How web requests travel, and why encryption matters.
If you are new here: HTTP is the language browsers and APIs use (GET, POST, headers, bodies). HTTPS is the same language, but the bytes are wrapped in TLS so observers on the network cannot read or tamper with them. The URL http:// is plaintext; https:// is encrypted.
| HTTP | HTTPS | |
|---|---|---|
| Wire | Readable text and bytes | Encrypted records (TLS) |
| Port (convention) | 80 | 443 |
| Trust | None — any proxy can change the body | Server proves identity with a certificate |
You ship a login form. On your laptop everything looks fine — the browser shows a little “Not secure” chip, but the page loads. Then a teammate opens DevTools on café Wi‑Fi and copies the password straight off the wire. Nothing was “hacked” in the database; the transport was simply readable.
HTTP carries bytes in the clear. HTTPS is HTTP inside TLS — same verbs, same headers, but ciphertext on the untrusted path.
In plain terms: HTTPS wraps your HTTP in encryption + identity checks so coffee-shop Wi‑Fi is not a live transcript of passwords and tokens.
Analogy: HTTP is a postcard; HTTPS is a locked envelope with a stamp that proves who sent it (certificate).
What actually crosses the wire (HTTP): Anyone on the path can see something shaped like:
POST /login HTTP/1.1
Host: shop.example.com
Content-Type: application/x-www-form-urlencoded
username=alex&password=SuperSecret123With HTTPS, that same application data is inside TLS records — packet captures show length and timing, not the password.
Anyone who can observe traffic between the user and your origin — a rogue AP, a tapped switch, malware on the LAN — sees the same request your server would have parsed. Forward secrecy and encryption are not paranoia; they are the minimum bar for credentials and tokens.
Practical takeaway: Treat any token, cookie, or API key like a password. If it travels over HTTP, assume it is compromised.
Attackers do not need to break your app to win here. They can read bearer tokens, session cookies, form bodies, and API keys from the network path. They can also modify plaintext responses, injecting JavaScript or changing download links before the browser sees them.
The upgrade begins with a ClientHello: supported TLS versions, cipher suites, and random material. No application data yet — just negotiation so both sides speak a common dialect.
Browsers and curl initiate this automatically when you use https://.
In plain terms: the client starts by saying, “Here are the secure protocols and algorithms I understand.” The server picks a compatible set. This is why old clients can fail against modern TLS settings and why servers disable obsolete versions over time.
The ClientHello may also include SNI, the hostname the client wants. That lets one IP serve different certificates for different domains.
The server answers with its certificate chain so the client can prove the hostname matches before trusting the tunnel. If verification fails, the browser stops — it does not quietly continue.
Inspecting a live chain (read-only):
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -datesYou should see the subject matching the site, an issuer (intermediate CA), and notBefore / notAfter dates.
Certificate validation prevents a nearby network device from pretending to be bank.example.com. The browser checks hostname, expiry, issuer chain, and trust roots before sending sensitive HTTP data into the tunnel.
Modern handshakes use ephemeral key agreement (often ECDHE) so each session gets fresh keys. Bulk encryption uses fast symmetric ciphers; public-key math bootstraps the session, not every packet.
This split matters for performance. The expensive asymmetric work happens during setup; the long stream of HTTP bytes uses efficient symmetric encryption. That is why connection reuse and HTTP/2 can make HTTPS cheap in practice.
It also gives each connection fresh secrets. Compromising one session key should not unlock every past or future session.
After the handshake, TLS records wrap your HTTP. Same GET and JSON — different bytes on the wire. Middleboxes still see packet sizes and timing, but not your secrets.
See TLS + HTTP with curl:
curl -v https://api.example.com/v1/health 2>&1 | head -40Look for * TLSv1.3, * Server certificate:, then > GET /v1/health — the HTTP request happens after the tunnel exists.
Proxies and routers still see metadata: source/destination IPs, port 443, packet sizes, timing, and often the hostname via SNI unless encrypted client hello is used. HTTPS hides contents, not the fact that communication occurred.
An on-path observer still forwards packets, but without session keys the payload stays opaque. That is the practical difference users and auditors care about.
Tiny example: a packet capture of HTTP can show Authorization: Bearer .... A packet capture of HTTPS shows encrypted application data records. The observer may know you contacted api.example.com, but not which endpoint or token you sent.
That opacity is why HTTPS protects both privacy and integrity. Observers cannot read the payload, and they also cannot alter it without detection.
Browsers ship root CAs; intermediate certificates bridge your domain leaf to a trusted root. Renewal, revocation (OCSP / stapling), and short-lived certs are operational work — but they replace “anyone can read the password.”
| Piece | Role |
|---|---|
| Leaf cert | Bound to your hostname(s) |
| Intermediate | Links leaf to a root the OS trusts |
| Root CA | Embedded in OS/browser trust store |
The trust model is operational, not purely mathematical. You must renew certificates before expiry, serve the correct intermediate chain, and monitor certificate transparency logs or managed-provider alerts for surprises.
TLS adds handshake latency (often 1–2 RTTs on first connect; TLS 1.3 and session resumption help) and CPU on the server — usually negligible compared to business logic. Misconfigured or expired certs break sites loudly — which is preferable to silent interception.
| Cost | Mitigation |
|---|---|
| Handshake RTT | HTTP/2, connection reuse, TLS 1.3, edge termination |
| Certificate ops | Managed certs (Let’s Encrypt, cloud/CDN automation), monitoring expiry |
| Debugging | curl -v, browser Security panel, server logs for handshake failures |
If you own an origin on the internet, HTTPS everywhere is table stakes — not only for secrecy but for integrity (proxies cannot silently patch responses). Start with managed certificates from your cloud or CDN, automate renewal, and treat HTTP-only URLs as a bug.
Over plain HTTP the request and response bodies are readable bytes on the wire — fine on a trusted lab network, dangerous on shared Wi‑Fi.