eastbaycyber

HTTPS: Definition, How It Works, and Where You’ll See It

Glossary 7 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-16
Definition

HTTPS (Hypertext Transfer Protocol Secure) is HTTP delivered over TLS (Transport Layer Security) to provide:

HTTPS is the secure version of HTTP: it uses TLS to encrypt web traffic, authenticate servers with certificates, and protect data integrity in transit. If you manage websites, APIs, reverse proxies, or SaaS access, HTTPS is a daily operational dependency—certificate expiry, weak TLS settings, and mixed content can quickly become outages or security incidents.

How HTTPS works

HTTPS isn’t a different application protocol from HTTP; it’s HTTP running inside a secure TLS session. Before any sensitive HTTP data is exchanged, the client and server establish cryptographic keys and agree on secure parameters.

1) Connection setup: TCP (or QUIC) first

Traditionally, HTTPS runs over TCP port 443:

  • Client opens a TCP connection to example.com:443
  • TLS handshake occurs
  • HTTP requests/responses flow inside that encrypted channel (HTTP/1.1 or HTTP/2)

Newer deployments may use HTTP/3, which runs over QUIC (UDP) but still uses TLS 1.3 concepts for encryption and authentication.

2) TLS handshake: agreeing on security

During the TLS handshake, the client and server:

  • Negotiate a TLS version (ideally TLS 1.2 or TLS 1.3; 1.3 is preferred)
  • Choose cipher suites (algorithms for key exchange, encryption, and integrity)
  • Validate the server’s certificate (and optionally the client’s)

At a high level:

  1. ClientHello: client offers supported TLS versions, cipher suites, and extensions like SNI (Server Name Indication) and ALPN (Application-Layer Protocol Negotiation).
  2. ServerHello: server selects parameters and sends its certificate chain (leaf cert + intermediates).
  3. Certificate validation: client verifies: - The certificate is issued for the hostname (CN/SAN match) - It chains to a trusted CA root - It is not expired - It hasn’t been revoked (depending on client behavior and revocation method)
  4. Key agreement: both sides derive symmetric session keys (modern deployments rely on ephemeral key exchange such as ECDHE for forward secrecy).
  5. Handshake completes: encrypted application data can now be exchanged.

3) Encrypted HTTP: protecting data and sessions

After handshake completion:

  • HTTP headers and body are encrypted (including cookies and Authorization headers).
  • Attackers on the network can’t read the content or modify it without detection.
  • Session cookies are far safer from passive interception (though not immune to endpoint compromise, XSS, or misconfiguration).

4) Certificates and trust: why the browser believes the site

Certificates bind a public key to an identity (e.g., a domain name). They’re issued by Certificate Authorities (CAs) under the public Web PKI. Browsers/OSes ship with a trust store of CA roots; if a server presents a valid chain to a trusted root, the site is considered authenticated.

Key operational points:

  • DV/OV/EV: Validation levels affect how identity is verified, not the cryptographic strength of TLS itself.
  • SNI: Lets one IP host many HTTPS sites by indicating the hostname during the handshake.
  • ALPN: Negotiates HTTP/2 (h2) vs HTTP/1.1.

5) Redirects, HSTS, and “HTTPS everywhere”

Many sites enforce HTTPS via:

  • HTTP → HTTPS redirects (301/302 from port 80 to 443)
  • HSTS (HTTP Strict Transport Security), an HTTP response header that tells browsers to always use HTTPS for a domain for a defined period, preventing downgrade attacks.

Where you’ll encounter HTTPS

HTTPS shows up almost anywhere web traffic exists—often invisibly until something breaks. Below are common, practitioner-relevant touchpoints.

Browsing and web applications

  • Logging into SaaS tools (email, HR systems, finance portals)
  • Submitting forms with PII (customer data, addresses, payments)
  • Accessing admin portals (routers, firewalls, NAS, virtualization consoles)

Operational “gotchas”:

  • Browser warnings like NET::ERR_CERT_DATE_INVALID often indicate certificate expiry.
  • “Not secure” labels can appear for mixed content (an HTTPS page loading HTTP assets).

APIs and service-to-service traffic

  • Internal APIs behind a gateway or reverse proxy (Nginx, HAProxy, Envoy, cloud load balancers)
  • Public APIs where clients expect strong TLS settings
  • Webhooks (incoming HTTPS endpoints) where cert trust and TLS versions matter

Security implications:

  • API keys and bearer tokens must be protected in transit; HTTPS is non-negotiable.
  • Misconfigured TLS (weak ciphers, old versions) can violate compliance and increase risk.

