HTTPS is a secure protocol that encrypts the communication between a web browser and the website it’s visiting. When you visit a website that uses HTTPS, your computer sends an encrypted request to the website, and the website responds with an encrypted message that only your computer can read. However, some websites still use HTTP instead of HTTPS. If you visit a website that uses HTTP, your computer sends an unencrypted request and the website responds with an unencrypted message, both of which anyone along the network path can read. The connection is only protected when both the web browser and the website support HTTPS.


Today’s Question & Answer session comes to us courtesy of SuperUser—a subdivision of Stack Exchange, a community-driven grouping of Q&A web sites.

The Question

An anonymous SuperUser reader wants to know if their browsing sessions are completely secure:

For example, I visit:

https://www.website.com/data/abc.html

Will the ISP know that I accessed */data/abc.html or just know that I visited the IP of www.website.com?

If they know, then why do Wikipedia and Google have HTTPS when someone can just read the internet logs and find out the exact content the user viewed?

An interesting question that certainly has implications for personal privacy. Let’s investigate.

The Answer

SuperUser contributor Grawity offers a very concise overview of how the full URL is processed along the way:

In short, everything to the right of the domain name is encrypted by the HTTPS session and remains invisible to your ISP or anyone else peeking in on your activities.

The schema https: is, obviously, interpreted by the browser.

The domain name www.website.com is resolved to an IP address using DNS. Your ISP will see the DNS request for this domain, and the response.

The path /data/abc.html is sent in the HTTP request. If you use HTTPS, it will be encrypted along with the rest of the HTTP request and response.

The query string ?this=that, if present in the URL, is sent in the HTTP request – together with the path. So it’s also encrypted.

The fragment #there, if present, is not sent anywhere – it’s interpreted by the browser (sometimes by JavaScript on the returned page).
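The breakdown above, as an added example that is not part of the original answer or article: it splits a URL into the parts the answer lists and reports what an on-path observer such as an ISP can read for HTTP versus HTTPS. The function names `exposure` and `observerView` are hypothetical, and the sample URLs are constructed from the page's www.website.com example.

```javascript
// Added example: maps each URL component to where it travels,
// following the component-by-component answer above.
// exposure() and observerView() are hypothetical helper names.

function exposure(urlString) {
  const u = new URL(urlString); // WHATWG URL parser (browsers and Node.js)
  const encrypted = u.protocol === "https:";
  // Path and query string are sent together in the HTTP request.
  const requestTarget = u.pathname + u.search;
  return {
    encrypted,
    // Scheme and fragment are interpreted by the browser and never sent.
    interpretedByBrowser: { scheme: u.protocol, fragment: u.hash },
    // The domain name is resolved with DNS, which the ISP sees.
    dnsLookup: u.hostname,
    // The request the browser builds; encrypted as a whole under HTTPS.
    httpRequest: `GET ${requestTarget} HTTP/1.1\r\nHost: ${u.host}\r\n\r\n`,
  };
}

// What someone watching the connection can read for a given URL.
function observerView(urlString) {
  const e = exposure(urlString);
  return {
    domain: e.dnsLookup,
    // Under HTTPS the request text is unreadable; under HTTP it is plain.
    request: e.encrypted ? null : e.httpRequest,
  };
}

// Constructed sample URLs based on the page's example.
const samples = [
  "https://www.website.com/data/abc.html?this=that#there",
  "http://www.website.com/data/abc.html?this=that#there",
];
for (const s of samples) {
  console.log(s, "->", JSON.stringify(observerView(s)));
}
```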
