What Does HTTPS Stand For? Why You Should Have https:// in your URL and the Importance of the S.

March 22, 2026

HTTPS stands for Hypertext Transfer Protocol Secure. The S stands for Secure. It is the encrypted version of HTTP, the protocol your browser uses to communicate with websites. When you see “https://” at the beginning of a URL or a lock icon in your browser’s address bar, it means the connection between your browser and that website’s server is encrypted so that no one else on the network can read or intercept the data being exchanged.

That is the short answer. The longer answer involves how HTTPS encryption actually works, what it protects and what it does not, why the entire web has moved away from HTTP, and why the FBI and FTC have warned that the lock icon alone does not mean a website is trustworthy.

How Does HTTPS Work?

HTTPS uses a technology called SSL/TLS (Secure Sockets Layer / Transport Layer Security) to encrypt the connection between your browser and a web server. TLS is the modern, more secure successor to SSL, though many people still use “SSL” as a general term for both.

Here is what happens when you visit an HTTPS website:

The handshake. Your browser contacts the web server and requests a secure connection. The server responds by sending its SSL/TLS certificate, which contains the server’s public encryption key and is signed by a certificate authority (a trusted third party like DigiCert, Let’s Encrypt, or Sectigo) that has verified the website owner’s identity.

Certificate verification. Your browser checks the certificate against its list of trusted certificate authorities. If the certificate is valid, not expired, and issued for the domain you are visiting, the browser proceeds. If something is wrong, you see a security warning.

Encryption begins. Your browser and the server use the certificate’s public key to negotiate a shared encryption key. From this point forward, all data traveling between your browser and the server is encrypted. Anyone monitoring the network (a hacker on public WiFi, your internet service provider, a network administrator) sees only scrambled data.

This entire process takes milliseconds. You do not notice it happening, but it is the reason your passwords, credit card numbers, and personal information are not flying across the internet as readable text.

What Is the Difference Between HTTP and HTTPS?

The HTTP vs HTTPS comparison comes down to one thing: encryption. HTTP (Hypertext Transfer Protocol) is the original protocol the web was built on. It works, but it sends everything in plain text. HTTPS adds the encryption layer that makes the connection private and verified.

| Factor | HTTP | HTTPS |
|---|---|---|
| Encryption | None. Data travels as plain text. | All data encrypted via SSL/TLS. |
| Server verification | No identity verification. You cannot confirm you are connected to the real server. | Certificate authority verifies the server’s identity. |
| Data interception risk | Anyone on the network can read your data (passwords, credit cards, searches). | Data is encrypted. Interceptors see only scrambled content. |
| Browser treatment | Modern browsers display “Not Secure” warnings. | Lock icon displayed. No warnings. |
| ISP visibility | Your ISP can see every page you visit, every search you make, and every form you submit. | Your ISP can see that you visited a domain but cannot see the specific pages or data. |
| SEO impact | Google uses HTTPS as a ranking signal. HTTP sites are disadvantaged. | Preferred by search engines. |
| Port | Port 80 | Port 443 |
| Cost | Free | Free (Let’s Encrypt) to hundreds per year for extended validation certificates |

The practical difference: on an HTTP site, anyone sharing your WiFi network, your internet service provider, or any network operator between you and the server can see exactly what you are doing. On an HTTPS site, they cannot.

This is why using a VPN on public WiFi adds another layer of protection. The VPN encrypts your entire connection, not just traffic to HTTPS sites, so even your DNS queries and the domains you visit are hidden from the network.

Does HTTPS Mean a Website Is Safe?

No. This is one of the most dangerous misconceptions on the internet, and both the FBI and the FTC have issued public warnings about it.

The lock icon and “https://” in the address bar mean the connection is encrypted. They do not mean the website itself is legitimate, trustworthy, or free from malware. A phishing site designed to steal your login credentials can have a perfectly valid HTTPS certificate. The encryption works exactly as intended: your stolen password is transmitted securely to the attacker’s server.

The numbers are stark. According to research from PhishLabs, over 74% of reported phishing websites use HTTPS with a valid certificate and lock icon. Free certificate authorities like Let’s Encrypt have made SSL/TLS certificates available to anyone in minutes, including criminals. The barrier that once made HTTPS a meaningful trust signal has been eliminated.

What HTTPS actually guarantees:

  • The data between your browser and the server is encrypted in transit
  • The server has a certificate issued by a recognized certificate authority
  • No one on the network between you and the server can read or modify the data

What HTTPS does NOT guarantee:

  • That the website is who it claims to be (a site called “arnazon.com” can have a valid certificate)
  • That the website is free from malware or malicious content
  • That the website operator is trustworthy or legitimate
  • That your data is safe once it reaches the server

This is why you still need to verify that you are on the correct domain, look for misspellings in URLs, and treat unexpected emails with links to HTTPS sites with the same suspicion as any other unsolicited message. Layered cybersecurity services that combine email filtering, endpoint protection, and DNS security catch threats that the lock icon never will. Attackers increasingly use legitimate-looking emails to direct victims to these fraudulent HTTPS sites, a tactic covered in detail in how hackers infiltrate businesses using email.

Why the Entire Web Moved to HTTPS

HTTPS was originally reserved for pages that handled passwords, payment information, and other sensitive data. Login pages and checkout forms used HTTPS while the rest of the site ran on plain HTTP. That changed for several reasons, and today HTTPS is the default for virtually every website.

Google made it a ranking factor. In 2014, Google announced that HTTPS would be used as a ranking signal in search results. Sites using HTTPS get a small but measurable advantage over HTTP sites. In 2018, Chrome started displaying “Not Secure” warnings on all HTTP pages, not just those with forms. That warning alone drove millions of sites to switch.

Privacy beyond payments. On an HTTP connection, your internet service provider can see every page you visit, every search query you enter, every article you read, and every interaction you have with a website. In the United States, ISPs are legally permitted to record this browsing activity and sell it to advertising companies. HTTPS blocks this visibility. Your ISP can see that you visited a specific domain but cannot see the individual pages, searches, or data you exchanged.

ISP tampering. Internet service providers and network operators can inject advertisements, tracking cookies, and modified content into HTTP pages. HTTPS prevents this because the encrypted connection makes any modification detectable. Your browsing experience remains exactly what the website intended.

Browser enforcement. Every major browser now flags HTTP pages with visible security warnings. For businesses, having “Not Secure” displayed next to your URL destroys visitor trust instantly, regardless of whether the page handles sensitive data.

What Happens If You Visit an HTTP Website?

When you connect to a website using plain HTTP, three things happen:

  • Your data travels as readable text. Any data you enter, including search queries, form fields, and login credentials, moves across the network without encryption. Anyone positioned between you and the server can read it.
  • Your browser does not verify the server’s identity. You cannot confirm you are connected to the real website. On compromised networks, attackers can redirect your connection to a fake version of a legitimate site (a man-in-the-middle attack) and you would have no way to detect it.
  • Your ISP and network operator can see everything. Every page you visit, every search you perform, and every piece of data you submit is visible to your internet service provider and anyone else with access to the network infrastructure.

This is especially dangerous on public WiFi networks where you share the network with strangers. An attacker running a packet sniffer on the same WiFi network can capture HTTP traffic in real time.

What HTTPS Does Not Protect Against

HTTPS protects data in transit. It does not protect against threats that operate outside that narrow scope:

Phishing. A phishing site with a valid HTTPS certificate encrypts your credentials as they travel to the attacker. The encryption works perfectly. The problem is the destination, not the transport.

Malware on the server. If a legitimate website has been compromised and is serving malware, HTTPS ensures that malware is delivered to your browser through an encrypted connection. The encryption does not inspect or filter the content.

Tracking by the website itself. HTTPS prevents third parties from seeing your activity, but the website you are visiting can still track everything you do on their pages. Advertising trackers, analytics scripts, and data collection by the site operator are unaffected by HTTPS. For a detailed look at how websites and apps track your activity, see our guide on how to stop your phone from tracking you.

Data breaches at the server. HTTPS protects data while it is moving between your browser and the server. Once the data arrives at the server, its security depends entirely on how the website operator stores and protects it. A retailer with HTTPS can still suffer a data breach if their database is poorly secured.

How to Verify Whether a Website Is Safe

Since the lock icon is no longer a reliable trust signal on its own, here is what to check:

Verify the domain name character by character. Phishing sites use lookalike domains: “arnazon.com” instead of “amazon.com,” “paypa1.com” instead of “paypal.com,” or “secure-bankofamerica.com” instead of “bankofamerica.com.” Read the URL carefully before entering any information.

Check how you arrived at the site. If you clicked a link in an email, text message, or social media post, treat it with suspicion regardless of whether the destination uses HTTPS. Navigate to the site directly by typing the URL yourself or using a saved bookmark.

Look beyond the lock. Click the lock icon in your browser to view the certificate details. Check who issued the certificate and who it was issued to. A certificate issued by “Let’s Encrypt” for a domain pretending to be your bank is a red flag.

Watch for urgency and pressure. Legitimate businesses do not send emails threatening account closure unless you click a link immediately. Urgency is a social engineering tactic, not a customer service practice.
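A sketch of the character-by-character domain check, as an added example that is not part of the original article: it flags the lookalike patterns named above and goes one step further by catching one-character misspellings. The TRUSTED list, the small CONFUSABLES map and the two-label domain split are assumptions made for illustration.

```python
# Hypothetical allowlist, built from the domains the article uses as examples.
TRUSTED = ("amazon.com", "paypal.com", "bankofamerica.com")

# Small illustrative look-alike map (assumption; real confusable lists are longer).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"))

def skeleton(label):
    """Collapse look-alike character sequences to one canonical spelling."""
    label = label.lower()
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Return (verdict, trusted domain it resembles or None)."""
    # Naive registrable-domain split: assumes a single-label suffix such as .com.
    domain = ".".join(host.lower().rstrip(".").split(".")[-2:])
    if domain in TRUSTED:
        return ("trusted", domain)
    name = domain.rsplit(".", 1)[0]
    for good in TRUSTED:
        brand = good.rsplit(".", 1)[0]
        if brand in name:
            return ("brand embedded in a different domain", good)
        if skeleton(name) == skeleton(brand):
            return ("lookalike characters", good)
        if edit_distance(name, brand) == 1:
            return ("possible misspelling", good)
    return ("unknown", None)

if __name__ == "__main__":
    for h in ("www.amazon.com", "arnazon.com", "paypa1.com",
              "secure-bankofamerica.com", "amazn.com", "example.org"):
        print(h, "->", classify(h))
```

A production version would split domains with the Public Suffix List rather than taking the last two labels.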

Frequently Asked Questions

No. HTTPS encrypts the connection between your browser and the server, but it does not scan, filter, or block malicious content. A compromised website can deliver malware through a perfectly valid HTTPS connection. You still need endpoint protection software and safe browsing habits.

HTTPS means the connection is encrypted, not that the destination is trustworthy. Over 74% of phishing sites use HTTPS. Always verify the domain name and how you received the link before clicking.

SSL (Secure Sockets Layer) is the encryption technology. HTTPS is the protocol that uses SSL (or its successor, TLS) to create an encrypted connection. SSL/TLS is the engine. HTTPS is the car.

In practice, yes. Google uses HTTPS as a ranking signal, browsers display “Not Secure” warnings on HTTP pages, and user trust is significantly lower for sites without the lock icon. Any business website should be using HTTPS.

HTTPS is not strictly required, but Google has used it as a ranking signal since 2014 and Chrome displays security warnings on HTTP pages. For practical purposes, HTTPS is a requirement for any site that wants to rank well and maintain visitor trust.

HTTPS does not protect against phishing (fake sites can have valid certificates), malware hosted on the server, tracking by the website itself, or data breaches at the server level. It protects data in transit only.

HTTP sends all data as plain text without encryption. Anyone on the network between you and the server can read the data, including passwords, credit card numbers, and personal information. HTTP also does not verify the server’s identity, making man-in-the-middle attacks possible.

Check the domain name carefully for misspellings or lookalike characters. Verify how you arrived at the site (typed directly vs clicked a link). Click the lock icon to inspect the certificate. Look for contact information, a privacy policy, and signs the business is legitimate beyond just having HTTPS.

Protect Your Business Online

Understanding HTTPS is the starting point, but protecting your business requires layered security that goes well beyond checking for a lock icon. Phishing attacks, credential theft, and man-in-the-middle attacks all exploit gaps that HTTPS alone cannot close. A managed IT services partner handles the controls that keep your business protected across every layer.

LeadingIT is a cyber-resilient technology and cybersecurity services provider. With our concierge support model, we provide customized solutions to meet the unique needs of nonprofits, schools, manufacturers, accounting firms, government agencies, and law offices with 25–250 users across the Chicagoland area. Our team of experts solves the unsolvable while helping our clients leverage technology to achieve their business goals, ensuring the highest level of security and reliability. Call us at 815-788-6041 or contact us today.


Stephen Taylor is the founder and driving force behind LeadingIT, a Chicagoland-based IT and cloud services company, where he focuses on delivering practical, client-first technology solutions for businesses. A Microsoft Certified professional and author of Technology Should Just Work, he combines hands-on expertise with a passion for making IT simple, transparent, and effective. Read more about the author.
