Glossary · Definition
HTTPS
HTTPS is HTTP wrapped in a TLS-encrypted tunnel. Everything between your browser and the server — URLs, form data, cookies, response bodies — is encrypted in transit so a network observer (cafe Wi-Fi, ISP, anyone in between) can't read it or change it.
Definition
HTTPS is HTTP wrapped in a TLS-encrypted tunnel. Everything between your browser and the server — URLs, form data, cookies, response bodies — is encrypted in transit so a network observer (cafe Wi-Fi, ISP, anyone in between) can't read it or change it.
What it means
HTTP carries every request and response in plain text. Anyone on the same network can read your traffic — passwords, session cookies, the pages you visit. HTTPS sits the same protocol on top of TLS (formerly SSL): the browser and server perform a key exchange, derive a shared symmetric key, then encrypt every byte after that. The certificate proves the server is who it claims to be — issued by a Certificate Authority the browser already trusts. Modern HTTPS uses TLS 1.3, which makes the handshake faster and removes legacy ciphers.
Advertisement
Why it matters
Beyond privacy, HTTPS is the floor for almost every modern web feature: service workers, geolocation, camera/mic, push notifications, HTTP/2, HTTP/3 — all require HTTPS. Browsers mark HTTP pages as 'Not secure' in the address bar and Chrome blocks mixed-content (HTTPS pages loading HTTP assets). Google has used HTTPS as a ranking signal since 2014. Free certificates from Let's Encrypt eliminated the cost barrier — there's no good reason to ship HTTP in 2026.
Frequently asked questions
What's the difference between HTTPS and TLS?
TLS is the encryption protocol. HTTPS is HTTP carried over a TLS connection. SSL is the obsolete predecessor of TLS — the names get used interchangeably but every modern 'SSL' deployment is actually TLS 1.2 or 1.3.
Does HTTPS hide the URL?
It hides the path and query string from network observers, but the domain name leaks via DNS and the TLS handshake's SNI extension. Encrypted Client Hello (ECH) closes the SNI gap once browsers and servers both support it.
Does HTTPS protect against the destination site?
No. It protects traffic in transit. The site you connect to sees your request in cleartext; HTTPS doesn't make that site trustworthy.
Related terms
- DefinitionSSLSSL (Secure Sockets Layer) is the obsolete encryption protocol that became TLS in 1999. The term stuck culturally — 'SSL certificate' actually means a TLS certificate today — but every secure connection on the modern web is TLS, not SSL.
- DefinitionTLSTLS (Transport Layer Security) is the encryption protocol that wraps any TCP connection in an authenticated, encrypted tunnel. It's what makes HTTPS, secure SMTP, and most modern internet traffic private.
- DefinitionDNSDNS (Domain Name System) is the internet's distributed phonebook — it translates human-readable domain names like 'freetoolarena.com' into the IP addresses servers actually use. Every browser request starts with a DNS lookup.