the connection to the server is encrypted and the server's certificate is valid. It says nothing about whether the site is honest, securely built or free of malware — a phishing site can easily have a valid certificate.
What is the difference between HTTP and HTTPS?
HTTPS is HTTP sent inside a TLS-encrypted connection. HTTP sends everything in clear text on port 80; HTTPS encrypts it on port 443 and verifies the server's identity via a certificate.
Can an eavesdropper see which pages I visit over HTTPS?
The content — paths, forms, cookies — is encrypted. An eavesdropper can still see which domain and IP you connect to (via DNS and SNI, among others), but not what you do on the site.
Why should I redirect HTTP to HTTPS?
Because otherwise an attacker can intercept the first unencrypted HTTP visit before the browser switches to HTTPS. A 301 redirect plus HSTS ensures the browser always uses HTTPS.
Does HTTPS protect my data after it reaches the server?
No. HTTPS only protects data during transport between client and server. How the server stores and handles your data afterwards is an entirely separate question of server security.