HTTPS

HTTPS (Hypertext Transfer Protocol Secure) is the encrypted version of HTTP, the protocol that underpins the World Wide Web. It uses Transport Layer Security (TLS) to authenticate the server via a digital certificate signed by a trusted Certificate Authority, and to encrypt the communication channel between client and server. The padlock icon in a browser's address bar is the visible surface of a complex trust architecture that depends on the integrity of certificate chains, the security of hash functions, and the operational competence of hundreds of CAs worldwide.

The history of HTTPS is a history of incremental trust repair: SSL was broken, replaced by TLS; MD5 certificates were rejected; SHA-1 certificates were deprecated; certificate pinning was introduced and then abandoned as too brittle. Each fix addressed a vulnerability in the previous architecture, and each fix introduced new complexity. HTTPS is now the default for most web traffic, but the trust architecture it relies on has never been formally verified and has failed catastrophically more than once.