Information Security 10 min read

Why HTTPS Is Secure: Encryption, Certificates, and Handshake Explained

This article explains why HTTP is insecure, demonstrates a plain‑text attack using Wireshark, and then details the encryption types, certificate issuance, digital signatures, and the combined asymmetric‑symmetric handshake that make HTTPS a secure protocol for web communication.

Xueersi Online School Tech Team

HTTPS is a frequently discussed topic in interviews, yet many answer "because it encrypts" without explaining why encryption makes it secure.

First, HTTP transmits data in clear text, which allows anyone on the same network (e.g., a public Wi‑Fi hotspot) to capture usernames, passwords, and even modify server responses, leading to privacy leaks, ad injection, or phishing redirects.

To illustrate the risk, the author sets up a hotspot, captures traffic with Wireshark while a phone logs into an HTTP login page, and shows that credentials travel in plain text and can be intercepted or altered.

Next, the article introduces encryption categories: irreversible (e.g., MD5, SHA, HMAC) used mainly for password storage, symmetric (e.g., AES, DES, 3DES, IDEA, RC4/5/6) where the same key encrypts and decrypts, and asymmetric (public‑private key pairs such as RSA, DSA, ECC) used for secure key exchange and digital signatures.

It then evaluates each method for securing HTTP: irreversible hashing cannot protect data in transit; pure symmetric encryption suffers from the key‑distribution problem; pure asymmetric encryption is too slow for large payloads. The practical solution combines both: the server’s public key encrypts a freshly generated symmetric session key, which is then used for fast symmetric encryption of the actual data.

The remaining challenge is ensuring the client receives the genuine server public key. This is solved by digital certificates issued by trusted Certificate Authorities (CAs). A certificate contains the domain name, holder, validity period, issuing CA, server public key, and the hash algorithm used for the signature.

Certificates are signed by the CA’s private key; the client verifies the signature with the CA’s public key (pre‑installed in browsers). If the signature matches, the public key is trusted; otherwise, the browser warns the user.

Finally, the article summarizes that HTTPS’s security relies on the integrity of the certificate, the confidentiality of the exchanged symmetric key, and the efficiency of combined asymmetric‑symmetric encryption, making intercepted traffic unreadable and tamper‑proof.

Tags: digital certificate, encryption, information security, network security, TLS, HTTPS
Written by

Xueersi Online School Tech Team

The Xueersi Online School Tech Team, dedicated to innovating and promoting internet education technology.
