Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Are HTTPS Connections Really Safe?

What does “safe” really mean?


HTTPS is an important part of keeping your data safe, but it's only a part. It's important to understand what it does and doesn't mean.
The Best of Ask Leo!
Question: I’m confused. I keep hearing that HTTPS makes your connection to a website “secure”. What does that mean? Does it mean I can trust the site I land on?

Not necessarily.

“HTTPS”, or secure HTTP, is an important part of keeping you and your data safe online.

But it’s only a part. Understanding what it does and does not do is important.

To begin with, HTTPS does two — and only two — things.

Become a Patron of Ask Leo! and go ad-free!


The HTTPS protocol does exactly two things: it encrypts the data transferred between you and the HTTPS website, and it validates that you are looking at the site you requested. It does not confirm that you requested the site you think you did, and it does not confirm that the site is legitimate. Scammers can use HTTPS.

1: Data encryption

Encryption is simply a way of scrambling the information you exchange with a website so no one else can read it.

Data that you send — say an account name and password you enter in a log-in form — is encrypted and sent to the website, where it is decrypted so it can be used.

Data coming back — perhaps a page showing transactions in your checking account — is encrypted by the website, sent to your browser, and decrypted so it can be displayed.

Encryption matters because only you and the website can understand the data. Anyone in between — say someone who’s monitoring the information going to and from your computer — sees only gibberish. It’s an important way to keep private data out of the hands of hackers and thieves.

2: Site validation

HTTPS validates that the site you are connecting to really is the site you asked for.

The website using HTTPS has information, called a certificate, which can be checked and validated by trusted authorities. If that check fails, your browser will warn you. Perhaps the certificate has expired, or perhaps it doesn’t match the site you think you’re visiting. Both alerts should give you pause.

Most warnings turn out to be benign, but should not be ignored. The most common is when a website’s owner forgets to renew a certificate before it expires.1 The second most common is the use of the wrong certificate for a site — say a certificate for is used on — two different sites requiring two different certificates.2

But if you get a warning, and it’s not clear to you why, or if you’re not certain that it falls into one of those two common situations, don’t proceed. It’s possible that hackers have hijacked some portion of the path between you and the website, attempting to redirect you to their malicious alternative.

Validation is not absolute

This is important: HTTPS does not guarantee that a site is legitimate. It only tells you it’s the site you asked for. And while it does tell you that your data is encrypted and safe on its way to and from the site, it does not tell you what happens to your data after it reaches the site.

Any website owner can easily throw together HTTPS support. In fact, scammers do it all the time. If they fool you into going to a maliciously-crafted URL — say, something like

and you think that you’re going to PayPal, the HTTPS icon will not tell you anything. All HTTPS will do is confirm that you have, indeed, gone to the site you asked for:

Make sure you’ve got the website URL correct, and that they’re a legitimate business and the business you think they are. That’s what phishing scams are all about: getting you to visit sites that look legitimate but aren’t.

A valid HTTPS connection does not help you tell the difference, because scammers can have those too.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

Podcast audio


Footnotes & References

1: Surprisingly easy to do, as it turns out. (Which means, of course, that I’ve done it.)

2: Or what’s called a “wildcard” certificate, as I use here on Ask Leo!, which is a certificate valid for * meaning {anything}

28 comments on “Are HTTPS Connections Really Safe?”

  1. >Encryption is important because only you and the remote site can
    >understand the data. Anyone in between … say someone who’s
    >monitoring the information going to and from your computer … sees only
    >gibberish. It’s an important way to keep your private data out of the
    >hands of hackers and thieves.

    If someone was monitoring my computer, how could https tell my computer what password to use to encrypt and decrypt the data without the person monitoring also getting the password?

  2. Because those passwords are never sent. Using something called public key cryptography, the sender can encrypt something with the public key that can only be decrypted by the private key. The private key is never shared, and is part of what the certification process validates. Obviously it’s more complicated than that, but that’s the basic idea.

  3. when a sniffer is active on the machine where the browser is launched (to visit a site say a bank site), & if the https is being used, the sniffer will not be able to catch the data supplied from the browser -correct?

  4. If the sniffer is actually running on the machine with the browser, then all bets are off. It’s effectively spyware and can see everything.

    However a “sniffer” is typically a different computer “sniffing” the network, and https is the way to be safe.

    • Try wireshark as a sniffer or packet analyzer; If you pull up a browser and the sniffer is on that computer, you can see the IPs which are associated with the browser’s actions.
      Often people use a tunnel or encrypted 3rd party service to protect them from snooping. Actually, this may not really protect them where an organization (read NSA, etc.) sniffs traffic from various POPs along the way. So the metadata may be collected and analyzed depending upon the degree of interest. Much has been automated into software.

