
What Is HTTPS?

What is HTTPS or secure web protocol?

Now let’s look at the secure web protocol, HTTPS. The “S” at the end of HTTPS, of course, stands for “secure.” HTTPS provides for authentication of the website as well as encryption of the communication. Authentication of the website is how you know that you’re actually visiting www.apple.com and not some fake. Initially, HTTPS was used to protect logins and confidential online transactions like online banking and online shopping. These days, though, HTTPS is pretty much the default for everything.

HTTPS is based on a technology called public-key cryptography. To make it work, the website needs a public-private key pair that is certified by a certificate authority. I will not be getting into the workings of public-key cryptography.

Now, let’s redo our example, this time with HTTPS. Step 1 is just as before: We type the address or click on a link.

Before we can move on to step 2, we have to insert a new step that I’m numbering as 1.5. In this step, the browser and web server perform a cryptographic dance, that is, an exchange of messages and some really interesting computation, using the web server’s public-private key pair, in order to authenticate the website and create two new keys that are called session keys — one for the client and one for the server. These session keys are used to encrypt and decrypt the messages.

These cryptographic functions are performed by a protocol that is called Transport Layer Security (TLS), which is the successor to the now-deprecated Secure Sockets Layer (SSL).

Now we can move on to step 2, which works just as before, but now, after the browser writes the request message, before it can send it, it uses its session key to encrypt it. The encrypted message is then sent to the web server. The web server then, after receiving the message, uses its session key to decrypt and then read the message.

Step 3 operates similarly with the response message. After writing the response message, the web server encrypts it using its session key and then sends it back to the browser. The browser, then, after receiving the message, uses its session key to decrypt and then read the message.

Finally, step 4 operates as before — the browser renders the response, and we can see the web page.

Note that the padlock icon indicates a secure connection and authentication of the website.

You may be wondering how the request and response messages find their way to the web server and back. The answer is the Internet Protocol, IP, and that is the subject of the next presentation, What Is an IP Address?

A secure website has become an important signal of trust to internet users. Seeing a lock symbol in the browser address bar offers people using websites a degree of assurance that the website is legitimate and safe. 

The internet is based on protocols, including the Hypertext Transfer Protocol (HTTP). An S appended to HTTP in a website URL (HTTPS) denotes that the site uses the secure version of HTTP; the S stands for Secure. HTTPS (Hypertext Transfer Protocol Secure) was originally used to protect online logins and ensure that online banking and shopping transactions were secure. However, in 2014, Google upped the stakes for HTTPS by using HTTPS as a ranking signal. The effect on the uptake of HTTPS was dramatic, and today over 80% of all websites use HTTPS.

What’s the difference between HTTP and HTTPS?

HTTPS and the related security protocol, SSL (Secure Sockets Layer), were released by Netscape in 1994 to protect the Netscape browser.

HTTPS connections facilitate two critical functions to help establish trust and create secure connections on the internet:

  • Website authentication: This authenticates a website so that the user knows the site has been checked for legitimacy; e.g., apple.com is the website of the company Apple Inc.
  • Data encryption: HTTPS websites use the Transport Layer Security (TLS) protocol (the successor of SSL) to encrypt web traffic, protecting sensitive information between a client (e.g., web browser) and web server. For example, if you buy something online from an HTTPS site, the credit card data you send to make the purchase travels to the web server in encrypted form rather than in plain text.

How does HTTPS work?

HTTPS is based on a technology called public key infrastructure (PKI). PKI relies on public key cryptography and a digital signature. A “key pair” is created by the website owner, and the public key is sent to a trusted authority known as a “certificate authority” (CA). This authority signs the public key, which produces a document known as a digital certificate. The website now holds a private key and an SSL certificate, which holds the public key. The public key verifies anything signed by the private key. The digital certificate provides a chain of trust and validation that the website is authentic. HTTPS works alongside a security protocol (SSL/TLS) to encrypt and decrypt communications and sensitive data between the web browser and web server.

The steps in an HTTPS request-response flow

The request-response flow of the HTTPS protocol begins in the same way as HTTP. However, an interim step, step 1.5, is used to differentiate the two flows:

Step 1: Navigation and initiation

The user types a web address into a browser or clicks on a link in an email or other communication. The address contains a Uniform Resource Locator (URL), which contains HTTP to inform the browser to use HTTP to fetch the document representing the URL.

Step 1.5: The cryptographic dance

Step 1.5 involves the browser and web server performing a “cryptographic dance.” This involves the exchange of encrypted messages. The TLS protocol performs the complex cryptographic functions this requires, using the web server’s public-private key pair, which is certified by a certificate authority (CA). This step authenticates the website and creates two new keys (session keys), one for the client and one for the server. These session keys are used to encrypt and decrypt the messages.

Step 2: Client sends HTTP request message to server

Step 2 is the same as the HTTP step 2 request-response flow. The client, e.g., the browser, constructs a request message that is directed to the web server. The message includes additional information about the request, such as who the requesting entity is. However, unlike HTTP, after writing the request message and before sending it, the browser must encrypt the message using its session key.

Step 3: Web server sends the HTTPS response back to the client

Once a request is received, the web server uses its session key to decrypt and read the message. The web server then constructs a response message, which it encrypts using its session key before sending it back to the browser.

Step 4: Message rendered by the browser

On receiving the encrypted message, the browser uses its session key to decrypt and then read the message. The final part of this step is the browser rendering the response message and displaying the web page in the browser.
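Steps 1.5 to 3 above (the same flow the transcript at the top of the page walks through), as an added Node.js example that is not Akamai's code and is a simplified model rather than real TLS. The toy certificate format, the key labels, the hostname www.example.com and all function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed parties: a certificate authority (CA) and a web server, each with a key pair.
const ca = crypto.generateKeyPairSync('ed25519');
const server = crypto.generateKeyPairSync('ed25519');
const der = (publicKey) => publicKey.export({ type: 'spki', format: 'der' });
const certBody = (host, publicKey) => Buffer.concat([Buffer.from(host + '\n'), der(publicKey)]);

// Toy "certificate" (assumed format): hostname plus server public key, signed by the CA.
function issueCert(host, publicKey, caPrivateKey) {
  return { host, publicKey, signature: crypto.sign(null, certBody(host, publicKey), caPrivateKey) };
}

// Step 1.5: authenticate the site, then agree on one session key per direction.
function handshake(cert, serverPrivateKey, trustedCaKey, expectedHost) {
  const certOk = crypto.verify(null, certBody(cert.host, cert.publicKey), trustedCaKey, cert.signature);
  if (!certOk || cert.host !== expectedHost) throw new Error('certificate rejected');
  const client = crypto.generateKeyPairSync('x25519'); // ephemeral share, browser side
  const eph = crypto.generateKeyPairSync('x25519');    // ephemeral share, server side
  // The server proves it holds the certified private key by signing its key share.
  const proof = crypto.sign(null, der(eph.publicKey), serverPrivateKey);
  if (!crypto.verify(null, der(eph.publicKey), cert.publicKey, proof)) throw new Error('server not authenticated');
  // Each side combines its own private share with the peer's public share.
  const secret = crypto.diffieHellman({ privateKey: client.privateKey, publicKey: eph.publicKey });
  const same = crypto.diffieHellman({ privateKey: eph.privateKey, publicKey: client.publicKey });
  if (!secret.equals(same)) throw new Error('key agreement failed');
  const derive = (label) => Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), label, 32));
  return { clientKey: derive('client write'), serverKey: derive('server write') };
}

// Steps 2 and 3: authenticated encryption (AES-256-GCM) under a session key.
function seal(key, text) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function unseal(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv).setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

function demo() {
  const cert = issueCert('www.example.com', server.publicKey, ca.privateKey);
  const keys = handshake(cert, server.privateKey, ca.publicKey, 'www.example.com');
  const request = seal(keys.clientKey, 'GET /account HTTP/1.1'); // browser encrypts (step 2)
  const response = seal(keys.serverKey, 'HTTP/1.1 200 OK');      // server encrypts (step 3)
  return { request, serverReads: unseal(keys.clientKey, request), browserReads: unseal(keys.serverKey, response) };
}
```

The handshake fails closed in three cases: a certificate not signed by the trusted CA, a certificate issued for a different hostname, and a server that presents a valid certificate without holding the matching private key.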

Why is it important to use HTTPS?

Without HTTPS, internet users and data exchanged online between clients (e.g., browsers) and a web server are at risk from the following:

Interception attacks: HTTPS uses the TLS protocol to encrypt communications. Even if attackers intercept the communication, they cannot decrypt and steal the data.

Credential theft: Credential theft is behind 54% of security incidents, according to a report from Ponemon. If a website has HTTPS implemented correctly, any data submitted via that website — for example, login credentials — will be secure, as it is encrypted.

Decreased trust: Websites that signal they are HTTPS have been issued a digital certificate by a trusted CA. The CA performs due diligence checks on the company during the certificate issuance. However, caution should still be used, as according to statistics from the Anti-Phishing Working Group (APWG), 83% of phishing sites use HTTPS.

Frequently Asked Questions (FAQ)

HTTPS is the secure version of the Hypertext Transfer Protocol (HTTP) that fetches resources such as HTML documents. HTTPS facilitates secure messaging between the client (browser) and a web server. HTTPS uses key-pair cryptography along with the Transport Layer Security (TLS) protocol to perform the encryption/decryption of these messages. HTTPS also signals that a website uses this secure protocol and that the website owner has been verified.

HTTP is a web protocol used to deliver a website’s content, allowing it to be displayed in a browser. The Web Protocol, HTTP, is a request-response protocol that defines how web clients communicate with web servers. HTTPS is the secure version of this protocol that utilizes Transport Layer Security (TLS) protocol and key-pair cryptography to secure the exchange of messages between the client (e.g., browser) and a web server.

No, HTTPS does not necessarily mean that a website is safe. 

HTTPS (Hypertext Transfer Protocol Secure) is a protocol that encrypts the communication between a web browser and a website, providing a secure connection. It ensures that the data transmitted between the user and the website cannot be intercepted or tampered with by unauthorized parties.

While HTTPS is an important security measure that protects data during transmission, it does not guarantee the overall safety or trustworthiness of a website. A website could still contain malicious content, have vulnerabilities, or engage in fraudulent activities even if it uses HTTPS.

HTTPS stands for “Hypertext Transfer Protocol Secure.” The purpose of the “S” in HTTPS is to indicate that the communication between a web browser and a website is encrypted and secure.

The “S” in HTTPS indicates that the website has an SSL/TLS certificate installed and that the connection is encrypted and secure. This encryption helps protect sensitive information and ensures that the user’s connection with the website is authentic and trustworthy.
