What is HTTPS

You’ve probably noticed that your browser’s address bar shows a padlock icon when you visit most websites. It indicates that the site you’re on uses HTTPS rather than the older, less secure HTTP protocol. However, there are widespread misconceptions about what exactly HTTPS does for your privacy.

Today, we’ll break down what exactly HTTPS does to shield your activities from snoopers and, just as important, explain which online threats it cannot protect you against.

What is HTTPS?

Screenshot showing the padlock icon in the address bar
All major browsers represent HTTPS with a padlock icon, so if you see this, you know that you’re on a site that has taken steps to improve its users’ privacy.

In the early days of the internet, most web traffic (such as browsing your favorite websites) was sent and received using HTTP (Hypertext Transfer Protocol). HTTP has two key security issues. First, it doesn’t encrypt your connection, so snoopers could intercept and read, or even modify, the content you receive or upload. Second, it doesn’t verify the identity of websites, so you can’t know if you’re using the real website or a fake.

HTTPS (Hypertext Transfer Protocol Secure) was created to address these security issues by encrypting all data sent and received from a specific website. Anyone attempting to spy on your activities on a site using HTTPS will simply be fed scrambled, unreadable data. Furthermore, any website that uses HTTPS requires a certificate from an authority that verifies its identity. This means that, assuming you’ve typed the web address correctly, you can trust that you’ve accessed the genuine version of the site and not a phishing site designed to look like the one you want. HTTPS also warns you of sites with invalid or expired certificates by showing a broken padlock icon in the address bar.

Each website’s owner has to choose to implement HTTPS, and even then, it’s not a perfect solution. If you’d like to take control of your online privacy and ensure all your activities are encrypted, we’d suggest using a Virtual Private Network (VPN). 

The basics: HTTP vs HTTPS

HTTP is a common method of communicating with websites. Your computer (or phone) sends a request to a website that contains all the information it needs to display a particular page. This usually includes the URL, the browser you’re using, and whether you’re sending or retrieving data.

Diagram of a typical HTTP request
This diagram shows a typical HTTP request between the user and a website’s server.

One problem with this approach is that anyone monitoring the network can see exactly what’s included in any HTTP request. Your office’s network administrators, for instance, could monitor which websites you visit and see what you post there.

HTTPS attempts to rectify this issue by encrypting the contents of your HTTP traffic with the help of a protocol called Secure Sockets Layer (SSL) or its newer version, Transport Layer Security (TLS).

It starts with your device and the website agreeing on a shared secret key (a session key) that will be used to encrypt and decrypt all data sent back and forth for the rest of the current session. This process uses public key infrastructure and asymmetric encryption to allow any two devices on the internet to create that secret key together, even if they’ve never communicated before. We won’t go too far into the technical details, but check out our article on public key encryption if you want to learn more.

Once your device and the website have agreed on a key, they can send and receive data to each other in private. All traffic between them is encrypted, sent over the internet, and decrypted on the other end.

Screenshot of a typical HTTPS request diagram
HTTPS effectively adds a preliminary step where the server and your PC exchange public keys. This is what allows them to create unbreakable encryption to keep your requests private.

What does HTTPS mean for your privacy?

On the face of it, HTTPS is a marked improvement over HTTP. After all, its encryption means that fewer people have access to your browsing history, which can only ever be a good thing. However, it’s far from perfect, as we’ll explain below.

When you boil it all the way down, HTTPS just means that your activities on a particular site are encrypted, with only you and the site owners knowing what you do there. It is not an indication that the site is particularly privacy-conscious or unwilling to share details of your activities with third parties. Facebook, for instance, uses HTTPS despite being one of the most data-hungry platforms in human history.

HTTPS alone is not enough to keep you safe online

HTTPS makes it impossible to read the full contents of your internet connection, but anyone monitoring the network could still see what websites and other domains you visit, when you visit them, and the IP address identifying your device. This includes your ISP and Wi-Fi hotspot operators. HTTPS is not a magic solution to online privacy; just because you see the padlock icon in your URL bar doesn’t mean you’re completely protected.