  5. thanks Leo my life just got easier can you recomend a survey web sit that pays.???? and when they say spam free is it really spam free???

  6. I have a additional question. I understand that SSL is used to encrypt data as it is sent on a wire. But if I’m using a non-encrypted wireless access point, am I venerable to have my data sniffed between my laptop and my WAP? I understand without wireless encryption the data is sent through the airwaves in plain text.

    Hash: SHA1

    Bob’s example goes to “http” so of course it would NOT be

    That same example, to a server that supports “https” would
    be encrypted.

    What matters is that the URL of the page getting the
    parameters, be it via a POST or a GET be an https URL.


    Version: GnuPG v1.4.7 (MingW32)


  8. Why does Google calendar show a crossed out https in the URL bar (when browsing with Chrome)? What is crossed out https?

    I’ve never seen a crossed-out one. Right click on the padlock for more information.


  9. HTTPS connection keeps popping every move I make on web page. It is becoming a nusicances can you help.

    I don’t understand. “Https connection” isn’t something that pops up. You’d need to provide more details including the full text of any error messages.


  10. Okay – I’ve got to ask. Where do you get these really “cool” pictures such as the multi-colored locked HTTPS in your email. Do you draw them yourself or is there another source? They are very nicely done.
    As are your many helpful articles over the years. You’re my go-to web site when i have a question re a Windows PC. Thx.

  11. Hi Leo, I’ve always thought that providing the domain name comes first, no-one else can use that domain name. Your example of has surprised me, surely MUST be paypal? and anything tacked onto that name, like is merely a link to a sub domain or other section of the paypal website, NOT to a spoof/scam/etc website?
    although I notice two .com’s in the url which I’ve never seen before
    Hope you can tell me where I’ve gone wrong

  12. Hi Leo,
    There are some links from various senders that go to a page with an error message like. Hmm, I can’t seem to find that page, etc, etc. I use Mozilla Foxfire as my browser. Is this a problem with my browser, or something I may have changed in the setup menu? What can I do to be able to go to the links that are provided? Most if not all are links that I want to visit.

    • I’ve never had a problem with a browser not finding a URL. In almost all cases it’s that the link supplied is incorrect. In other words, there’s nothing you can do. It’s like if someone gives you a street address and you end up at an empty lot with a sign saying ‘This is an empty lot’.

  13. Leo, you wrote:

    “Any website owner can easily throw together https support.”

    Leo, if I wanted to start up as a proper “phisherman,” complete with “https//:” support, I wouldn’t even begin to know where to start!

    So I’m afraid I must question this.

    Mind: I can’t actually dismiss it — I don’t have enough information for that — but my “doubt flag” has been raised.

    I’m skeptical: Are certificate authorities really that lax? Is it really that inexpensive to obtain the proper certificate(s)? And, is it really that easy and simple to set up an “https//:” site?

    (All of these would seem to be prerequisites to the careless ease which your use of the phrase, “can easily throw together https support” would seem to imply.)

    Somehow, I doubt it’s quite so simple…

    • I would assume that Leo’s reference to “anyone” means anyone who is familiar with setting up a website, not anyone you come across at Walmart. Certainly any hacker will be very knowledgeable.
      Leo’s article explained this the under the heading of “Validation is not absolute”, saying that “https does not guarantee that a site is legitimate. It only tells you it’s the site you asked for”.
      If you get connected to a phishing site, what https will do for you is to ensure that your personal information is transmitted to the phishing site securely!
      Take a look at this:

    • Actually it has become that easy. Many hosting services, in addition to providing you with a place to host your web site, will offer completely free https certificates without any additional work on your part. It’s all part of the LetsEncrypt initiative from the EFF. The good news is that if a web site enables this your communications with that web site are private. The bad news is that there’s little to no oversight to confirm that the owner is who they claim to be.

  14. I don’t think https websites are particularly safer than http websites. Nowadays, it’s those who take care of those websites who are creeping on to our lives, not only those hackers. So why bother?

    • Without https:, a sniffer can get your internet traffic right from the airwaves. Companies have safeguards against employee misuse of information. Sure, their systems aren’t perfect but nothing is perfect. I’ve been purchasing online since the late 90s and my accounts have been compromised only twice. One time was a credit card purchase, I think at a gas station and the other time was when someone forged checks with my account and routing numbers. It was https: which made my online purchases safer than checks or handing my credit card to someone.


Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.