The Difference Between HTTP and HTTPS (And Why It Still Matters in 2026)
Almost every site uses HTTPS now, but not all do it right. Here's what the padlock actually tells you — and what it doesn't.
In 2016, about half the web used HTTPS. In 2026, it's close to 90%. The move happened because browsers started labeling HTTP sites as 'Not Secure' and Let's Encrypt made free certificates available to anyone. The transition was faster than most security improvements in the industry.
What HTTPS Actually Does
HTTPS encrypts the data traveling between your browser and the web server. Without it, anyone with network access can read passwords, form submissions, and page content in plain text. With it, they see gibberish.
It also verifies identity: the certificate tied to HTTPS confirms the server you're connecting to is actually operated by whoever owns the domain. This prevents certain man-in-the-middle attacks.
What HTTPS Doesn't Do
It doesn't make the site trustworthy. It doesn't prevent the site from being a phishing page. It doesn't protect you if the site itself is malicious. And it doesn't prevent the server from storing your data insecurely on its end.
That padlock is a 'the channel is encrypted' indicator, nothing more. Phishing sites have padlocks. Fraudulent stores have padlocks. Malware distribution sites have padlocks. They all got free certificates from Let's Encrypt.
HTTP Strict Transport Security (HSTS)
HSTS is a response header that tells browsers to always use HTTPS for a domain, even if someone types http:// or clicks an old link. It prevents protocol downgrade attacks where someone forces your connection to HTTP. Well-configured secure sites enable this. Check with a tool like SSL Labs to see if a site you care about has it set correctly.
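The following is an added example, not code from the original article: a small Python checker for the value of the Strict-Transport-Security header, following the RFC 6797 parsing rules. The rating labels and the one-year threshold (the minimum max-age the browser preload list accepts) are assumptions chosen for this illustration, and the sample headers are constructed.

```python
"""Added example: evaluate a Strict-Transport-Security header value (RFC 6797)."""

ONE_YEAR = 31536000  # seconds; assumed threshold, the preload list's minimum max-age


def parse_hsts(value):
    """Return a dict of directives, or None if the header is malformed."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue                      # the grammar tolerates empty directives
        name, _, arg = part.partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        arg = arg.strip().strip('"')      # max-age may be sent as a quoted-string
        if name in directives:
            return None                   # a repeated directive invalidates the header
        directives[name] = arg
    age = directives.get("max-age", "")
    if not (age.isascii() and age.isdigit()):
        return None                       # max-age is required and must be an integer
    return directives


def assess_hsts(value, over_https=True):
    """Rate a header: ignored, invalid, disabled, weak, strong or preload-ready."""
    if not over_https:
        return "ignored"                  # browsers ignore HSTS received over plain HTTP
    d = parse_hsts(value)
    if d is None:
        return "invalid"
    max_age = int(d["max-age"])
    if max_age == 0:
        return "disabled"                 # max-age=0 tells the browser to drop the policy
    if max_age < ONE_YEAR:
        return "weak"                     # short lifetime: policy expires between visits
    if "includesubdomains" in d and "preload" in d:
        return "preload-ready"
    return "strong"


if __name__ == "__main__":
    # Constructed sample header values, not captured from any real site.
    for sample in ("max-age=63072000; includeSubDomains; preload",
                   "max-age=300; includeSubDomains", "max-age=0", "includeSubDomains"):
        print(f"{sample!r:50} -> {assess_hsts(sample)}")
```

Note the "ignored" case: a site that only sends the header on its HTTP responses has no HSTS protection at all, because browsers act on it only when it arrives over HTTPS.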
Certificate Transparency
Since 2018, all certificates must be logged in public Certificate Transparency logs. This means you can look up every certificate ever issued for a domain. If someone issued a rogue certificate for your bank's domain, it would appear in the public log. Security teams monitor these logs for unauthorized certificates — crt.sh lets anyone search them.
For Developers
Run your site through SSL Labs (ssllabs.com/ssltest) for a free detailed report on your TLS configuration. An A+ rating means you've correctly configured HSTS, your cipher suites are strong, and your certificate chain is valid. Anything below A needs attention.
FreeToolKit Team
We build free browser-based tools and write practical guides that skip the fluff.