When you type your password into a website, it travels across dozens of networks, through underwater cables, past countless routers—and arrives safely. Here's the magic that makes that possible.
The Problem HTTPS Solves
Imagine sending a postcard through the mail. Everyone who handles it—the mailman, the sorting facility, the delivery person—can read what you wrote. That's regular HTTP. Your data travels in plain text, readable by anyone along the way.
HTTPS is like putting that postcard in a locked box. Only you and the recipient have the key. Everyone else sees a locked box passing through.
The Brilliant Trick
Here's the core problem: How do you and a website agree on a secret key to lock your messages, when any eavesdropper can watch your conversation?
It seems impossible. If you send the key openly, the attacker gets it. If you send it encrypted, you need a key to encrypt it—turtles all the way down.
The solution is one of the cleverest ideas in computer science: public-key cryptography.
The Mailbox Analogy
Think of a special mailbox with two keys:
- A public key that only locks the mailbox (anyone can use it)
- A private key that only unlocks the mailbox (only the owner has it)
The website publishes its public key openly. Anyone can use it to lock messages. But only the website's private key can unlock them.
When you connect to a website:
- The website sends you its public key
- Your browser generates a random secret
- Your browser encrypts that secret with the public key
- The website decrypts it with its private key
- Now you both have the same secret, and nobody listening could get it
From then on, all your communication uses that shared secret to encrypt everything.
How Do You Know It's Really Them?
Here's a sneaky attack: What if someone pretends to be your bank, sends you their own public key, and reads all your messages? You'd never know.
This is where certificates come in. A certificate is like a digital ID card, signed by a trusted authority (called a Certificate Authority or CA).
When a website sends its public key, it comes with a certificate saying "Yes, this really is bankofamerica.com, verified by DigiCert." Your browser has a built-in list of authorities it trusts. If the signature checks out, you can trust the key is legitimate.
If someone tries to impersonate a site, they can't forge the certificate signature. Your browser shows a scary warning, and you know something's wrong.
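The key exchange in the list above and the certificate check just described, walked through end to end in Python as an added example (not code from the article, and not the real TLS protocol): it uses toy RSA over small fixed primes, a made-up authority "DemoCA" and site key for example.com, and an HMAC keystream standing in for TLS's real cipher, all constructed for illustration.

```python
import hashlib
import hmac
import secrets
# Toy RSA over fixed small primes (constructed demo values; real keys are 2048+ bits).
def rsa_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))          # private exponent (needs Python 3.8+)
    return (n, e), (n, d)                       # (public key, private key)
def rsa_apply(key, m):                          # public: encrypt/verify; private: decrypt/sign
    n, exp = key
    return pow(m, exp, n)
def cert_digest(domain, pub, modulus):          # what the CA signs: hash of (domain, public key)
    h = hashlib.sha256(f"{domain}|{pub[0]}|{pub[1]}".encode()).digest()
    return int.from_bytes(h, "big") % modulus   # reduced so the toy modulus can hold it
def issue_cert(ca_priv, domain, pub):           # CA attests: "this key belongs to domain"
    sig = rsa_apply(ca_priv, cert_digest(domain, pub, ca_priv[0]))
    return {"domain": domain, "pub": pub, "ca": "DemoCA", "sig": sig}
def browser_handshake(trust_store, expected_domain, cert):
    ca_pub = trust_store.get(cert["ca"])        # is the issuer in the built-in trust list?
    if (ca_pub is None or cert["domain"] != expected_domain
            or rsa_apply(ca_pub, cert["sig"]) != cert_digest(cert["domain"], cert["pub"], ca_pub[0])):
        raise ValueError("certificate check failed: show the warning, send nothing")
    secret = secrets.randbits(40)               # random secret, smaller than the server modulus
    return secret, rsa_apply(cert["pub"], secret)   # only the server's private key can open this
def stream_xor(secret, data):                   # toy keystream from HMAC(secret, counter); XOR both ways
    key = secret.to_bytes(8, "big")
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

# Constructed actors: one CA, the real site, and the browser's trust store.
CA_PUB, CA_PRIV = rsa_keypair(2147483647, 1000000009)
SITE_PUB, SITE_PRIV = rsa_keypair(1000000007, 998244353)
TRUST_STORE = {"DemoCA": CA_PUB}
SITE_CERT = issue_cert(CA_PRIV, "example.com", SITE_PUB)
def run_session(message=b"password=hunter2"):
    browser_secret, blob = browser_handshake(TRUST_STORE, "example.com", SITE_CERT)
    server_secret = rsa_apply(SITE_PRIV, blob)  # server recovers the same secret
    wire = stream_xor(browser_secret, message)  # the "locked box" an eavesdropper sees
    return server_secret == browser_secret, stream_xor(server_secret, wire), wire
def impersonation_rejected():                   # someone presents their own key under the site's name
    mallory_pub, _ = rsa_keypair(2147483647, 998244353)
    forged = dict(SITE_CERT, pub=mallory_pub)   # no CA private key, so the signature no longer matches
    try:
        browser_handshake(TRUST_STORE, "example.com", forged)
    except ValueError:
        return True
    return False
```

`run_session()` returns whether both sides derived the same secret, the decrypted message, and the ciphertext that travelled; `impersonation_rejected()` shows the browser refusing a certificate whose signature does not verify against the trusted CA.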
What's Actually Encrypted
With HTTPS, everything between your browser and the server is encrypted:
- The URL path (though the domain is visible)
- Form data you submit
- Cookies and session tokens
- The page content sent back
- All headers and metadata
An observer can see that you connected to example.com, but not what pages you visited, what you searched for, or what data you submitted.
What HTTPS Doesn't Protect
HTTPS isn't magic. It protects data in transit, but:
It doesn't guarantee the site is legitimate. A phishing site can have a valid HTTPS certificate. The padlock means "encrypted," not "trustworthy."
It doesn't protect data at rest. Once your password reaches the server, HTTPS's job is done. If the server stores it badly, that's a different problem.
It doesn't hide that you visited. Your ISP knows you connected to example.com, even if they can't see what you did there.
It doesn't protect against compromised endpoints. If your device has malware, it can read data before encryption or after decryption.
The Let's Encrypt Revolution
Until 2015, getting HTTPS required paying for certificates—hundreds of dollars per year. Many websites didn't bother. Login pages were encrypted; everything else wasn't.
Let's Encrypt changed this by offering free, automated certificates. Within years, HTTPS went from "nice to have" to "default everywhere." Browsers now warn users about non-HTTPS sites.
Today, over 80% of web traffic is encrypted. The unencrypted web is dying, and good riddance.
The Takeaway
HTTPS solves a problem that seemed impossible: creating a secure channel when anyone could be listening. Through clever mathematics and a trust hierarchy, it lets you safely send secrets across an untrusted network.
That little padlock represents decades of cryptographic research, a global infrastructure of certificate authorities, and the collective agreement that privacy matters. It's one of the great achievements of internet engineering—invisible when it works, which is almost always.
Building Secure Applications?
MKTM Studios builds with security in mind from day one. Let's discuss your project.