HTTPS Explained: What Happens When You Visit a Site

Every time you load a site over HTTPS, your browser and the server complete a handshake that sets up an encrypted, authenticated connection — in milliseconds. Here’s the gist of what happens.

What HTTPS gives you

• Encryption — nobody between you and the server can read the traffic.
• Integrity — the data can’t be tampered with in transit.
• Authentication — you’re really talking to the site you think you are.

The handshake, step by step

1. Hello. Your browser tells the server which TLS versions and ciphers it supports.
2. Certificate. The server sends its TLS certificate, which contains its public key and is signed by a Certificate Authority (CA).
3. Verification. Your browser checks the certificate: is it signed by a CA it trusts, is it for this domain, and is it unexpired?
4. Key exchange. Using public-key cryptography, both sides agree on a shared secret without ever sending it in the clear.
5. Encrypted session. From here on, everything is encrypted with fast symmetric keys derived from that secret.

Where certificates come from

A CA verifies that you control a domain, then issues a signed certificate. Browsers ship with a list of trusted CAs, which is why the chain of trust works without you configuring anything. Let’s Encrypt made certificates free and automatic, which is a big reason HTTPS is now nearly universal.

What the padlock does and doesn’t mean

The padlock means the connection is encrypted and the certificate is valid for that domain. It does not mean the site is trustworthy — a phishing site can have a valid certificate too. Always check the actual domain.

The takeaway

HTTPS combines public-key crypto (to safely agree on a secret and verify identity) with symmetric crypto (for speed). You don’t have to manage any of it as a user — but knowing the handshake demystifies that padlock.