How does HTTPS work, and why is the padlock icon important?

The small padlock icon in your browser’s address bar isn’t just for decoration. Behind it lies an encryption system that protects your data during transmission. However, you need to know what the icon does and doesn’t mean.

HTTP vs. HTTPS - what’s the difference?

HTTP (HyperText Transfer Protocol) is the web’s basic protocol. This is how your browser communicates with the server when you open a page. Every request and response travels across the network as plain text, without encryption. This means that if someone is monitoring the network, for example, on a public Wi-Fi network, they can see exactly what you sent and what you received. Passwords, forms, everything.

HTTPS is the same, but with encryption added. The “S” stands for Secure. The connection is encrypted, so anyone monitoring the network only sees an unreadable stream of data that is useless to them in this form.

How does encryption work?

HTTPS uses the SSL/TLS protocol. The connection is established roughly as follows:

  1. The browser connects to the server and requests the certificate
  2. The certificate, which is signed by a trusted certificate authority (CA), verifies that the server is indeed who it claims to be
  3. The browser and the server agree on an encryption key
  4. From this point on, communication is encrypted

The certificate includes the domain name, the issuer, and the validity period. If the certificate has expired, is invalid, or is forged, the browser will warn you.
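The certificate checks described above, as an added example (not code from the original article): it runs over certificate fields in the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns, using constructed certificates for the reserved names `shop.example` and `sh0p.example`. It assumes the CA signature chain has already been verified and uses simplified hostname matching.

```python
import ssl
from datetime import datetime, timezone

# Constructed certificates in the dict shape ssl.SSLSocket.getpeercert() returns.
# The names use the reserved .example TLD; nothing here is a real certificate.
def sample_cert(*names):
    return {
        "subjectAltName": tuple(("DNS", n) for n in names),
        "notBefore": "Jan  1 00:00:00 2025 GMT",
        "notAfter": "Apr  1 00:00:00 2025 GMT",
    }

GOOD = sample_cert("shop.example", "*.shop.example")
LOOKALIKE = sample_cert("sh0p.example")  # digit zero instead of the letter o
NOW = datetime(2025, 2, 1, tzinfo=timezone.utc)
LATER = datetime(2025, 6, 1, tzinfo=timezone.utc)

def hostname_matches(pattern, host):
    """Simplified matching: exact name, or '*' as the entire leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_cert(cert, host, now):
    """Return the reasons a client would warn; an empty list means no warning."""
    problems = []
    ts = now.timestamp()
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(hostname_matches(n, host) for n in names):
        problems.append("name mismatch")
    return problems

if __name__ == "__main__":
    cases = [("valid", GOOD, "shop.example", NOW),
             ("expired", GOOD, "shop.example", LATER),
             ("wrong host", GOOD, "sh0p.example", NOW),
             ("lookalike, own cert", LOOKALIKE, "sh0p.example", NOW)]
    for label, cert, host, when in cases:
        print(f"{label:20} {host:14} -> {check_cert(cert, host, when) or 'no warning'}")
```

The last case produces no warning: a correctly issued certificate for a lookalike name passes every check, because the checks bind the connection to a name and say nothing about who operates it.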

What does HTTPS protect?

  • Transmitted data, such as login credentials, credit card numbers, and messages
  • The content of the visited page from eavesdroppers on the network
  • The integrity of the page - a MITM attacker cannot modify the content

What does HTTPS NOT protect?

This is a source of misunderstanding.

It does not mean the site is trustworthy. A phishing site can also use HTTPS. The certificate only confirms that you have an encrypted connection to the domain named in it, not that the site owner is trustworthy.

It does not hide which site you are visiting. The domain name (e.g., bank.hu) remains visible in DNS queries and the SNI field, although this can be partially mitigated by using DNS-over-HTTPS.

It does not protect data stored on the server. If the server is hacked, HTTPS will not prevent a data breach.

What does the padlock icon actually mean?

| Indicator  | Meaning                              |
|------------|--------------------------------------|
| Padlock    | The connection is encrypted          |
| Warning    | Mixed content or invalid certificate |
| No padlock | HTTP connection, no encryption       |

The padlock therefore means: data transmission is secure. It does not mean that the site itself is secure or trustworthy.

What should you watch out for?

  • Never enter sensitive information, such as passwords or credit card numbers, on an HTTP page
  • Even with HTTPS, check the domain name - paypa1.com is not the same as paypal.com
  • If your browser reports a certificate error, do not continue visiting the site

Summary

HTTPS guarantees the security of data transmission. That’s what the padlock icon means. It does not guarantee the legitimacy of the site’s intentions. Together, the two provide real protection: an encrypted connection to a verified, legitimate domain name.


This article is part of a series aimed at explaining the basics of online security in simple terms.