HTTPS – Meaning and Function

Data security and encryption are important issues in everything you do online. The HTTPS protocol is used for the secure communication between browser and server. We explain what the abbreviation means and how an HTTPS connection works.

HTTPS stands for HyperText Transfer Protocol Secure. The Secure is the crucial part. Compared to the previous transfer standard HTTP, the data is transferred securely and encrypted with HTTPS.

This encryption applies to all communication between a web browser (client) and a server. The aims of this communication are the correct display of web pages, the secure transfer of form data as well as a range of functions that are important while surfing.

Although HTTPS does not offer one hundred percent protection, the risk of cybercrime and data theft is considerably reduced.

How does HTTPS work?

The secure HTTP protocol HTTPS is based on the two pillars of encryption and authentication:

  1. Data is transmitted between server and client in encrypted form – multi-level and for each request or communication step.
  2. The server must prove with a certificate that it is indeed the server that the client has requested and on which the targeted website is located.

The encryption uses an end-to-end approach: Only the client and server have the key to the plain data. Intermediate stations do not have this key.

The basis is the encryption protocol SSL/TLS. SSL (Secure Sockets Layer) is the basic version, TLS (Transport Layer Security)is its developed version common nowadays.

SSL/TLS interposes itself between the general transfer protocol HTTP and the transfer protocol TCP, which determines the manner of transfer. Or, to put it very simply:


How does HTTPS encrypt the data transfer?

The HTTPS connection is based on a multi-level encryption tactic where you can’t see the lock for the keys. That is exactly the point. The security through an HTTPS port (TCP port 403) is carried out on several levels:

  1. Client and server greet each other: The request from the client to the server is called Client Hello. The answer is called Server Hello.
  2. With the server hello, the responder simultaneously sends its certificate and a public key for the shared session. (Server Key Exchange)
  3. If the client recognises the certificates as valid (validation), it generates a corresponding session key.
  4. The client uses the server’s public key to encrypt its session key. The result is then sent to the server (Client Key Exchange).
  5. The server in turn uses its private key to re-encrypt the key generated by the client and establish a “secret” session channel.

All further requests and responses between server and client are permanently secured, following a similar principle.

How secure is HTTPS?

HTTPS is indispensable for many client-server interactions – online shopping and online banking, for example. However, this does not mean that all web pages are encrypted according to this principle. And just because a server comes up with a certificate and key does not mean that the connection is really secure.

For this, the client (the browser, for example) must be able to reliably check whether the server certificate is (still) valid. This validation takes place via OCSP (Online Certificate Status Protocol) at the responsible certification authority.

However, many browsers lag behind with OCSP. After a while, without a response from the certification authority, the certificate is also accepted unchecked. On the other hand, third parties can also hack into the encryption or find out the key code.

HTTPS, however, makes it difficult for them and the process also much more time-consuming. This at least reduces the likelihood of pages being attacked, wherein the ratio of benefit and effort becomes too great from a hacker’s point of view with HTTPS.


Even if there is no all-round solution for secure data transmission on the Internet, the HTTPS protocol, however, comes very close to it according to today’s standards.

As a result, the “HTTPS” at the beginning of a URL is increasingly becoming an exclusion criterion for whether a user wants to visit a certain website or not. Therefore, website providers need to upgrade this as soon as possible if they want to remain relevant and clickable.

Steve Paine