In HTTPS communication, HTTP data is not sent as-is. It is protected by a mechanism called TLS.
The difference between HTTP and HTTPS is sometimes explained as "whether it is encrypted." However, TLS does more than encryption alone. It also plays important roles in making communication content harder for third parties to read, making tampering during transit easier to detect, and verifying the server you are connecting to.
This article organizes what TLS protects and what it does not protect.
What TLS Is
TLS stands for Transport Layer Security. It is a protocol for protecting communication over networks.
On the Web, it is used to protect communication between a browser and a web server. When you open an HTTPS website in a browser, the HTTP traffic is sent and received under the protection of TLS.
TLS mainly provides the following three kinds of protection.
| Role | Meaning | Explanation |
|---|---|---|
| Confidentiality | Makes communication content harder to read | Makes it harder for third parties in transit to understand the data contents |
| Integrity | Makes tampering with communication content easier to detect | Makes it possible to detect if data is rewritten in transit |
| Authentication | Verifies the connection destination | Uses a server certificate to check whether the destination has a valid certificate for that domain |
In other words, TLS is more accurately understood not only as "a mechanism for encrypting communication," but as a mechanism that combines protection of communication content with verification of the connection destination.
HTTPS Is HTTP Protected by TLS
HTTPS is communication in which HTTP is protected by TLS.
HTTP is the mechanism browsers and web servers use to exchange page content, form data, and similar information. However, HTTP alone does not encrypt communication content. Because of that, there is a risk that third parties on the communication path may read the content or tamper with it in transit.
With HTTPS, HTTP exchanges happen inside TLS. This makes the contents of requests and responses sent and received by HTTP harder to read while they are in transit.
| Item | HTTP | HTTPS |
|---|---|---|
| Communication content | Sent in plaintext | Protected by TLS |
| Resistance to eavesdropping | Low | High |
| Tamper detection | Weak | Easier to detect through TLS |
| Destination verification | Basically weak | Verified with a server certificate |
| Main structure | HTTP | HTTP over TLS |
HTTPS is not a mechanism that handles different content from HTTP. It is a method for sending HTTP communication protected by TLS.
What TLS Protects
At its core, TLS protects the communication content flowing between the browser and the server.
On the communication path, there may be Wi-Fi routers, providers, organizational network equipment, relay infrastructure on the internet, and similar systems. If TLS is not used, there is a risk that content may be read or tampered with on that communication path.
When TLS is enabled, communication content is encrypted. Because of that, even if a third party in transit obtains the data, it becomes difficult to read the HTTP contents as-is.
| Information | Protection by TLS | Explanation |
|---|---|---|
| Page body | Protected | HTML and body content returned by the server are harder to read in transit |
| Form input content | Protected | Login information, inquiry content, and similar data are encrypted |
| HTTP headers | Protected | HTTP headers such as User-Agent are sent inside TLS |
| Cookie values | Protected | Cookie contents are harder to read in transit |
| URL path and query | Protected | The part corresponding to /search?q=... in example.com/search?q=... is protected as an HTTP request |
However, the protection described here is protection against third parties in transit. The destination server must process the request, so it decrypts and reads the communication content.
Server Certificates Verify the Destination
TLS not only encrypts communication content, but also verifies the server you are connecting to.
When you access an HTTPS website, the server presents a server certificate. The browser checks whether that certificate was issued by a trusted certificate authority, whether it has expired, whether it matches the domain name being accessed, and similar points.
This lets the browser check whether the communication partner has a valid certificate for the intended domain.
However, the existence of a server certificate does not guarantee that the site operator is safe or that the information on the site is correct. What the certificate mainly verifies is whether the site has a valid certificate for that domain.
In other words, the HTTPS lock icon indicates that "the communication path is protected by TLS," but it does not guarantee that "the site provides trustworthy content."
The Scope Encrypted by TLS
What TLS encrypts is mainly the contents of HTTP.
For example, the body of a web page, form submission content, Cookie values, HTTP headers, and URL paths and query strings are sent inside TLS.
