HTTPS (HTTP Secure) is HTTP layered over TLS/SSL encryption, transforming the web from a plaintext protocol into one that protects confidentiality, integrity, and authenticity of data in transit. Where HTTP sends data naked across the network, HTTPS wraps every byte in cryptographic armor — yet this protection is not automatic. It requires certificates, key exchanges, handshakes, and trust chains working in concert. Understanding HTTPS means understanding how servers prove their identity, how encryption keys are negotiated, and how the entire ecosystem prevents eavesdropping, tampering, and impersonation. A critical reality: HTTPS protects data in transit, but only if certificates are valid, TLS is properly configured, and both endpoints are trustworthy — otherwise, you have encrypted communication with the wrong party. As of 2026, HTTPS underpins HTTP/2 and HTTP/3 (over QUIC), and roughly 98% of US internet traffic is encrypted — yet shrinking certificate lifetimes, post-quantum migration, and misconfiguration continue to be major operational challenges.
What This Cheat Sheet Covers
This topic spans 27 focused tables and 163 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.
Table 1: TLS Protocol Versions
TLS versions define the cryptographic rules governing every secure connection. Older versions contain well-documented vulnerabilities; supporting them creates exploitable downgrade paths. In 2026, only TLS 1.2 and TLS 1.3 are acceptable — TLS 1.3 is the clear preference for all new deployments.
| Version | Example | Description |
|---|---|---|
| TLS 1.3 | Preferred by all modern browsers | • Current standard since 2018 — 1-RTT handshake, mandatory forward secrecy, removes legacy ciphers (RC4, SHA-1, RSA key exchange) • supported by ~70% of surveyed websites and all major browsers as of 2025. |
| TLS 1.2 | Still widely deployed | • Released 2008, still considered secure when restricted to ECDHE cipher suites with AEAD • supports older cipher suites including non-PFS options; requires 2-RTT handshake — disable non-PFS suites. |
| | Formally deprecated RFC 8996 | • Deprecated March 2021 — no longer secure, vulnerable to BEAST • major cloud platforms (Azure, AWS) ended TLS 1.0/1.1 support 2024; should be disabled everywhere. |
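The version and cipher-suite rules in Table 1, applied with Python's standard `ssl` module. This is an added example, not part of the original cheat sheet. The function names `suite_ok`, `audit` and `hardened_client_context` are hypothetical, and suite names follow OpenSSL's naming.

```python
import ssl

# AEAD modes as they appear in OpenSSL suite names.
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")

def suite_ok(protocol, name):
    """Apply Table 1's rule to one suite as reported by SSLContext.get_ciphers()."""
    if protocol == "TLSv1.3":
        return True  # TLS 1.3 suites are AEAD-only and always forward secret
    # Everything else must be ECDHE (forward secrecy) with an AEAD cipher.
    return name.startswith("ECDHE-") and any(m in name for m in AEAD_MARKERS)

def audit(ctx):
    """Return findings for a context that allows old versions or weak suites."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum version below TLS 1.2 (downgrade path)")
    for c in ctx.get_ciphers():
        if not suite_ok(c["protocol"], c["name"]):
            findings.append("non-PFS or non-AEAD suite enabled: " + c["name"])
    return findings

def hardened_client_context():
    """Client context limited to TLS 1.2+ with ECDHE + AEAD suites."""
    ctx = ssl.create_default_context()        # certificate and hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Affects TLS 1.2 and below only; OpenSSL configures TLS 1.3 suites separately.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx

if __name__ == "__main__":
    # Compare a bare context (library defaults) with the hardened one.
    for label, ctx in (("bare", ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)),
                       ("hardened", hardened_client_context())):
        result = audit(ctx)
        print(label, "->", len(result), "finding(s)")
        for line in result[:5]:
            print("   ", line)
```

What the bare context reports depends on the local OpenSSL build and system crypto policy, so run the audit on the host whose configuration you are checking.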