DEV Community

Neural Download


Hackers Read Your Password Without HTTPS

https://www.youtube.com/watch?v=e6-icqzZnhA

You type your password into a website. You hit enter. And that password flies across the internet — through your WiFi router, through your ISP, through dozens of networks you've never heard of — before it reaches the server. Without HTTPS, every one of those hops can read it. Plain text. Like a postcard anyone can flip over.

HTTPS fixes this. But it's more clever than most people realize, and more limited than most people assume.

The Handshake Nobody Sees

Before a single byte of your data moves, your browser and the server perform a choreographed handshake. In TLS 1.3, it takes just one round trip.

Your browser sends a ClientHello: the cipher suites it supports, a 32-byte random value, and a key share. The server answers in a single flight: a ServerHello carrying its chosen cipher suite, its own random value and key share, and then, already encrypted under the freshly derived handshake keys, its certificate plus a signature over the handshake so far (CertificateVerify) proving it holds the certificate's private key. The certificate alone proves nothing, since certificates are public; the signature is what ties the key share to the identity.

Here's the clever part. Both key shares belong to an ephemeral Diffie-Hellman exchange (in practice almost always over an elliptic curve, with X25519 the common choice). Each side has a private number it never transmits. By combining its own private number with the other side's public share, each side computes the same shared secret, without that secret ever crossing the wire.

An eavesdropper sees both public shares but can't derive the secret from them; doing so would mean solving the discrete logarithm problem on the curve. One round trip, and both sides hold the same secret, from which the traffic keys are derived.

Who Vouches For Whom

The server's certificate isn't self-signed. It's part of a chain of trust.

A root Certificate Authority (CA) signs an intermediate CA's certificate. The intermediate CA signs the website's certificate. Your browser walks the chain upward: is the website's certificate signed by the intermediate? Is the intermediate signed by a root in its trust store? Along the way it also checks that the leaf certificate names the host in the address bar and that every certificate in the chain is within its validity period.

Your operating system or browser ships with a trust store of roughly 150 root CAs (the exact number depends on the root program): DigiCert, Let's Encrypt's ISRG root, Google Trust Services, and others. Every public HTTPS connection traces back to this small set of anchors.

Why Both Asymmetric AND Symmetric

Public-key cryptography (RSA, Diffie-Hellman) is mathematically elegant but slow, on the order of a thousand times slower per byte than symmetric encryption. Symmetric encryption (AES) is blazing fast, since modern CPUs have dedicated instructions for it (AES-NI), but both sides need the same key, and you can't just send that key over an unencrypted channel.

HTTPS uses both. The public-key math establishes the shared secret. Symmetric AES (in an authenticated mode such as AES-GCM, or ChaCha20-Poly1305 on hardware without AES instructions) encrypts the actual data. It's a relay race: asymmetric runs the first hundred meters, then hands the baton to symmetric for the marathon.

The session keys are unique to each connection because the Diffie-Hellman key shares are ephemeral: generated for that one handshake and discarded afterwards. The server's long-term private key only signs the handshake; it never encrypts anything. So even if someone records your encrypted traffic and later steals the server's private key, they still can't decrypt the recorded session. That's called forward secrecy. TLS 1.3 guarantees it; the old RSA key exchange in TLS 1.2 did not, which is exactly why a stolen server key could unlock recorded TLS 1.2 sessions.
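Both halves of the story in one place, the key agreement from "The Handshake Nobody Sees" and the asymmetric-to-symmetric handoff with forward secrecy described just above, as an added example that is not part of the original post. It implements X25519 (the curve most browsers use for TLS 1.3 key shares) in pure Python straight from the RFC 7748 ladder, derives a symmetric key from the shared secret with HKDF-SHA256, and runs two connections to show that each gets its own key. The derivation label and the 16-byte output are a deliberate simplification of the real TLS 1.3 key schedule; `run_handshake` and `rfc7748_vectors_hold` are names chosen for this example.

```python
import hashlib
import hmac
import os

# Curve25519 field prime and the ladder constant (A - 2) / 4, from RFC 7748.
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")   # u = 9, the generator every key share starts from


def _decode_scalar(k: bytes) -> int:
    """Clamp a 32-byte private key as RFC 7748 requires before using it as a scalar."""
    b = bytearray(k)
    b[0] &= 248          # clear the low 3 bits (multiple of the cofactor 8)
    b[31] &= 127         # clear the top bit
    b[31] |= 64          # set bit 254 so every scalar has the same bit length
    return int.from_bytes(b, "little")


def _decode_u(u: bytes) -> int:
    b = bytearray(u)
    b[31] &= 127         # the top bit of a u-coordinate is ignored
    return int.from_bytes(b, "little") % P


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery-ladder scalar multiplication: x25519(private, BASEPOINT) is a public
    key share, x25519(private, peer_share) is the shared secret."""
    scalar, x1 = _decode_scalar(k), _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:                                  # conditional swap (not constant-time here)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def run_handshake() -> dict:
    """One connection: fresh ephemeral key shares on both sides, one round trip of public
    values, and the same AES key derived independently at each end."""
    client_priv, server_priv = os.urandom(32), os.urandom(32)   # never transmitted
    client_share = x25519(client_priv, BASEPOINT)                # goes in the ClientHello
    server_share = x25519(server_priv, BASEPOINT)                # goes in the ServerHello
    client_secret = x25519(client_priv, server_share)
    server_secret = x25519(server_priv, client_share)
    # Bind the derived key to this handshake (simplified stand-in for the TLS 1.3 key schedule).
    transcript = hashlib.sha256(client_share + server_share).digest()
    aes_key = hkdf_expand(hkdf_extract(transcript, client_secret), b"demo traffic key", 16)
    # The private scalars die with this function; the server's certificate key never took
    # part, so stealing it later cannot recover aes_key from the recorded shares: forward secrecy.
    return {"client_share": client_share, "server_share": server_share,
            "same_secret": client_secret == server_secret, "aes_key": aes_key}


def rfc7748_vectors_hold() -> bool:
    """Check the ladder against the Alice/Bob test vectors in RFC 7748 section 6.1."""
    alice = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    bob = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    alice_pub = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
    bob_pub = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
    shared = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")
    return (x25519(alice, BASEPOINT) == alice_pub and x25519(bob, BASEPOINT) == bob_pub
            and x25519(alice, bob_pub) == shared and x25519(bob, alice_pub) == shared)


if __name__ == "__main__":
    print("RFC 7748 vectors hold:", rfc7748_vectors_hold())
    first, second = run_handshake(), run_handshake()
    print("both sides agree:", first["same_secret"] and second["same_secret"])
    print("keys differ per connection:", first["aes_key"] != second["aes_key"])
```

The swap in the ladder is a plain Python `if`, which leaks the scalar bits through timing; a production implementation does a constant-time conditional swap. That is the one place this example trades fidelity for readability.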

What the Padlock Actually Means

The padlock icon means your connection is encrypted, the certificate chains to a trusted root, and the certificate's names match the domain in the address bar. That's it.

It does not mean the website is safe. A phishing site can have HTTPS. A malware distribution site can have HTTPS. Getting a certificate is free and takes about thirty seconds with Let's Encrypt. Certificate authorities verify domain control (that you can answer a challenge on the DNS name or the web server behind it), not trustworthiness.

A site called my-bank-login-secure.com can display the padlock and look perfectly legitimate. The connection is encrypted — nobody can eavesdrop. But the person on the other end might be a thief.

HTTPS protects the channel, not the destination. It's a locked mailbox, not a trustworthy post office.
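The padlock decision in code, as an added example that is not from the original post: the one part of certificate validation that ties the padlock to the address bar is name matching against the certificate's subjectAltName entries, done the way browsers do it (RFC 6125: case-insensitive exact match, or a wildcard that is the whole left-most label and covers exactly one label). The three subjectAltName lists are constructed here for the demonstration; `hostname_matches`, `certificate_covers` and `padlock_for` are names chosen for this example.

```python
from urllib.parse import urlsplit

# Constructed subjectAltName lists for three certificates a CA would issue after domain
# validation: the real bank, a lookalike domain, and a subdomain of an attacker's domain.
BANK_SANS = ["mybank.com", "*.mybank.com"]
LOOKALIKE_SANS = ["my-bank-login-secure.com", "www.my-bank-login-secure.com"]
SUBDOMAIN_TRICK_SANS = ["*.mybank.com.evil.net"]


def hostname_matches(presented: str, host: str) -> bool:
    """Does one DNS name from a certificate cover this host? Exact match is case-insensitive;
    a wildcard must be the entire left-most label, must leave at least two labels behind
    it, and stands for exactly one label (so *.mybank.com never covers a.b.mybank.com)."""
    presented, host = presented.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in presented:
        return presented == host
    labels = presented.split(".")
    if labels[0] != "*" or any("*" in label for label in labels[1:]) or len(labels) < 3:
        return False                      # "l*.mybank.com", "a.*.com" and "*.com" are rejected
    suffix = presented[1:]                # ".mybank.com"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]           # whatever the wildcard has to stand for
    return bool(left) and "." not in left


def certificate_covers(san_names, host: str) -> bool:
    return any(hostname_matches(name, host) for name in san_names)


def padlock_for(url: str, san_names) -> bool:
    """What the padlock decides once the chain has verified: is the URL https, and does the
    leaf certificate name the host in the address bar? Nothing about who owns that host."""
    parts = urlsplit(url)
    return (parts.scheme == "https" and parts.hostname is not None
            and certificate_covers(san_names, parts.hostname))


if __name__ == "__main__":
    cases = [("https://login.mybank.com/", BANK_SANS),
             ("https://my-bank-login-secure.com/login", LOOKALIKE_SANS),
             ("https://login.mybank.com.evil.net/", SUBDOMAIN_TRICK_SANS),
             ("https://a.b.mybank.com/", BANK_SANS),
             ("http://login.mybank.com/", BANK_SANS)]
    for url, sans in cases:
        print(f"{url:45} padlock={padlock_for(url, sans)}")
```

The lookalike and the subdomain trick both earn a padlock, and legitimately so: the certificate really was issued for those names. Spotting that `login.mybank.com.evil.net` is not `mybank.com` requires looking at the registrable domain, which the padlock never does.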

The Limits

HTTPS doesn't hide which server you're connecting to. The browser puts the domain name in the ClientHello's Server Name Indication extension in plaintext; TLS 1.3 encrypts the server's certificate and almost everything after the key exchange, but not the SNI unless Encrypted Client Hello is in use, and the DNS lookup reveals the name anyway. It doesn't prevent the server from logging your data. And it doesn't protect against vulnerabilities in the website's code, or against malware on your own device, which sees the password before it is ever encrypted.
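What an on-path observer actually gets, as an added example that is not from the original post, covering both the opening scenario (a password posted over plain HTTP) and the limit described just above (the domain name in the handshake). The HTTP capture is constructed inline, and the TLS ClientHello is produced by a small builder rather than taken from a real capture, so everything runs offline; a real browser's ClientHello is much larger, but the layout walked by the parser is the same. `http_credentials`, `build_client_hello` and `extract_sni` are names chosen for this example.

```python
import struct
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample capture (not real traffic): a login form submitted over plain HTTP.
_BODY = b"username=alice&password=hunter2%21"
HTTP_LOGIN = (b"POST /login HTTP/1.1\r\nHost: bank.example\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n"
              b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n\r\n" + _BODY)


def http_credentials(capture: bytes) -> Optional[dict]:
    """Plain HTTP: the form fields sit in the clear after the blank line. Returns the
    submitted fields when a password field is present, otherwise None."""
    head, sep, body = capture.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"POST "):
        return None
    fields = parse_qs(body.decode("latin-1"))
    if "password" not in fields:
        return None
    return {name: values[0] for name, values in fields.items()}


def build_client_hello(server_name: str) -> bytes:
    """A minimal TLS 1.3 ClientHello record carrying a server_name extension (sample input)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name           # NameType host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # extension server_name(0)
    versions_ext = struct.pack("!HH", 43, 3) + b"\x02\x03\x04"          # supported_versions: TLS 1.3
    exts = sni_ext + versions_ext
    cipher_suites = b"\x13\x01\x13\x02"          # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    body = (b"\x03\x03" + bytes(range(32)) + b"\x00"   # legacy_version, fixed "random", empty session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00"                                # compression_methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def extract_sni(capture: bytes) -> Optional[str]:
    """Walk the record and handshake headers to the server_name extension and return the
    host name. Anything that is not a well-formed ClientHello (another protocol, a
    truncated capture) yields None rather than an exception."""
    try:
        if capture[0] != 0x16:
            return None
        (rec_len,) = struct.unpack("!H", capture[3:5])
        hs = capture[5:5 + rec_len]
        if hs[0] != 0x01:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                            # legacy_version + random
        pos += 1 + body[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + body[pos]                                    # compression_methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0x0000:
                lpos = 2                                        # skip the ServerNameList length
                while lpos + 3 <= len(data):
                    ntype = data[lpos]
                    nlen = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                    if ntype == 0:
                        return data[lpos + 3:lpos + 3 + nlen].decode("ascii")
                    lpos += 3 + nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    print("plain HTTP ->", http_credentials(HTTP_LOGIN))
    print("TLS        ->", extract_sni(build_client_hello("bank.example")), "(and nothing else)")
```

Run against the HTTP capture the observer gets the username and password verbatim; run against the TLS handshake it gets `bank.example` and no more. That asymmetry is the whole argument of the post, and also why SNI logging is a standard network-monitoring data source.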

HTTPS is essential. The internet would be unusable without it. But it's one layer of security. Not the only layer.

Watch the full animated breakdown: Hackers Read Your Password Without HTTPS


Neural Download — visual mental models for the systems you use but don't fully understand.
