Search tools and guides ⌘K
ELI5 · Networking & the web

HTTPS.

A locked box you and the website both hold a key to, agreed out in the open.

Imagine sending a postcard through the mail. Anyone who handles it — the postal workers, your neighbour who grabs the mail — can read every word. Plain HTTP is exactly that postcard: every router between you and the website can see what you send.

HTTPS puts that postcard inside a locked steel box. Before any real data moves, your browser and the website do a quick negotiation and end up sharing a secret key. From then on everything is scrambled with it, so the people carrying the box just see a meaningless lump of metal.

  1. Dear Bank, my password is hunter2.
    Dear Bank,pwd: hunter2 scribble…
    1

    Plain HTTP is a postcard — your password written right out in the open.

  2. hunter2, eh? Noted.
    hunter2
    2

    So everyone who carries it on the way can read every word.

  3. They agreed a secret… how?!
    the site
    3

    HTTPS opens with a handshake: a shared secret agreed in plain sight that no eavesdropper can copy.

  4. Signed and sealed.
    CERTIFICATE
    4

    The site also shows ID — a certificate signed by an authority your browser trusts.

  5. …it’s gibberish.
    #@% x9$ ?!7
    5

    Everything after is sealed with that secret. To anyone in between, it’s a brick.

  6. Read that, Snoop.
    6

    Two promises in one padlock: nobody can read it, and you know who’s on the other end.

A quick handshake in the open, then a private, ID-checked line. (Snoop has a bad day.)

How they agree a secret in public

The magic is a trick called a key exchange. The two sides each pick a private number, mix it with a shared starting value, and swap the mixtures. Each can then combine the other’s mixture with their own private number and land on the exact same final secret.

Anyone eavesdropping sees the mixtures but not the private numbers, and un-mixing them is so hard it is effectively impossible. So two strangers end up with a shared key without ever sending it.

Why the padlock means two things

Encryption alone would let an impostor set up their own locked box and pretend to be your bank. So HTTPS also checks identity: the certificate is signed by a trusted authority, and your browser refuses the connection if it does not check out.

That is why the padlock is shorthand for both promises at once — nobody can read the conversation, and you are really talking to who you think you are.

The real version How HTTPS works →
← All explainers
Related Concepts Related Concepts
Guide TCP — the transport underneath TLS Guide HTTP — the application layer above TLS Guide OAuth 2 — auth built on HTTPS Guide OIDC — identity on top of OAuth Simulator JWT Lifecycle Simulator Guide DNS — hostname resolution before TLS Guide CDN — terminates TLS at the edge
Found this useful?