What happens when a browser opens an HTTPS URL?

Hypertext Transfer Protocol Secure (HTTPS) means sending Hypertext Transfer Protocol (HTTP) traffic over a connection secured by Transport Layer Security (TLS).

The TLS handshake happens before the browser sends the HTTP request.

Here, URL stands for Uniform Resource Locator—the web address entered in the browser.

Transport Layer Security (TLS) vs Secure Sockets Layer (SSL)

  • Secure Sockets Layer (SSL) was the original protocol used to secure web traffic. Its versions are now outdated and insecure.
  • TLS is the modern, secure successor to SSL.
  • TLS 1.3 is the latest standardized version of TLS.
  • People still say “SSL certificate”, but browsers today use TLS. The certificate itself is more accurately called a TLS certificate.
  • A TLS/SSL certificate contains the domain name, the server’s public key, validity dates, certificate issuer, and the issuer’s digital signature.

In short: SSL is deprecated; TLS is what HTTPS uses today.

Asymmetric vs symmetric cryptography

TLS uses both:

Asymmetric cryptographySymmetric encryption
KeysPublic and private key pairSame shared session key
Used forAuthenticating the server and establishing shared keysEncrypting HTTP requests and responses
PerformanceMore computationally expensiveFast and efficient

The server’s public key can be shared openly through its certificate. The corresponding private key stays secret on the server.

During the handshake, asymmetric cryptography helps the browser authenticate the server and securely establish temporary shared session keys. After the handshake, both sides use those session keys with symmetric encryption for the actual HTTP traffic.

Flow

  1. Connect to the server

    • The browser resolves the domain through the Domain Name System (DNS).
    • It opens a connection to the server.
  2. Start the TLS handshake

    • The browser sends the TLS versions and encryption options it supports.
    • The server selects the options to use.
  3. Verify the server

    • The server sends its TLS certificate.
    • The browser verifies that the certificate:
      • belongs to the requested domain,
      • has not expired,
      • was issued by a trusted Certificate Authority (CA).
    • The server proves that it controls the private key associated with the certificate’s public key.
  4. Create shared session keys

    • The browser and server perform a secure key exchange.
    • Both independently derive the same temporary session keys without sending those keys over the network.
    • These session keys are used with fast symmetric encryption to protect the rest of the connection.
    • The server’s certificate private key proves the server’s identity; it is never shared and is not the key used to encrypt the HTTP traffic.
  5. Send the HTTP request securely

    • The browser now sends the HTTP request.
    • Requests and responses are encrypted using the shared session keys and fast symmetric encryption.

What HTTPS guarantees

  • Authentication: the browser verifies the server’s identity.
  • Confidentiality: others cannot read the traffic.
  • Integrity: changes to the traffic can be detected.

Interview notes

  • Certificates verify control of a domain; they do not prove that the website itself is safe.
  • Modern TLS uses temporary keys, providing forward secrecy: stealing the server’s private key later should not expose old sessions.
  • HTTPS protects data in transit. It does not protect a compromised browser, server, or stored data.
  • TLS may terminate at a Content Delivery Network (CDN) or load balancer, so traffic from that point to the application may require its own encryption.

Interview answer: HTTPS uses TLS, the modern successor to SSL. During the TLS handshake, public-key cryptography authenticates the server and helps establish temporary shared session keys. The browser and server then use faster symmetric encryption to protect the actual HTTP traffic.

Knowledge check — Q&A

Q: What is the difference between HTTPS and HTTP?
HTTPS sends HTTP traffic over a TLS-secured connection.

Q: Do modern browsers use SSL or TLS?
They use TLS. SSL is outdated and insecure, although people still commonly say “SSL certificate.”

Q: What is the latest standardized TLS version?
TLS 1.3.

Q: What does the browser verify in a TLS certificate?
It checks the domain name, validity period, trusted Certificate Authority, and digital signature.

Q: Why does TLS use both asymmetric and symmetric cryptography?
Asymmetric cryptography authenticates the server and helps establish shared keys. Faster symmetric encryption protects the actual HTTP traffic.

Q: Is the server’s private key sent to the browser?
No. It remains secret on the server and is used to prove the server’s identity.

Q: Are session keys sent over the network?
No. The browser and server independently derive the same temporary session keys through the key exchange.

Q: What security properties does HTTPS provide?
Authentication, confidentiality, and integrity for data in transit.

Q: Does HTTPS mean the website itself is safe?
No. HTTPS secures the network connection; it does not protect against a malicious website or a compromised browser or server.