How HTTPS Works
HTTPS is HTTP running inside a TLS tunnel. Before any web data moves, a TLS handshake does three jobs: the server proves its identity with a certificate, both sides agree secret keys, and every byte after is encrypted and tamper-evident.
The two kinds of encryption, and why both are used
Asymmetric crypto (public/private key pairs) lets strangers establish trust — anyone can encrypt to a public key, only the private key holder can decrypt — but it is slow. Symmetric crypto (one shared key) is fast but needs both sides to have the key already. TLS uses asymmetric once, during the handshake, to agree a symmetric session key that encrypts everything else. (More in Encryption Explained.)
The TLS 1.3 handshake in plain steps
1. ClientHello → supported versions/ciphers + client key share
2. ServerHello ← chosen cipher + server key share
← certificate + proof of private key
3. Both compute the same session keys
4. Finished ⇄ everything after is encryptedTLS 1.3 completes this in one round trip, which is why the padlock costs almost nothing in speed today.
What the certificate actually proves
The certificate binds a domain name to a public key, signed by a Certificate Authority your browser already trusts. The browser checks the signature chain, the name and the expiry. A failing check produces the "connection not private" warning — which is exactly the defence against man-in-the-middle attacks: an attacker can intercept traffic, but cannot present a valid certificate for a domain they don't control.
What HTTPS does and doesn't hide
Encrypted: URLs paths, headers, cookies, form data, page content. Not hidden: the domain you visited (via DNS and the certificate exchange) and traffic volume/timing. That nuance — "HTTPS hides the what, not the where" — is a favourite security interview follow-up. See also HTTP vs HTTPS.
Frequently asked questions
What is the difference between HTTP and HTTPS?
HTTPS is HTTP inside a TLS tunnel: the server is authenticated by certificate and all traffic is encrypted and integrity-protected. Plain HTTP sends everything readable to anyone on the path.
What is a TLS handshake?
The setup exchange at the start of an HTTPS connection: hello messages agree ciphers and key shares, the server presents its certificate, both sides derive the same symmetric session keys, and encrypted data begins — one round trip in TLS 1.3.
Why does HTTPS use both asymmetric and symmetric encryption?
Asymmetric solves the strangers problem (agreeing secrets over an open network) but is slow; symmetric is fast but needs a pre-shared key. TLS uses asymmetric once to agree the symmetric session key that protects the actual traffic.
Can HTTPS be intercepted?
Traffic can be captured but not read or modified undetected. A man-in-the-middle cannot present a valid certificate for the target domain, so browsers warn loudly — unless a victim installs an attacker's root certificate, which is why you never should.
Related articles
Want hands-on training?
Learn this on real Cisco lab devices with placement support at Attila Technologies, Ahmedabad.