Reverse proxies, load balancers, and TLS termination

Many environments terminate TLS at the edge:

  • CDN/WAF terminates TLS and forwards traffic to origin
  • Cloud load balancer terminates TLS and sends HTTP to internal services
  • Reverse proxy terminates TLS and routes to multiple backends

This is convenient, but it creates decisions you must explicitly manage:

  • Is traffic re-encrypted from the edge to the backend (TLS-to-origin), or sent in cleartext on internal networks?
  • Are you doing end-to-end TLS for compliance or threat-model reasons?
  • Are logs and telemetry capturing SNI, cipher suites, and handshake failures for troubleshooting?

Enterprise controls: inspection and “break-and-inspect”

Some organizations deploy TLS interception (proxying HTTPS) for security monitoring:

  • A corporate proxy presents its own certificate to clients (trusted via enterprise root CA)
  • It decrypts and inspects traffic, then re-encrypts it to the destination

This can be legitimate for policy enforcement, but it introduces:

  • Privacy and compliance considerations
  • Compatibility issues with certificate pinning and some applications
  • A critical dependency on protecting the enterprise CA private key

Troubleshooting and incident response

You’ll notice HTTPS when:

  • A certificate expires and causes outages
  • A CA changes intermediate certs and your server chain is incomplete
  • Clients fail due to TLS version mismatch (e.g., legacy clients vs TLS 1.2+ enforcement)
  • An attacker attempts downgrade or MITM—HSTS and proper validation help prevent this

If your troubleshooting is part of a broader security response, it can help to connect HTTPS failures with detection signals like an indicator of compromise (IOC)—see our glossary entry: What is an IOC?

Technical notes: quick checks you can run

Check the certificate and TLS handshake from a terminal

# Show certificate chain and handshake details (SNI matters)
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null

# Extract key certificate fields (validity, SANs, issuer)
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
  | openssl x509 -noout -subject -issuer -dates -ext subjectAltName

Look for:

  • notBefore / notAfter (expiry)
  • subjectAltName includes the hostname you’re using
  • A complete chain (missing intermediates commonly break older clients)

Verify protocol support and common misconfigurations

# Quick validation of HTTPS response and redirects
curl -I https://example.com

# See negotiated protocol and TLS details
curl -vI https://example.com 2>&1 | egrep -i 'SSL connection|ALPN|TLS|subject:|issuer:'

Red flags:

  • Redirect loops between HTTP and HTTPS
  • HSTS missing on sensitive sites (where appropriate)
  • Negotiation falling back to older protocols/ciphers

Common log patterns you’ll see

Server-side (varies by stack), handshake issues may show up as:

  • SSL handshake failed
  • unknown ca
  • certificate verify failed
  • bad key share (often client/server TLS 1.3 parameter mismatch)
  • tlsv1 alert protocol version (client too old, server too strict—or vice versa)

Best practices and practical security add-ons

Keep endpoint protection and credentials aligned with HTTPS

HTTPS protects data in transit, but it can’t help if an endpoint is already compromised or credentials are weak/reused. In small business and IT teams, pairing HTTPS hygiene with a strong password manager is an easy win. If you’re standardizing credential storage and passkeys, consider 1Password: Try 1Password →. You can also review our guide: Best password manager for small business (2026)

Use VPNs carefully (they complement HTTPS, not replace it)

A reputable VPN can reduce exposure on hostile networks (e.g., public Wi‑Fi) and add privacy from local network observers, but it does not replace HTTPS—your browser still relies on TLS certificate validation to authenticate sites. If a VPN is part of your travel or remote-work baseline, options like NordVPN Check NordVPN pricing → or Surfshark Try Proton VPN → are commonly used.

Related terms

HTTP

The underlying web protocol; without TLS, it’s plaintext and easily intercepted/modified on untrusted networks.

SSL

Deprecated secure transport protocols (SSLv2/SSLv3). Modern “SSL certificates” are actually TLS certificates.

X.509 Certificate

The standard format for public key certificates used by TLS on the web.

CA (Certificate Authority)

A trusted entity that issues certificates. Public CAs are trusted by default in browsers; private CAs are used internally.

HSTS

A header that forces browsers to use HTTPS and helps prevent downgrade attacks.

mTLS (Mutual TLS)

Both client and server authenticate with certificates; common in zero trust and service-to-service environments.

OCSP / CRL

Certificate revocation mechanisms (Online Certificate Status Protocol / Certificate Revocation Lists).

SNI

A TLS extension allowing the client to specify the hostname during handshake, enabling multi-site hosting on one IP.

ALPN

Negotiates application protocol (e.g., HTTP/2) during TLS handshake.

Last verified: 2026-05-16

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.