Don’t assume a site is safe when you see the padlock icon. Research shows that 80 percent of all phishing sites now use HTTPS. The reality is that anyone who creates their own website can add an SSL certificate for a couple of hundred dollars – a drop in the bucket compared to the trillions lost to cybercrime.

While an estimated 95 percent of websites now use this protocol, there are still plenty that don’t. That’s an issue because, as privacy advocates, we want your activities to be hidden at all times. The solution is to take a proactive approach. Use a VPN to encrypt all of your internet traffic, regardless of what sites you visit and which apps you use. As a bonus, you’ll also be able to shield your true IP address and location, helping maintain your anonymity.

Diagram of a VPN connection
A VPN encrypts all of your traffic, which is a better solution than HTTPS for personal privacy. It also ensures that the sites you visit can’t see your real location.

These days, most VPNs come with a variety of other privacy tools built in. Some can block ads and trackers automatically, for instance, while others are able to sidestep country-wide censorship. We’d also recommend using a reputable antivirus app to make sure that nobody is monitoring your activities with malware or spyware.

The most important thing you can do to improve your online privacy, however, is to be more mindful about what you do online. No tool in the world can stop you from being targeted if you post your home address on social media, for example. Attackers don’t always have to be monitoring the network, either: a surprising number of breaches result from shoulder surfing (when someone simply watches you log in and makes a note of your credentials).

New to the world of digital privacy? Feeling a little overwhelmed? Don’t worry! We have a comprehensive, beginner-friendly guide to online security in case you’re looking for a good place to get started. We also have a guide to cyber hygiene that includes tips and tricks on how to protect yourself.

What can I do to make sure I’m using HTTPS whenever possible?

HTTPS adoption has come a long way in recent years. Previously, it was considered good practice to use a browser extension like the Electronic Frontier Foundation’s HTTPS Everywhere. Still, most modern browsers (including Google Chrome and Microsoft Edge) automatically redirect to the HTTPS version of a site, making these tools effectively pointless.

Screenshot of Firefox's HTTPS only setting
Firefox doesn’t redirect you to HTTPS sites by default, but you can change the required setting in under a minute.

Firefox users do have to enable this feature manually, though. To do so, simply open up the settings menu, hit Settings, and select Privacy & Security on the left-hand side. Finally, select Enable HTTPS-Only Mode in all windows.

HTTPS: Frequently Asked Questions

What does my ISP see when I visit a site that uses HTTPS?

HTTPS encrypts your connection to a website, so most of what you do is completely hidden from your service provider. Your ISP can still see which site you visit and when, but not which page. For instance, they could tell you were on www.comparitech.com, but not that you were checking out our VPN or cloud storage pages specifically.

HTTPS also hides the data that you send to a website, such as your login password.

Is HTTPS the same as end-to-end encryption?

No. End-to-end encryption (E2EE) is a system wherein only you and your intended recipient can read your communications. It’s a popular choice for private messaging platforms because even the service you’re using (Signal, Telegram, etc.) can’t see what you’re saying.

In contrast, HTTPS encrypts content between you and a web server. Once the data arrives, it’s decrypted and can be read by anyone with access to the website’s traffic logs.

Still confused? Here’s an analogy that might help. HTTPS is like sending a letter: you can hide the contents from the mailman (your ISP) by putting it in an envelope, but theoretically anyone can open the letter and read it. E2EE is like sending a letter in a secret code that only you and your friend understand; even if it was intercepted, your message would be completely meaningless to anyone except you and your friend.

Does HTTPS mean a website is safe?

Absolutely not. HTTPS ensures your connection to the site is protected from third-party snoopers such as your ISP or public hotspot owners. It also guarantees that you’re connected to the genuine website and not redirected to a fake one. This is more privacy-friendly than simply using HTTP, but you still have no control over the website owner and what they do with your data. There’s no way of telling if that particular site’s owners have malicious intentions.

To truly keep your browsing habits safe, we recommend using a reliable VPN. This not only ensures that all of your requests are encrypted, it also prevents your ISP from seeing which sites you visit and stops sites from identifying you based on your location and IP address.