HTTPS: Locks, Keys, and Staying Safe

Lesson 10 · taught by Pip

In the last lesson, a web page arrived in your browser as plain HTTP — a request and a reply, sent in the open. HTTPS is the same conversation with two extra promises added: your words are scrambled so only the right side can read them, and the other side has to prove it's really who it claims to be. That's the whole meaning of the little padlock in your address bar. 🔦

The locked box analogy

Picture sending a love letter through a busy harbor full of nosy hands. Anyone along the way could read it. So instead, the person you're writing to mails you an open padlock that only their key can open. You put your letter in a box, snap their padlock shut, and send it back. Now it doesn't matter how many hands touch that box on the journey — none of them have the key. Only the right side can open it.

That's HTTPS in spirit. Your browser and the website agree on a secret way to lock things, and from then on everything passing between you is gibberish to anyone watching the wire.

Scrambling is half the job

Locking the box keeps the letter private. But there's a sneakier danger: what if someone hands you their padlock and pretends to be your bank? You'd lock your letter beautifully — and send it straight to a thief.

So HTTPS adds a second promise: proof of identity. When you connect, the website shows your browser a certificate — a kind of sealed ID card. That card is signed by a trusted authority your browser already knows, the way a notary's stamp vouches for a document. Your browser checks the seal before it trusts anyone. If the seal is missing, expired, or doesn't match the address, you get that scary red warning instead of a quiet padlock.

So the padlock really means two things at once: nobody else can read this, and I checked, and this really is the place I meant to reach.

Why this matters for you

Anytime you type a password, a card number, or anything you'd hate a stranger to see, look for https:// and the padlock first. On plain HTTP, that information travels like a postcard — readable by anyone the packets pass through. On HTTPS, it travels in the locked box.

It matters for businesses too. When a shop or a tool — including the branded assistants Portmint builds for businesses — talks to customers, that conversation should ride over HTTPS so the words stay private and the customer knows they're really talking to the right company, not an impostor wearing its name.

Your turn

Click the padlock icon to the left of any web address you're on right now. Most browsers will tell you the connection is secure and let you peek at the certificate — see whose name it vouches for. That name should match the company you think you're visiting.

That's the lock and key. Next, in The Whole Journey of One Click, we'll follow a single click from your finger all the way to the page and back — every step you've learned, in one voyage. 🐙