
Privacy Decrypted #5: How HTTPS keeps you safe (but not private)


HTTPS is the backbone that keeps everyone safe and secure on the internet. However, it does little to prevent you from being tracked online.

When you surf the web, you connect to websites using the Hypertext Transfer Protocol (HTTP), first developed by Sir Tim Berners-Lee (who is now a member of Proton’s advisory board).

Hypertext Transfer Protocol Secure (HTTPS) is the secure version of HTTP, using the TLS encryption protocol to secure web connections. It is the cornerstone of all security on the internet, making possible much of what we now take for granted doing online.

This includes securing all financial transactions, such as making online purchases and managing your bank account online.

It wasn’t long ago that most of the internet was terrifyingly insecure, with most websites using plain HTTP. However, thanks in large part to the not-for-profit Let’s Encrypt project, which started in 2015 and has now issued free HTTPS certificates to over 265 million websites, HTTPS is now almost ubiquitous.

HTTPS is most often associated with ensuring that browser connections to websites are secure, and, for simplicity, in this article we shall discuss it in this context. However, HTTPS is also used by mobile apps to secure the connection to their backend servers.

What does HTTPS secure?

HTTPS secures the connection between your browser and a website. If you visit a website using regular (non-secure) HTTP, then your ISP can see everything you do on that website — which individual pages you visit and any data you input (such as your credit card details when making a payment).

Because all data transferred between the website and your browser is unencrypted, it can be intercepted and read by criminal hackers, government agencies, or anyone who cares to look. 

If a website uses HTTPS, all of this information is hidden from your ISP. All it can see is that you have visited the website — not what you do on it. And because the connection between your browser and the web server is encrypted, your data is secure against third parties. Thanks to the widespread uptake of HTTPS (discussed above), it is now usually safe to use public WiFi hotspots without the need for a VPN.

The website owner, of course, can see what you do on their own website, and (unless you take steps to prevent it, such as using a VPN to hide your real IP address), will know who you are.

What HTTPS does not hide from outside observers is that you have visited a website (or used an app), when you visited it, how often you visited it, or how long you stayed on that website. In other words, it does not prevent the collection of metadata. 

This is important from a privacy perspective, as it does not take a genius to guess the political affiliation of someone who regularly visits gop.com, the sexual orientation of someone who uses the Grindr app, or that someone who visits maternity websites is likely to be pregnant. This is true regardless of the fact that whoever is watching doesn’t know what the visitor does once on those platforms.

So it can be said that HTTPS keeps you secure online, but it does little to protect your privacy (again, this is something a VPN can help with). 

Learn more about the difference between anonymity, security, and privacy

How to tell if a website uses HTTPS

All browsers implement a security measure that allows you to check, at a glance, if the website you are visiting secures the connection using HTTPS. Simply look for the closed lock icon in the URL bar. For example:

Chrome browser on the desktop showing that a website is secured using HTTPS
Firefox browser for Android showing that a website is secured using HTTPS

Browsers will also clearly show when a website is not secured by HTTPS. For example:

Chrome browser on the desktop showing that a website is not secured using HTTPS
Firefox browser for Android showing that a website is not secured using HTTPS

How does HTTPS work?

HTTPS secures the connection between a web browser and a web server with TLS encryption. 

The actual encryption algorithms used are negotiated between the web server and the client (browser). Most browsers allow you to click or tap on the lock icon to learn more security details about the encryption algorithms used for the HTTPS connection.

Chrome browser for Android

HTTPS uses the X.509 Public Key Infrastructure (PKI) to negotiate a new connection. This is an asymmetric encryption system that uses public key cryptography to secure the key exchange. That is, the web server presents a public key, which is decrypted using a browser’s private key.

To ensure your browser is connecting to the server it thinks it’s connecting to (and thus preventing man-in-the-middle attacks), X.509 uses HTTPS certificates. These are small data files that digitally bind a website’s public cryptographic key to an organization’s identity.

HTTPS certificates are issued by a Certificate Authority (CA), an organization that has (at least in theory) been verified as trustworthy to issue certificates only to legitimate organizations. Whether a browser accepts the HTTPS certificates issued by a particular CA is decided by the browser’s developers.

As of mid-2020, Mozilla Firefox accepted certificates issued by 52 Certificate Authorities, macOS (and therefore Safari) recognized 60 CAs, and Microsoft Windows (and therefore Chromium-based Edge) 101 CAs.
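The certificate check described above only protects you if the client is actually configured to perform it, and the root store it consults is what the CA counts above measure. The example below is added here and is not from the original post: it audits a Python ssl.SSLContext for the settings that silently switch verification off, shows a correctly configured context beside the weakened pattern, and reports how many CA roots this client trusts.

```python
import ssl

def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return the settings that would let this client accept a server whose
    certificate does not prove it is the site the user asked for."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain not verified against trusted CAs (verify_mode)")
    if not ctx.check_hostname:
        findings.append("certificate not matched to the requested hostname (check_hostname)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("obsolete TLS 1.0/1.1 still negotiable (minimum_version)")
    return findings

def trusted_root_count(ctx: ssl.SSLContext) -> int:
    """How many CA certificates this process trusts: the client-side counterpart
    of the browser root-store sizes quoted above. Caveat: OpenSSL only reports
    certificates from a capath directory once they have been used, so the
    count can under-report on some systems."""
    return len(ctx.get_ca_certs())

def hardened_context() -> ssl.SSLContext:
    # create_default_context() loads the platform trust store and turns on both
    # chain and hostname verification; the TLS floor is pinned explicitly here.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def weakened_context() -> ssl.SSLContext:
    # The "make the certificate error go away" pattern seen in app code: it removes
    # exactly the check that stops a man-in-the-middle presenting its own key.
    # check_hostname must be cleared before verify_mode can be set to CERT_NONE.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
```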

Learn more about TLS encryption

Is HTTPS secure?

Yes. HTTPS secures every one of the millions of financial transactions that occur every minute around the world. If HTTPS weren’t secure, there would be a global meltdown. 

This isn’t to say there are no issues with the standard. CAs can be (and have been) pressured by governments to issue HTTPS certificates to dubious websites, or can be compromised by criminals who then issue fraudulent certificates.

Research has also suggested that in a highly targeted attack, it might be possible to use HTTPS traffic analysis to uncover the individual web pages a target visits on HTTPS-secured websites.

Since the encryption used is negotiated between the browser and the server, it’s also important that both of these are running up-to-date software.

These are issues we may discuss in more detail in a future episode of Privacy Decrypted. The bottom line, however, is that the world relies on HTTPS to keep us safe online, and it does a very good job of it.

It is worth bearing in mind, though, that security is not the same as privacy. If you wish to keep your metadata (which can reveal a huge amount about you) private then you should protect it using a VPN when you surf the web. 



Douglas Crawford

Starting with ProPrivacy and now Proton, Douglas has worked for many years as a technology writer. During this time, he has established himself as a thought leader specializing in online privacy. He has been quoted by the BBC News, national newspapers such as The Independent, The Telegraph, and The Daily Mail, and by international technology publications such as Ars Technica, CNET, and LinuxInsider. Douglas was invited by the EFF to help host a livestream session in support of net neutrality. At Proton, Douglas continues to explore his passion for privacy and all things VPN.
