Encryption > Glossary > HTTPS

What is HTTPS and how does it keep you safe?

HTTPS protects your connection to websites by encrypting your data, verifying the page you’re visiting, and helping keep sensitive activity secure online. But HTTPS alone does not fully protect your privacy.

Here's what you should know about how HTTPS works, what sets it apart from HTTP, and what its limitations are.

What is HTTPS?HTTP vs. HTTPS How does HTTPS work?How to tell if a website uses HTTPS Is HTTPS secure?How to stay safe

What is HTTPS?

HTTPS (Hypertext Transfer Protocol Secure) is the secure version of HTTP (Hypertext Transfer Protocol), the protocol that powers the World Wide Web (WWW). The World Wide Web, HTTP, HTML, and the URL system were invented by Sir Tim Berners-Lee, who is now a member of the Proton Foundation's advisory board.

This protocol protects the connection between your application (such as browser) and the website (web server) you are trying to reach by encrypting data in transit. Sensitive information such as passwords, payment details, and personal data remain safe from interception this way.

Today, HTTPS is essential to modern internet security and is used not only for websites in your browser, but also by mobile apps and online services to secure communication behind the scenes.

HTTP vs. HTTPS: What's the difference?

The difference between HTTP and HTTPS comes down to security:

With HTTP, the information sent between your device and a website is not encrypted. Your internet service provider (ISP)(nova janela) may be able to see what you do online, including which individual pages you visit and any data you input, such as credit card details when making a payment. That data can also be intercepted by criminal hackers, government agencies, or anyone who cares to look.
With HTTPS, that connection is encrypted, helping protect your activity from third-party interception and reducing the risk of tampering. HTTPS also helps confirm that you are connecting to the legitimate website you intended to visit. However, while HTTPS secures the connection itself, it does not make your browsing fully private. Website owners can still see what you do on their site, and your ISP can still see which websites you visit.

How does HTTPS work?

HTTPS secures the connection between your browser or app and a website using TLS. When you connect to a secure website, your browser and the web server first negotiate how to establish a protected session. As part of this process, the website presents a TLS certificate, a small data file that binds the website’s public cryptographic key to its identity.

These TLS certificates are issued by Certificate Authorities (CAs), which are trusted organizations responsible for validating the identity of the website owner. Using the X.509 Public Key Infrastructure (PKI), your browser checks that the certificate is valid and that you are connecting to the real website rather than an impostor.

Once that identity is verified, the browser and server establish an encrypted session, allowing information to travel securely and without being altered in transit.

How to tell if a website uses HTTPS

All browsers will warn you if the website you're visiting isn't protected by HTTPS.

To check manually if a connection is protected by HTTPS, click or tap inside the address bar (once on Firefox, twice on Chrome) to see the full web address — it should start with https://, not http://.

Is HTTPS secure?

Yes. HTTPS secures the millions of financial transactions, logins, and other sensitive interactions that take place online every day. While no security system is flawless, HTTPS is a core part of how the modern internet stays safe. That said, there are still some limitations:

Certificate risks

Certificate Authorities can be pressured by governments(nova janela) to issue certificates to questionable websites or compromised by attackers issuing fake certificates.

Traffic analysis

Research suggests that, in highly targeted attacks, traffic analysis(nova janela) may reveal which pages a person visits on an HTTPS-protected website.

Software updates

Because HTTPS security depends on the software used by both the client and the server, it is important to keep browsers, apps, and systems up to date.

How to stay safe online beyond HTTPS

HTTPS protects your data in transit, but it does not tell you keep you completely safe on the internet. Here's what else you can do to protect your privacy and security:

Use a password manager

Create a unique password for every account. Reused passwords are one of the biggest real-world risks because one breach can unlock many accounts.

Turn on 2FA everywhere

Enable two-factor authentication (2FA) on all your accounts and prefer an authenticator app or hardware security key over SMS when possible.

Secure your email first

Your email is often the reset key for everything else. Give it a unique password and strong 2FA.

Be skeptical of links and urgency

Most attacks succeed by tricking people into clicking phishing links. Be careful with messages that push you to act fast, log in, download something, or open attachments.

Check the whole website

A phishing website can still use HTTPS. Look closely at the domain name, login flow, spelling, and whether the request makes sense.

Keep software updated

Your browser, phone, operating system, apps, and router all need updates, as many attacks rely on old known flaws.

Limit what you install

Only install apps, browser extensions, and software you truly need. Extra extensions and random downloads increase risk a lot.

Use device security

Keep screen lock on, enable full-disk encryption, and turn on “find my device” features to stay safe in case your laptop or mobile gets stolen.

Watch your privacy settings

Reduce how much personal info you expose publicly. Attackers use public details for scams, impersonation, and password reset clues.

Use safer networks wisely

Public WiFi is safer(nova janela) when websites use HTTPS, but you should avoid sensitive activity on suspicious networks, disable auto-join, and keep sharing features off.

Back up important data

Ransomware, theft, and account lockouts are survivable if you have good backups.

Use a VPN for more privacy

A VPN (virtual private network)(nova janela) hides your IP address(nova janela) and encrypts your traffic, keeping your internet activity safe from ISPs, advertisers, surveillance, and hackers.

Proton and HTTPS

Whenever you sign in to a Proton app, load your inbox, sync your calendar, access files, use account settings, or securely connect to the internet via VPN, HTTPS encrypts the connection between your device and our servers.

But HTTPS only protects data while it is moving. Stronger protections, such as end-to-end encryption and zero-access encryption are needed for truly private content.

Start using Proton encryption today

Frequently asked questions

What does HTTPS mean?: HTTPS in an acronym for Hypertext Transfer Protocol Secure, because its the the secure version of HTTP. It's the encryption protocol that secures the web, ensuring only you and the website or app owner know what you you do on that website or app.
Does HTTPS protect my identity or location?: No. While HTTPS hides the content of your traffic, it doesn't hide metadata such as the website you visit, the IP address of the server, and timing information. For this, you need an additional privacy layer (like a VPN).
Why do I still need a VPN if a site uses HTTPS?: A VPN encrypts all network traffic from your device and routes it through a VPN server you control. This hides your real IP address and prevents anyone (including your ISP) from seeing which sites you visit. It also hides your real IP address from websites you visit. HTTPS secures the connection to each site; a VPN secures the path to those sites.
Is HTTPS enough for online banking or shopping?: HTTPS is basic requirement for any site that handles sensitive data—it protects the transmission of your credentials and payment details. However, you should still use strong, unique passwords (or a password manager such Proton Pass) with two-factor authentication to secure your online accounts.
What is DNS over HTTPS?: DNS over HTTPS (DoH) is a way of looking up website addresses that sends DNS requests through an encrypted HTTPS connection instead of sending them in plain text. This helps prevent other people on the network (such as WiFi operators, internet providers, or attackers) from easily seeing or modifying the domain names you are trying to reach.
DoH can improve privacy and security, but it also shifts trust toward the DoH provider handling those requests and can sometimes interfere with network-level filtering or parental controls.