Privacy Decrypted #5: How HTTPS keeps you safe (but not private)

Douglas Crawford

Share this page

HTTPS is the backbone that keeps everyone safe and secure on the internet. However, it does little to prevent you from being tracked online.

When you surf the web, you connect to websites using the Hypertext Transfer Protocol (HTTP), first developed by Sir Tim Berners-Lee (who is now a member(new window) of Proton’s advisory board).

Hypertext Transfer Protocol Secure (HTTPS) is the secure version of HTTP, using the TLS encryption protocol(new window) to secure web connections. It is the cornerstone of all security on the internet, making possible much of what we take for granted being able to do on the internet.

This includes securing all financial transactions, such as making online purchases and managing your bank account online.

It wasn’t long ago that most of the internet was terrifyingly insecure, with most websites using simple HTTP. However, thanks in large part to the not-for-profit Let’s Encrypt(new window) project, which started in 2015 and has now issued free HTTPS certificates to over 265 million websites(new window), use of HTTPS websites is now almost ubiquitous.

HTTPS is most often associated with ensuring that browser connections to websites are secure, and, for simplicity, in this article we shall discuss it in this context. However, HTTPS is also used by mobile apps to secure the connection to their backend servers.

What does HTTPS secure?

HTTPS secures the connection between your browser and a website. If you visit a website using regular (non-secure) HTTP then your ISP can see everything you do on that website — which individual pages you visit and any data you input (such as your credit card details when making a payment).

Because all data transferred between the website and your browser is unencrypted, it can be intercepted and read by criminal hackers, government agencies, or anyone who cares to look. 

If a website uses HTTPS, all of this information is hidden from your ISP. All it can see is that you have visited the website — not what you do on it. And because the connection between your browser and the web server is encrypted, your data is secure against third parties. Thanks to the widespread uptake of HTTPS (see below), it is now usually safe to use public WiFi hotspots without the need for a VPN. 

The website owner, of course, can see what you do on their own website, and (unless you take steps to prevent it, such as using a VPN(new window) to hide your real IP address), will know who you are.

What HTTPS does not hide from outside observers is that you have visited a website (or used an app), when you visited it, how often you visited it, or how long you stayed on that website. In other words, it does not prevent the collection of metadata. 

This is important from a privacy perspective, as it does not take a genius to guess the political affiliation of someone who regularly visits gop.com(new window), the sexual orientation of someone who uses the Grindr app, or that someone who visits maternity websites is likely to be pregnant. This is true regardless of the fact that whoever is watching doesn’t know what the visitor does once on those platforms.

So it can be said that HTTPS keeps you secure online, but it does little to protect your privacy (again, this is something a VPN can help with). 

Learn more about the difference between anonymity, security, and privacy(new window)

How to tell if a website uses HTTPS

All browsers implement a security measure that allows you to check, at a glance, if the website you are visiting secures the connection using HTTPS. Simply look for the closed lock icon in the URL bar. For example:

Chrome desktop showing that a wesite is protected with HTTPS
(new window)
Chrome browser on the desktop showing that a website is secured using HTTPS
Firefox for Android showing that a wesite is protected with HTTPS
(new window)
Firefox browser for Android showing that a website is secured using HTTPS

Browsers will also clearly show when a website is not secured by HTTPS. For example:

Chrome desktop showing that a website is not protected with HTTPS
(new window)
Chrome browser on the desktop showing that a website is not secured using HTTPS
Firefox for Android showing that a website is not protected with HTTPS
(new window)
Firefox browser for Android showing that a website is not secured using HTTPS

How does HTTPS work?

HTTPS secures the connection between a web browser and a web server with TLS encryption. 

The actual encryption algorithms used are negotiated between the web server and the client (browser). Most browsers allow you to click or tap on the lock icon to learn more security details about the encryption algorithms used for the HTTPS connection.

Cgrome for Android showing encryption details
(new window)

Chrome browser for Android

HTTPS uses the X.509 Public Key Infrastructure (PKI) to negotiate a new connection. This is an asymmetric encryption system that uses public key cryptography to secure the key exchange. That is, the web server presents a public key, which is decrypted using a browser’s private key.

To ensure your browser is connecting to the server it thinks it’s connecting to (and thus preventing man-in-the-middle attacks), X.509 uses HTTPS certificates. These are small data files that digitally bind a website’s public cryptographic key to an organization’s identity.

HTTPS certificates are issued by a Certificate Authority (CA), an organization that has (at least in theory) verified that it can be trusted to only issue certificates to valid organizations. Whether a browser accepts the HTTPS certificates issued by a particular organization depends on the browser developers.

As of mid-2020, Mozilla Firefox accepted certificate issues by 52 Certificate Authorities, macOS (and therefore Safari) recognized 60 CAs, and Microsoft Windows (and therefore Edge Chromium) 101 CAs.

Learn more about TLS encryption(new window)

Is HTTPS secure?

Yes. HTTPS secures every one of the millions of financial transactions that occur every minute around the world. If HTTPS weren’t secure, there would be a global meltdown. 

This isn’t to say there are no issues with the standard. CAs can be (and have been(new window)) pressured by governments to issue HTTPS certificates to dubious websites, or can be hacked by criminals to issue fake certificates.

Research has also suggested that in a highly targeted attack, it might be possible to use HTTPS traffic analysis(new window) to uncover the individual web pages a target visits on HTTPS-secured websites. 

Since the encryption used is negotiated between the client and the browser, it’s also important that both of these are running up-to-date software. 

These are issues we may discuss in more detail in a future episode of Privacy Decrypted.  The bottom line, however, is that the world relies on HTTPS to keep us safe online, and it does a very good job at doing this.

It is worth bearing in mind, though, that security is not the same as privacy. If you wish to keep your metadata (which can reveal a huge amount about you) private then you should protect it using a VPN when you surf the web. 

Protect your privacy with Proton
Get a free account

Share this page

Douglas Crawford

Starting with ProPrivacy and now Proton, Douglas has worked for many years as a technology writer. During this time, he has established himself as a thought leader specializing in online privacy. He has been quoted by the BBC News, national newspapers such as The Independent, The Telegraph, and The Daily Mail, and by international technology publications such as Ars Technica, CNET, and LinuxInsider. Douglas was invited by the EFF to help host a livestream session in support of net neutrality. At Proton, Douglas continues to explore his passion for privacy and all things VPN.

Related articles

From having too many inboxes to manage to switching to a new email provider, there are many reasons why you’d want to delete your Gmail account. You might even be concerned that Google is abusing your privacy. Thankfully, you can delete your Gmail a
The first month of 2023 has brought brutal layoffs from Big Tech, a potential ban of TikTok in the US, and another Twitter breach. But the biggest development of this new year has to be the ascent of ChatGPT.  The chatbot can produce remarkably huma
Hackers were able to steal account details from over 200 million Twitter users and posted the database on a hacking forum in early January 2023. These details include users’ email addresses and Twitter handles, allowing people to potentially identify
From your online shopping receipts to financial statements, your emails contain a great deal of sensitive information about your life, interests, and daily schedule. If you’re concerned about your online privacy, it’s therefore vital to keep your inb
At Proton, we’re committed to building privacy-focused products that are convenient to use and improve your productivity. Last year, we released the new mobile apps for Proton Calendar and Proton Drive, letting you manage your schedule and upload imp
Most email services aren’t secure and limit attachment file sizes, but there are ways to send large files securely. If you’ve ever tried attaching multiple images or video files to an email, you’ll know that it doesn’t always work. We explain ways t