HTTP is a plain-text, open protocol. A person in the middle (MITM attack) can read all data. HTTPS — HTTP over TLS — encrypts data. TLS (Transport Layer Security) is the updated version of SSL. In the handshake: the server sends a certificate, the browser verifies it, a shared key is generated, and all data is sent encrypted.
SSL certificates: DV (Domain Validated — automatic, Let's Encrypt provides free), OV (Organization Validated — company verified), EV (Extended Validation — highest trust). HSTS (HTTP Strict Transport Security) header forces the browser to always use HTTPS. Certificate Pinning in mobile apps prevents certificate substitution. Getting a free certificate through Let's Encrypt is now standard practice.
Our courses on this topic