What the Padlock in Your Address Bar Protects — HTTPS and Encryption
To the left of your browser’s address bar sits a small padlock icon. Most of the time you don’t notice it, but when a warning like “This site is not secure” pops up, it suddenly demands your attention. In the last post, I said that cookies and tokens are essentially passes, so it’s dangerous if someone intercepts them in transit. What blocks that danger is exactly the HTTPS the padlock points to.
On top of that, news of personal data breaches reaches us every now and then. In this post, I’ll unpack, without any code, what HTTPS protects, how encryption works, and how a service stores your password.
HTTP is a postcard, HTTPS is a sealed letter
In the last post, I said a browser and a server talk through an agreement called HTTP. But plain HTTP has one weakness: the content it exchanges is exposed as is.
Think of a postcard. Anyone who handles it along the way can read it. A password or card number sent over HTTP is no different — someone along the route has room to peek. On shared paths like a cafe’s public Wi-Fi, the risk is even greater.
HTTPS turns this postcard into a sealed letter. Because the content is sealed with a cipher, even if someone intercepts it in the middle, they can’t tell what it says. The padlock in the address bar marks that “your conversation with this site is sealed,” and the “not secure” warning means you’re exchanging unsealed postcards.
Encryption is an agreed-upon lock and key
The seal itself is encryption. Encryption scrambles content according to an agreed rule into a string of characters that can’t be read without the right key.
The moment you connect over HTTPS, the browser and server securely share a secret key that only the two of them know. From then on, what they exchange is locked with this key and unlocked only with the same key. So even if someone intercepts the whole conversation, all they hold is meaningless characters. They’ve taken the locked box but never got the key.
What vouches for this seal is the certificate. A site holds a certificate issued by a trusted authority, and the browser checks that certificate to verify whether the place you just connected to really is that site. A visible padlock means both things happened: the conversation is sealed, and the identity check passed.
Passwords are not stored as is
Even with the communication sealed, how the service stores the arriving information is a separate matter. This is especially true for passwords.
A well-built service does not store your password exactly as you typed it. Instead, it runs the password through a one-way transformation and stores a form that can’t easily be reversed to the original. This process is called hashing. When you log in, the service transforms the password you entered the same way and compares it against the stored value. Reversing the stored hash back into the original password is computationally infeasible.
So even if the database leaks wholesale, the original passwords don’t immediately surface. This is why, when you forget your password, a service can’t tell you the original and only offers a reset. Even the service doesn’t hold the original of your password.
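The one-way transformation and the "transform again and compare" check described above, as an added Python example that is not part of this (deliberately code-free) post. It uses PBKDF2 with SHA-256 from the standard library and a fresh random salt per user; the iteration count, the record layout and the sample password are this example's own choices, not anything a particular service does.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this example: a real service would tune the
# iteration count to its hardware and keep the algorithm name in the record
# so it can migrate to a stronger one later.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a storable record: algorithm$iterations$salt_hex$digest_hex.

    The password itself never appears in the record, only its one-way
    digest. A random salt per user means two people who chose the same
    password still end up with different records.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-run the same transformation on the candidate and compare.

    The stored digest is never reversed; the service only asks whether the
    candidate password, under the same salt and iteration count, produces
    the same digest.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so response timing leaks nothing about the digest.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("right password accepted:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", verify_password("password123", record))
```

Running it twice shows the same password producing two different records, which is the salt at work; and the record contains nothing a service could hand back to you, which is why the only option after a forgotten password is a reset.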
Leaks still happen, and that is why two-factor authentication exists
No matter how well you guard them, passwords still leak. It happens when you reuse the same password across many sites, or when you’re tricked into typing it into a fake screen dressed up to look real.
That’s why two-factor authentication came about. It’s often called 2FA. Instead of relying on a password alone, it adds one more layer of confirmation, like a code sent by text or a number shown by an authenticator app. Even if your password is stolen, someone who can’t clear the second gate can’t get in. It’s like putting two locks on the door.
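How the "number shown by an authenticator app" is actually produced, as an added Python example that is not part of this post. It implements the standard HOTP (RFC 4226) and TOTP (RFC 6238) algorithms with the standard library only; the app and the service share a secret at enrollment, and from then on both derive the same six-digit code from that secret and the current time, so a stolen password alone never yields the code. The secret below is the published RFC test vector, not a real credential, and the drift window is this example's choice.

```python
import base64
import hashlib
import hmac
import struct
import time

# Published RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"),
# shown here in the base32 form that enrollment QR codes carry. Constructed
# for the example; a real enrollment generates a random secret per user.
ENROLLED_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30  # seconds per code, the common default


def secret_from_base32(b32: str) -> bytes:
    """Decode the base32 secret the way an authenticator app does."""
    return base64.b32decode(b32, casefold=True)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over a big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from the clock (time // step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = TIME_STEP, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side.

    The small window tolerates clock drift between phone and server; a code
    outside it is rejected even if it was once valid, so old codes do not
    stay usable.
    """
    counter = unix_time // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + drift), submitted):
            return True
    return False


if __name__ == "__main__":
    secret = secret_from_base32(ENROLLED_SECRET_B32)
    now = int(time.time())
    code = totp(secret, now)
    print("code the app would show right now:", code)
    print("server accepts it:", verify_totp(secret, code, now))
    print("server rejects it two minutes later:", verify_totp(secret, code, now + 120))
```

The same secret, the same clock and the same arithmetic on both ends is the whole trick: nothing is sent to the phone at login time, and an attacker holding only the password has no way to produce the code for the current 30-second step.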
Why this makes work easier for non-developers
- You read the padlock and warnings accurately. A “not secure” warning signals that the site is exchanging data without a seal, so you can decide not to enter sensitive information there.
- You understand breaches calmly. You can see why a “please reset your password” notice goes out, and why reusing the same password elsewhere is risky.
- You can cooperate with security requests. A demand to turn on two-factor authentication or to enforce HTTPS isn’t red tape — it’s a measure with a clear reason.
Wrapping up
Today we looked at the HTTPS that the padlock points to. If HTTP is a postcard whose content is exposed, HTTPS is a letter sealed with a cipher, and that seal is encryption. Add hashing, which doesn’t store your password as is, and two-factor authentication, which holds the line even when a password leaks, and your information is protected in several layers.
If it’s still fuzzy that cookies and tokens are passes, read Why You Stay Logged In; if you’re curious about how the attacks targeting this information have evolved, read A History of Computer Viruses and Ransomware.