Why HTTPS Is Non-Negotiable Today

HTTPS is the secure version of HTTP — the protocol that transfers data between your browser and a web server. It wraps HTTP traffic in TLS (Transport Layer Security), the cryptographic protocol that provides confidentiality, integrity, and authentication. Without it, every request and response you send over a network is readable by anyone with access to the traffic — ISPs, Wi-Fi operators, or malicious actors on the same network.

Beyond security, HTTPS is now a practical requirement: browsers flag HTTP sites as "Not Secure," search engines use it as a ranking signal, and many modern browser features (service workers, geolocation, push notifications) are restricted to HTTPS origins.

The TLS Handshake, Step by Step

Before any encrypted data flows, the client (browser) and server perform a TLS handshake to agree on how they'll communicate securely. Here's what happens in plain terms:

  1. Client Hello — The browser sends the TLS versions it supports, a list of cipher suites (encryption algorithms), and a random number.
  2. Server Hello — The server picks a TLS version and cipher suite, sends its own random number, and presents its TLS certificate.
  3. Certificate Verification — The browser checks the certificate against trusted Certificate Authorities (CAs), verifies the domain name matches, and confirms the certificate hasn't expired or been revoked.
  4. Key Exchange — Using asymmetric cryptography (typically via ECDH), both sides derive a shared session key without ever transmitting it directly over the wire.
  5. Finished — Both sides confirm the handshake succeeded. All subsequent communication is encrypted with the symmetric session key.

The entire handshake typically takes one additional round trip and adds only milliseconds of latency — a small price for the security it provides.

What a TLS Certificate Actually Contains

A TLS certificate is a digitally signed document that binds a public key to a domain name (and optionally an organization). Key fields include:

  • Subject — The domain name(s) the certificate is valid for, including wildcard entries like *.example.com.
  • Issuer — The Certificate Authority that signed the certificate.
  • Validity period — Not Before and Not After dates. Modern certificates are typically valid for 90 days to 1 year.
  • Public key — Used during the key exchange phase of the handshake.
  • Signature — The CA's cryptographic signature, which proves authenticity.

Certificate Types Compared

  Type                          Validates                          Use Case
  DV (Domain Validated)         Domain ownership only              Most websites, blogs, apps
  OV (Organization Validated)   Domain + organization identity     Business sites
  EV (Extended Validation)      Full legal entity vetting          Financial institutions, e-commerce
  Wildcard                      Domain + all subdomains            Multi-subdomain deployments

TLS 1.2 vs. TLS 1.3

TLS 1.3 (finalized in 2018) is the current recommended standard. Compared to TLS 1.2, it offers:

  • Faster handshakes — Reduced to 1 round trip (0-RTT resumption is also possible).
  • Stronger security — Removed legacy, weak cipher suites and algorithms.
  • Forward secrecy by default — Compromising a private key doesn't expose past sessions.

If your server still supports TLS 1.0 or 1.1, disable them — both are deprecated and have known vulnerabilities.
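The handshake steps, the certificate fields and the version policy described above, shown end to end in one added Go example (it is not code from the original article and uses only the Go standard library). The names example.test and *.example.test, the organization string and the validity dates are constructed for the demo, and the certificate is self-signed rather than CA-issued, so the client is told to trust that one certificate directly. The client and server run in the same process over an in-memory pipe: a hostname covered by the wildcard is accepted, a name two labels deep or an unrelated name is rejected at the verification step, and a server whose minimum is TLS 1.3 turns away a client that offers at most TLS 1.2.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed names for the demo; nothing here resolves on the real internet.
var demoNames = []string{"example.test", "*.example.test"}

// selfSignedCert issues an in-memory certificate for names, valid between notBefore and
// notAfter. It is self-signed (Subject == Issuer); a real site gets this signature from a CA.
func selfSignedCert(names []string, notBefore, notAfter time.Time) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: names[0], Organization: []string{"Example Org (constructed)"}},
		DNSNames:              names, // Subject Alternative Names; wildcard entries live here
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// CertSummary collects the certificate fields the article lists.
type CertSummary struct {
	Subject, Issuer, PublicKeyAlg, SignatureAlg string // Subject == Issuer for self-signed
	DNSNames                                   []string
	NotBefore, NotAfter                        time.Time
}

func summarize(c *x509.Certificate) CertSummary {
	return CertSummary{
		Subject: c.Subject.CommonName, Issuer: c.Issuer.CommonName,
		PublicKeyAlg: c.PublicKeyAlgorithm.String(), SignatureAlg: c.SignatureAlgorithm.String(),
		DNSNames: c.DNSNames, NotBefore: c.NotBefore, NotAfter: c.NotAfter,
	}
}

// handshake runs a TLS server and client in-process over an in-memory pipe. The client trusts
// only cert, verifies it against serverName and offers at most clientMax; the server refuses
// anything below serverMin. It returns the negotiated version and cipher suite, or the error.
func handshake(cert tls.Certificate, serverName string, clientMax, serverMin uint16) (uint16, string, error) {
	srvSide, cliSide := net.Pipe()
	server := tls.Server(srvSide, &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             serverMin, // tls.VersionTLS12 here turns away TLS 1.0/1.1 clients
		SessionTicketsDisabled: true,      // keeps the exchange to the five steps in the article
	})
	go func() { server.Handshake(); srvSide.Close() }() // server errors surface as client alerts

	roots := x509.NewCertPool()
	roots.AddCert(cert.Leaf) // step 3: the only trust anchor this client accepts
	client := tls.Client(cliSide, &tls.Config{
		RootCAs:    roots,
		ServerName: serverName, // step 3: must match a Subject Alternative Name
		MaxVersion: clientMax,
	})
	defer cliSide.Close() // no application data is exchanged, so just drop the pipe
	if err := client.Handshake(); err != nil { // steps 1-5
		return 0, "", err
	}
	cs := client.ConnectionState()
	return cs.Version, tls.CipherSuiteName(cs.CipherSuite), nil
}

func main() {
	now := time.Now()
	cert, err := selfSignedCert(demoNames, now.Add(-time.Hour), now.Add(90*24*time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", summarize(cert.Leaf))
	for _, name := range []string{"app.example.test", "deep.app.example.test", "other.test"} {
		v, suite, err := handshake(cert, name, tls.VersionTLS13, tls.VersionTLS12)
		fmt.Printf("%-22s version=%#x suite=%s err=%v\n", name, v, suite, err)
	}
	_, _, err = handshake(cert, "example.test", tls.VersionTLS12, tls.VersionTLS13)
	fmt.Println("TLS 1.2 client vs TLS 1.3-only server:", err)
}
```

Run it with `go run` and read the `err=` column: only the wildcard match completes, at TLS 1.3 (version 0x304), and the last line is the server's protocol-version alert. Swap the server's `MinVersion` to `tls.VersionTLS13` in a real deployment only once you know no legacy client needs 1.2.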

Getting HTTPS for Free

Let's Encrypt is a free, automated Certificate Authority backed by major tech organizations. It issues DV certificates valid for 90 days and provides the ACME protocol for automated renewal. Most modern hosting platforms and server tools (Caddy, Certbot, Traefik) integrate Let's Encrypt natively, making HTTPS a zero-cost default for any project.