On the other hand, even when TLS is used, some information needed to carry the communication, as well as information outside the communication content itself, remains visible.
| Information | Hidden by TLS? | Explanation |
|---|---|---|
| Page body | Mostly hidden in transit | Protected by TLS as HTTP response content |
| Form input content | Mostly hidden in transit | Protected by TLS as the body of an HTTP request |
| Cookie values | Mostly hidden in transit | Protected by TLS as HTTP headers |
| URL path and query | Mostly hidden in transit | Protected by TLS as the contents of an HTTP request |
| Destination IP address | Not hidden | Needed to deliver packets to the communication destination |
| Source IP address | Not hidden | Visible to servers and relay destinations |
| Some information during TLS connection, such as SNI | May be visible depending on the environment | In environments where ECH and similar mechanisms are not used, it may become a clue to the destination domain name |
| DNS queries | Remain as a separate issue | With ordinary DNS, queried domains may be visible |
| Traffic volume | Not hidden | The amount of data sent and received may be observed |
| Communication timing | Not hidden | When communication happened may be observed |
This difference is important. TLS protects the contents of HTTP, but it does not erase the existence of the communication itself, the traffic volume, the timing, or IP addresses.
Be Careful About TLS Termination
With TLS, you need to be aware of which segment of the communication is protected: from which point to which point.
In common explanations, people say that "the connection between the browser and web server is encrypted." However, in actual web services, a CDN, load balancer, reverse proxy, or similar system may be the TLS termination point.
TLS termination is the point where encrypted communication is decrypted.
For example, there are configurations where the path from the browser to the CDN is protected by TLS, and the CDN forwards the request to the origin server over a separate connection. In this case, from the browser's perspective, the TLS connection destination is on the CDN side, and protection beyond that depends on the service-side configuration.
This does not mean TLS is weak. TLS is a mechanism for protecting communication between endpoints, and which systems become the endpoints depends on the system configuration.
TLS Is Not Anonymization Technology
TLS is not anonymization technology.
TLS is technology for protecting communication content from third parties in transit. On the other hand, the communication content reaches the destination server. Because the server must process the request, it may be able to learn the sent data, Cookies, login information, access time, source IP address, and similar information.
When you access an HTTPS website, third parties on the communication path have a harder time reading the page content. However, the destination website itself can process the accessed page, submitted form content, login state, Cookies, and similar information.
| Item | Can TLS solve it? | Reason |
|---|---|---|
| Eavesdropping in transit | Easier to solve | Communication content is encrypted |
| Tampering in transit | Easier to solve | There is a mechanism for detecting tampering |
| Viewing by the destination server | Not solved | The server must process the communication content |
| Hiding the source IP address | Not solved | The server side may see the source IP |
| Identification by Cookies | Not solved | Cookies are used by the server side to identify users |
| Linking to the person through login | Not solved | Actions are linked to the account |
Encryption and anonymization have different purposes.
Encryption is technology for making communication content harder for third parties to read. Anonymization is about making it harder to tell who is communicating, where they are connecting, and which actions belong to the same user.
TLS is strong for the former, but it does not achieve the latter by itself.
Why Understanding TLS Matters
Understanding TLS helps you evaluate HTTPS accurately without overestimating its safety.
HTTPS is very important as a countermeasure against eavesdropping and tampering on the communication path. For login, payment, sending personal information, access to admin screens, and similar situations, HTTPS is a prerequisite.
On the other hand, even with HTTPS, information reaches the destination server. Server logs, source IP addresses, Cookies, account information, browser information, and similar items remain as issues separate from TLS.
For that reason, when understanding TLS, you need to separate the following points.
| Perspective | Main purpose | Relationship to TLS |
|---|---|---|
| Encryption | Makes communication content harder for third parties to read | Central role of TLS |
| Integrity | Detects tampering during communication | Important role of TLS |
| Destination authentication | Checks whether the server has a valid certificate | Important role of TLS |
| Anonymization | Makes users and connection relationships harder to understand | Cannot be achieved with TLS alone |
| Tracking prevention | Reduces identification by Cookies and accounts | Requires countermeasures separate from TLS |
TLS is a basic technology that supports communication safety. However, it does not solve every privacy or anonymity issue.
Summary
TLS is the central mechanism for communication protection used by HTTPS.
TLS encrypts communication content between the browser and server, making it harder for third parties in transit to read the content. It also makes tampering during transit easier to detect, and verifies the destination through server certificates.
On the other hand, TLS is not anonymization technology. Communication content reaches the destination server, and source IP addresses, server logs, Cookies, and account information remain as separate issues.
To understand TLS correctly, you need to separate "communication content is encrypted" from "who is accessing where is hidden."
HTTPS is important for making communication safer, but it does not automatically achieve anonymity or tracking prevention.