Why HTTPS?

Chapter 1
Why HTTPS? HTTP's Problems
What plain HTTP exposes, and the three guarantees HTTPS adds

Before learning how HTTPS works, it's worth being precise about what problem it solves. HTTPS is just HTTP carried over TLS (Transport Layer Security) — the application protocol is unchanged; what changes is that everything travels through an encrypted, authenticated channel instead of as open text. This chapter sets up the threat model the rest of the course answers.

Plain HTTP Travels in the Clear

An HTTP request is plain text sent over TCP. Every device between your computer and the server — your router, your ISP, every network hop, the coffee-shop Wi-Fi access point — handles those bytes, and with plain HTTP they can read every one of them. A login request looks literally like this on the wire:

POST /login HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded username=philip&password=hunter2

There is no encryption, no signature, no proof of who sent it or who received it. Anyone positioned on the path sees the URL, the headers, the cookies, and the body — including that password in the clear. This is the default behaviour of HTTP, and it is the baseline HTTPS exists to fix.

"It's only a small site, who would bother?"
The risk isn't a targeted hacker picking your site — it's automated, passive collection. Open Wi-Fi networks, compromised routers, and ISP-level logging capture traffic in bulk. And it's not only passwords: session cookies sent in the clear can be copied and replayed to hijack a logged-in session without ever needing the password. Plain HTTP exposes everything in the conversation, not just the obviously sensitive fields.

Three Things Can Go Wrong

The weaknesses of plain HTTP fall into three distinct categories. Keeping them separate matters, because HTTPS addresses each one with a different mechanism (which later chapters cover):

ThreatWhat the attacker doesExample
EavesdroppingPassively reads traffic as it passesCapturing a password or cookie on open Wi-Fi
TamperingActively modifies traffic in transitInjecting ads/malware into a page; altering a bank transfer amount
ImpersonationPretends to be the server (or client)A fake "example.com" capturing your credentials

When all three are combined by an attacker sitting between the two parties — reading, modifying, and impersonating at once — it's called a man-in-the-middle (MITM) attack. The MITM is the central adversary the whole TLS design is built to defeat.

The Three Guarantees HTTPS Provides

Each threat is answered by a corresponding guarantee. These three words are the spine of the entire course — every mechanism you'll learn exists to deliver one of them:

\U0001F512
Confidentiality
Traffic is encrypted, so an eavesdropper sees only scrambled bytes — defeats eavesdropping.
\U0001F9FE
Integrity
Each message carries a check that detects any modification in transit — defeats tampering.
\U0001FAAA
Authentication
A certificate proves the server really is who it claims — defeats impersonation.

Notice the mapping is one-to-one: confidentiality ↔ eavesdropping, integrity ↔ tampering, authentication ↔ impersonation. A common beginner mistake is to think "HTTPS = encryption" and stop there — but encryption alone (confidentiality) would still let you have a perfectly private conversation with an impostor. Authentication is what makes the encryption meaningful, by guaranteeing who you've established the private channel with.

HTTPS, TLS, SSL — the terminology
SSL (Secure Sockets Layer) was the original 1990s protocol; it's obsolete and insecure, but the name stuck culturally — people still say "SSL certificate." TLS (Transport Layer Security) is its modern successor (the current versions are TLS 1.2 and 1.3) and what's actually used today. HTTPS is simply "HTTP over TLS." So when someone says SSL, they almost always mean TLS — the course uses the accurate term TLS throughout.

What HTTPS Does and Doesn't Protect

A precise mental model also means knowing the limits. HTTPS protects data in transit between the two endpoints — and only that:

  • Protected: the request/response bodies, headers, cookies, and the specific path & query string — all unreadable and unmodifiable to anyone on the network path.
  • Still visible to the network: the domain name you're connecting to (via DNS and the TLS handshake's SNI field) and the rough size/timing of traffic. Observers know you visited example.com, just not what you did there.
  • Not HTTPS's job at all: security at the endpoints — a hacked server, malware on your machine, a phishing site with its own valid certificate, or a weak password. HTTPS secures the pipe, not what's at either end of it.
A padlock means "private channel," not "trustworthy site"
The browser padlock confirms the connection is encrypted and the certificate is valid for that domain — nothing more. A phishing site at examp1e.com can obtain a perfectly legitimate certificate and show a padlock. HTTPS guarantees you're talking privately to whoever owns that exact domain; it does not guarantee that owner is honest. Don't read the padlock as a safety endorsement of the site's content.

The Cost Is Now Negligible

Historically HTTPS was seen as slow and expensive (CPU cost, paid certificates), which is why plain HTTP lingered. That's no longer true: modern CPUs handle TLS with minimal overhead, TLS 1.3 cut the handshake cost dramatically (Chapter 7), and certificates are now free and automatable via Let's Encrypt (Chapter 9). Today HTTPS is the default expectation — browsers mark plain HTTP pages as "Not Secure," and many web features (HTTP/2, service workers, geolocation) simply refuse to run without it. There's no longer a real argument for plaintext HTTP on the public web.

Hands-On Exercises

Exercise 1

Using curl's verbose mode, compare a plain HTTP request and an HTTPS request to the same kind of endpoint, and identify in the output where TLS is negotiated for the HTTPS one. (Hint: curl -v http://example.com vs curl -v https://example.com.)

📄 View solution
Exercise 2

Open your browser's DevTools Network tab, load any HTTPS site, click a request, and locate (a) the protocol/security info confirming the connection is encrypted and (b) the request headers — noting that you can read them locally even though the network cannot. Then map what you see to the three guarantees.

📄 View solution
Exercise 3

For each of these scenarios, name which of the three guarantees (confidentiality / integrity / authentication) is the one being violated: (a) an ISP injects an ad banner into a web page; (b) someone on your Wi-Fi reads your session cookie; (c) you connect to a rogue access point posing as your bank's site. Write a one-line justification for each.

📄 View solution

Chapter 1 Quick Reference

  • HTTPS = HTTP over TLS — same HTTP, carried through an encrypted & authenticated channel
  • Plain HTTP is plaintext: every hop can read URLs, headers, cookies, and bodies
  • Three threats: eavesdropping (read), tampering (modify), impersonation (pretend to be the server)
  • A man-in-the-middle (MITM) combines all three — the core adversary TLS defeats
  • Three guarantees: confidentiality (encryption), integrity (tamper-detection), authentication (certificates)
  • HTTPS ≠ "encryption only" — without authentication you'd just have a private chat with an impostor
  • SSL is the obsolete ancestor of TLS; "SSL certificate" colloquially means a TLS certificate
  • Protects data in transit, not the endpoints; the padlock means "private," not "trustworthy"
  • Next chapter: the cryptographic building blocks — symmetric vs asymmetric encryption, hashing, MACs