HTTPS, SSL/TLS and certificates
This page needs a recent browser (with SharedArrayBuffer support). Please update Chrome, Edge, Firefox or Safari to the latest version.
The padlock in your browser
- When you see HTTPS and a padlock, your connection to the website is encrypted.
- The "S" stands for Secure. It uses a protocol called TLS (the modern version of SSL).
How the secure connection is set up
- TLS cleverly combines both kinds of encryption you have learned:
- It uses asymmetric encryption to safely agree on a shared secret key.
- Then it switches to fast symmetric encryption for the rest of the conversation.
- This "handshake" happens in a fraction of a second, before any page loads.
How do you know the site is real?
- Encryption is useless if you are talking to an impostor. That is what digital certificates solve.
- A website's certificate is issued by a trusted Certificate Authority (CA) and signed with the CA's key.
- Your browser checks the signature. If it is valid, you know the site is who it claims to be.
Putting it together
- Certificate → proves who the site is. TLS → keeps the conversation secret.
- That tiny padlock means: encrypted, and verified. No padlock on a login page? Walk away.
Covers: IGCSE 5.3 (SSL), A-Level 17.1 (SSL/TLS, digital certificates).