HTTPS, TLS and Certificates
What does the padlock in the browser really promise?
- Explain the role of HTTPS and TLS
- Interpret a browser certificate warning
- Describe what a certificate authority (CA) does
Overview
When you visit a website, your device and the server exchange a lot of information. Without protection, anyone on the same network could read or change it. HTTPS uses the TLS protocol to encrypt the connection and verify the server's identity through certificates issued by trusted Certificate Authorities (CAs).
HTTP vs HTTPS
HTTP is plain text — anyone can read it. HTTPS wraps HTTP inside TLS, an encrypted tunnel. Modern browsers now warn on any plain HTTP page that asks for a password.
Certificates and CAs
A certificate is a digital document that binds a domain name (bank.com) to a public key. Certificate Authorities check the applicant really controls the domain before issuing.
Reading Warnings
A red warning ('Certificate expired', 'Not trusted') means do not proceed — the site's identity cannot be verified. The padlock only means the connection is encrypted, not that the site is honest.
Inspect a Certificate
- Open your school website in a browser.
- Click the padlock and view the certificate.
- Record the issuer, expiry date, and the domain it covers.
- What does the padlock icon guarantee?
Reveal answer
That the connection is encrypted and the certificate was issued to that domain by a trusted CA — not that the site is honest.
- What is the role of a Certificate Authority?
Reveal answer
To verify domain ownership and issue trusted certificates.
- Should you ever bypass a certificate warning on a banking site?
Reveal answer
No — the identity of the server cannot be verified.
Find one HTTPS site and one HTTP site. Note the browser's icon or warning in each case.