How HTTPS protects data in transit and when it does not
TLS handshake, certificate validation, mixed content, HSTS preload, SSL stripping, certificate pinning
HTTPS and TLS
HTTPS is HTTP carried over TLS: the browser and your server encrypt and authenticate the traffic between them, which protects data in transit against eavesdropping and tampering. It does nothing for data once it reaches either end. Server-side vulnerabilities, weak passwords, a leaked private key or a mis-issued certificate all defeat it.
What TLS Actually Provides
Confidentiality: the payload is encrypted. An attacker on the same Wi-Fi can see which server you talk to and how much data flows, but not the requests or responses.
Integrity: every TLS record is authenticated, with an HMAC in the older cipher suites and an AEAD authentication tag in TLS 1.2 AEAD suites and in all of TLS 1.3. A record that was modified on the wire fails that check and the connection is torn down with a fatal alert, so tampering cannot go unnoticed.
Authentication: the certificate proves the server is who it claims to be, but only if the browser validates it: the chain must lead to a trusted root CA, each certificate must be inside its validity period, and the name on the leaf certificate must match the hostname the browser asked for. Skip any one of those checks and an attacker can present a certificate of their own.
Common HTTPS Pitfalls
Mixed content: an HTTPS page that loads scripts, stylesheets, frames, images or other subresources over plain HTTP reopens the hole TLS closed. The HTTP subresource can be read or replaced on the wire, and a replaced script runs with the HTTPS page's origin. Browsers block active mixed content (scripts, stylesheets, iframes) outright and auto-upgrade or block passive content (images, media), so the page breaks as well as leaks. Reference every subresource with an absolute https:// URL or a root-relative path; protocol-relative URLs (//host/path) only make sense if the page itself might be served over HTTP, which HSTS rules out. As a safety net, the Content-Security-Policy directive upgrade-insecure-requests makes the browser rewrite http:// subresource URLs to https:// before fetching them.
SSL stripping: a user's first request to a site is usually plain HTTP (a typed bare domain or an old http:// link) that your server answers with a redirect to HTTPS. A network attacker intercepts that first request, talks HTTPS to your server and keeps talking HTTP to the victim, rewriting every https:// link in the responses, so the victim never reaches an encrypted page and sees no certificate warning. HSTS (from lesson 1.2) tells the browser to rewrite http:// to https:// locally before sending anything, which defeats the attack, but only once the browser has already seen the header over HTTPS; the very first visit is still exposed. Submitting the domain to the HSTS preload list (the header needs max-age of at least one year, includeSubDomains and preload) ships that rule inside the browser, so even the first visit goes over HTTPS.
Expired or self-signed certificates: a user who clicks through a certificate warning has no way to tell your expired certificate from an attacker's forged one, so the authentication guarantee is gone, and users you have trained to click through will do it on the attacker's page too. Let's Encrypt issues free 90-day certificates trusted by every mainstream browser; pair it with automated renewal so expiry cannot happen.
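The script below is an added example, not part of the lesson, covering the first two pitfalls: it scans a page for http:// subresources (the mixed-content pitfall, distinguishing active from passive) and checks a Strict-Transport-Security header against the preload-list requirements (the SSL-stripping pitfall). The sample HTML and header values are constructed, and the fetch helper plus the example.com hostnames are assumptions for illustration; run it with a hostname argument to check a live site instead.

```python
import http.client
import re
import ssl
import sys
from typing import Dict, List, Optional, Tuple

# Subresource tags whose http:// sources are "active" mixed content: modern browsers
# block these outright, so the page silently loses its script or stylesheet.
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}
# "Passive" mixed content: historically only a warning, now auto-upgraded or blocked.
PASSIVE_TAGS = {"img", "audio", "video", "source"}

# Crude but serviceable: <tag ... src="http://..."> or href="http://..." inside one tag.
_RESOURCE_RE = re.compile(
    r"<(?P<tag>[a-zA-Z]+)[^>]*?\s(?:src|href)\s*=\s*[\"'](?P<url>http://[^\"']+)[\"']",
    re.IGNORECASE,
)

# hstspreload.org requires max-age of at least one year plus the two directives below.
PRELOAD_MIN_MAX_AGE = 31_536_000


def find_mixed_content(html: str) -> List[Dict[str, str]]:
    """Return the http:// subresources an HTTPS page would try to load, in page order."""
    findings = []
    for m in _RESOURCE_RE.finditer(html):
        tag = m.group("tag").lower()
        if tag in ACTIVE_TAGS:
            kind = "active"
        elif tag in PASSIVE_TAGS:
            kind = "passive"
        else:
            continue  # <a href="http://..."> is navigation, not a subresource
        findings.append({"tag": tag, "url": m.group("url"), "kind": kind})
    return findings


def parse_hsts(header: Optional[str]) -> Dict[str, object]:
    """Split a Strict-Transport-Security value into its directives (case-insensitive)."""
    parsed: Dict[str, object] = {"present": False, "max_age": None,
                                 "include_subdomains": False, "preload": False}
    if not header:
        return parsed
    parsed["present"] = True
    for directive in header.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                parsed["max_age"] = int(directive.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                pass  # malformed max-age stays None and is reported below
        elif directive == "includesubdomains":
            parsed["include_subdomains"] = True
        elif directive == "preload":
            parsed["preload"] = True
    return parsed


def hsts_preload_problems(header: Optional[str]) -> List[str]:
    """Everything that stops this header from meeting the preload-list requirements."""
    h = parse_hsts(header)
    if not h["present"]:
        return ["no Strict-Transport-Security header: every first visit is open to SSL stripping"]
    problems = []
    if h["max_age"] is None:
        problems.append("max-age missing or malformed")
    elif h["max_age"] < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {h['max_age']} is below the {PRELOAD_MIN_MAX_AGE} preload minimum")
    if not h["include_subdomains"]:
        problems.append("includeSubDomains missing")
    if not h["preload"]:
        problems.append("preload directive missing")
    return problems


def fetch(host: str, path: str = "/") -> Tuple[Optional[str], str]:
    """Fetch a page over a chain- and hostname-verifying TLS connection (assumed helper)."""
    conn = http.client.HTTPSConnection(host, 443, context=ssl.create_default_context(), timeout=10)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", errors="replace")
    return resp.getheader("Strict-Transport-Security"), body


# Constructed sample page and header, used when no host is given on the command line.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
<script src='http://cdn.example.com/legacy.js'></script>
</head><body>
<img src="http://images.example.com/logo.png" alt="logo">
<a href="http://partner.example.com/">partner</a>
</body></html>"""
SAMPLE_HSTS = "max-age=15768000"  # six months, no includeSubDomains, no preload

if __name__ == "__main__":
    hsts, html = fetch(sys.argv[1]) if len(sys.argv) > 1 else (SAMPLE_HSTS, SAMPLE_HTML)
    for f in find_mixed_content(html):
        print(f"mixed content ({f['kind']}): <{f['tag']}> {f['url']}")
    for p in hsts_preload_problems(hsts):
        print(f"HSTS: {p}")
```

On the constructed sample the scanner reports the stylesheet and legacy script as active and the logo as passive, ignores the https:// script and the plain link, and the header check lists all three preload failures. The regex is deliberately simple; for production use an HTML parser, but the point is that http:// inside src or href on an HTTPS page is always a finding.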
Getting a Free Certificate
# Install Certbot with its nginx plugin and get a certificate for your domain
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d yourdomain.com
# The package installs a systemd timer that renews automatically when fewer than 30 days remain;
# --dry-run rehearses a renewal against the staging environment without issuing anything
sudo certbot renew --dry-run
After setup, run your domain through the SSL Labs server test (https://www.ssllabs.com/ssltest/) to verify that the TLS configuration scores an A: it checks the certificate chain, the protocol versions and cipher suites offered, and whether HSTS is sent.
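Because an expired certificate turns every visit into a click-through warning, the renewal timer deserves an independent check. The script below is an added example, not part of the lesson or of Certbot: it performs a fully validating TLS handshake against a host, reads the leaf certificate's notAfter, and flags anything inside Certbot's 30-day renewal window, which is exactly the state a silently broken timer leaves you in. The threshold constant and the classify/report helpers are this example's own; the epoch value used for the offline demonstration is constructed.

```python
import socket
import ssl
import sys
import time
from typing import Dict, Optional

# Certbot renews a Let's Encrypt certificate once fewer than 30 days remain, so a
# certificate still inside that window means the renewal timer is not doing its job.
RENEWAL_THRESHOLD_DAYS = 30


def days_until_expiry(not_after: str, now: float) -> float:
    """not_after is the 'notAfter' field of getpeercert(), e.g. 'Mar  1 12:00:00 2026 GMT'."""
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def classify(not_after: str, now: float) -> str:
    """EXPIRED, RENEW (inside Certbot's renewal window) or OK."""
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "EXPIRED"
    if days < RENEWAL_THRESHOLD_DAYS:
        return "RENEW"
    return "OK"


def fetch_leaf_cert(host: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Handshake with full validation and return the leaf certificate as a dict.

    create_default_context() sets verify_mode=CERT_REQUIRED and check_hostname=True,
    so an expired, self-signed or wrong-name certificate raises
    ssl.SSLCertVerificationError here instead of being silently accepted. Note that
    with verification disabled getpeercert() returns an empty dict, so the insecure
    shortcut would not even let you read notAfter.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def report(host: str, now: Optional[float] = None) -> str:
    """One-line status for a host, e.g. 'OK: example.com expires in 61.3 days'."""
    now = time.time() if now is None else now
    try:
        cert = fetch_leaf_cert(host)
    except ssl.SSLCertVerificationError as e:
        # Same failure a browser would show a warning for; e.verify_message says which check failed
        return f"FAIL: {host} chain validation failed: {e.verify_message}"
    except OSError as e:  # ssl.SSLError is a subclass of OSError
        return f"FAIL: {host} connection error: {e}"
    days = days_until_expiry(cert["notAfter"], now)
    return f"{classify(cert['notAfter'], now)}: {host} expires in {days:.1f} days"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(report(sys.argv[1]))
    else:
        # Offline demonstration with a constructed "now" of 2026-01-01T00:00:00Z
        demo_now = 1767225600.0
        for not_after in ("Dec 31 00:00:00 2025 GMT", "Jan 20 00:00:00 2026 GMT", "Jun  1 12:00:00 2026 GMT"):
            print(f"{classify(not_after, demo_now)}: notAfter={not_after}")
```

Run it from cron or a monitoring job against each public hostname; a RENEW or FAIL line is your signal to inspect the timer and the Certbot log before the certificate actually expires. Checking through a real handshake, rather than reading the file on disk, also catches the case where renewal succeeded but nginx was never reloaded and is still serving the old certificate.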
