The Green Lock: Understanding HTTPS, SSL, and the Revolution of Let's Encrypt
Browsing the web without HTTPS is like sending your private data on a postcard: anyone who handles it along the way can read it. This guide demystifies the 'Green Lock,' explaining the crucial difference between HTTP and HTTPS, how TLS (still widely called SSL) protects your users, and how Let's Encrypt revolutionized the industry by making web security free and accessible for everyone.
This post is AI Generated!
The following content wasn't written by a human, but instead it was "created" by an LLM (Large Language Model). Those AIs have "read" all the knowledge available on the Internet. However, their output is based on random chance and can be misleading, false, wrong, erroneous, and simply incorrect, all at the same time.
Why post this at all? Just give me the prompt! Here:
Write an article on HTTPS, SSL, let's encrypt, price of getting certificates, who issues them, why, what does ssl accomplish, what is the difference between https and http
The generated posts usually go through suggestions, feedback, iterations. This makes for a long AI chat session, that is full of repetitions, hot garbage, and hallucinations. I go through that and post the final output, that is hopefully better than the first output.
In the early days of the internet, browsing was akin to sending a postcard through the mail. Anyone handling that postcard along the way, from the mail carrier to the sorting center, could read the message written on the back.
Today, we send credit card numbers, medical records, and private passwords across the web. The "postcard" method (HTTP) is no longer acceptable. Enter HTTPS and TLS (still widely called SSL), the technologies that turn that postcard into a locked, armored briefcase.
Here is a comprehensive guide to how web security works, who provides it, and what it costs.
1. HTTP vs. HTTPS: What's the Difference?
To understand the solution, you must understand the problem.
- HTTP (Hypertext Transfer Protocol): This is the basic language browsers use to talk to web servers. In plain HTTP, requests and responses travel as plaintext. If you type a password into an HTTP website, anyone on the network path (the operator of a coffee-shop Wi-Fi, a compromised home router, an ISP) can read that password, and can also alter the pages sent back to you.
- HTTPS (Hypertext Transfer Protocol Secure): The "S" stands for Secure. It is ordinary HTTP carried inside a TLS connection. An eavesdropper who captures the traffic sees only ciphertext, which is computationally infeasible to decipher without the session key. Note what HTTPS does not hide: the IP address you connect to, the hostname (sent in the TLS handshake as SNI unless Encrypted Client Hello is used), and the sizes and timing of the messages.
The Visual Difference:
- HTTP: Browsers now flag these sites with a "Not Secure" warning.
- HTTPS: Displays a padlock icon in the address bar. It was green in older browsers, hence "the green lock"; today it is a neutral grey, and Chrome replaced the padlock with a "tune" settings icon in 2023. Whatever the icon, it means only that the connection is encrypted and the certificate matched the domain, not that the site behind it is trustworthy.
2. What are SSL and TLS?
You often hear "SSL," "HTTPS" and "certificate" used interchangeably, but they are different things.
- HTTPS is the application protocol: HTTP spoken over a TLS connection instead of a bare TCP connection (the road the data travels on).
- TLS (Transport Layer Security), historically SSL (Secure Sockets Layer), is the transport protocol that negotiates keys, encrypts the traffic and authenticates the server (the armor on that road).
- The certificate is an X.509 document the server presents during the TLS handshake. It binds the server's public key to its domain name and carries a CA's signature; it does not itself encrypt anything.
Technical Note: SSL is the old name. SSL 2.0 and 3.0 have been formally deprecated (RFC 6176 and RFC 7568), as have TLS 1.0 and 1.1 (RFC 8996); a modern server should offer only TLS 1.2 and 1.3. The industry still colloquially calls certificates "SSL certificates" even though every connection they protect uses TLS.
3. What Does SSL Accomplish?
A TLS connection provides three essential guarantees for data in transit (not to be confused with the "CIA triad" of confidentiality, integrity and availability; TLS does nothing for availability):
- Confidentiality (Encryption): During the handshake the browser and server agree on fresh session keys, so only those two endpoints can read the traffic. The certificate itself does not encrypt anything; it only lets the browser trust the key the server uses in that handshake.
- Integrity: Every TLS record carries an authentication tag, so data modified in transit is detected and the connection is aborted rather than silently accepted. This is what stops an on-path attacker (a hotspot operator or an ISP, say) from injecting ads or malware into the pages you are viewing.
- Authentication: The certificate binds the server's public key to its domain name and is signed by a CA your browser trusts. The browser checks the name in the certificate against the host in the URL, so a padlock on amazon.com means you are talking to whoever holds the private key for that name. It does not mean the site is honest: a phishing site at a look-alike domain can obtain an equally valid certificate for that look-alike name.
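The name check in the Authentication bullet is mechanical enough to show in code. The Python below is an added example, not code from the original post or from any browser: it re-implements the dNSName and iPAddress matching rules browsers apply (RFC 6125, updated by RFC 9525, plus the CA/Browser Forum restriction that a wildcard must be the whole left-most label) over a constructed subjectAltName list. Real certificate validation also checks the signature chain, validity dates and revocation; this shows only the hostname step, and the Public Suffix List check browsers apply to wildcards is simplified to "at least two labels after the *".

```python
"""Hostname-to-certificate matching, the way a browser does it.

Added example: simplified re-implementation of the RFC 6125 / RFC 9525
dNSName and iPAddress matching rules. SAMPLE_SANS is a constructed
subjectAltName list, not taken from a real certificate.
"""
from __future__ import annotations

import ipaddress

# Constructed sample: what a certificate's subjectAltName extension might list.
SAMPLE_SANS = {
    "dns": ["example.com", "*.example.com", "WWW.Example.NET", "xn--bcher-kva.example"],
    "ip": ["203.0.113.10", "2001:db8::1"],
}


def _parse_ip(text: str):
    """Return an ip_address for an IP literal (with or without [] brackets), else None."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def _normalize(name: str) -> list[str] | None:
    """Lower-case, drop a trailing dot, convert each label to its A-label (IDNA) form.

    Returns None for malformed names (empty labels, labels that cannot be
    IDNA-encoded); such names must never match anything.
    """
    name = name.strip().lower().rstrip(".")
    labels = name.split(".") if name else []
    if not labels or any(label == "" for label in labels):
        return None
    out = []
    for label in labels:
        if label == "*":
            out.append(label)
            continue
        try:
            out.append(label.encode("idna").decode("ascii"))
        except UnicodeError:
            return None
    return out


def _dns_name_matches(pattern: list[str], host: list[str]) -> bool:
    """One dNSName entry against one host, both already normalised."""
    if pattern == host:
        return True
    # Wildcard rules: '*' must be the entire left-most label (no 'w*.example.com'),
    # may appear only there, matches exactly one label, and must not stand in for
    # the registrable domain itself. Browsers consult the Public Suffix List for
    # that last rule; here it is simplified to "at least two labels after the *".
    if pattern[0] != "*" or "*" in pattern[1:] or len(pattern) < 3:
        return False
    return len(host) == len(pattern) and host[1:] == pattern[1:]


def hostname_matches(host: str, sans: dict[str, list[str]]) -> bool:
    """True if the URL host is covered by the certificate's subjectAltName entries.

    The Common Name in the Subject field is deliberately ignored, as modern
    browsers do; a certificate without a matching SAN fails this check.
    """
    ip = _parse_ip(host)
    if ip is not None:
        # IP literals match only iPAddress entries, never dNSName entries.
        return any(_parse_ip(entry) == ip for entry in sans.get("ip", []))
    host_labels = _normalize(host)
    if host_labels is None or "*" in host_labels:
        return False
    for entry in sans.get("dns", []):
        pattern = _normalize(entry)
        if pattern is not None and _dns_name_matches(pattern, host_labels):
            return True
    return False


if __name__ == "__main__":
    for candidate in ["www.example.com", "example.com", "a.b.example.com",
                      "bücher.example", "203.0.113.10", "evil-example.com"]:
        print(f"{candidate:20} -> {hostname_matches(candidate, SAMPLE_SANS)}")
```

The cases worth noticing: `*.example.com` covers `www.example.com` but neither the bare `example.com` nor `a.b.example.com`, an IP in the URL only matches an iPAddress entry, and a look-alike such as `evil-example.com` is simply a different name and needs its own certificate, which is exactly why a padlock is not a statement about honesty.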
Bonus: SEO Ranking. Google has officially treated HTTPS as a (lightweight) ranking signal since 2014. All else being equal, an HTTP site will tend to rank below an HTTPS competitor, and the "Not Secure" label costs visitor trust on top of that.
4. Who Issues Certificates? (The CAs)
You can generate a certificate yourself (a "self-signed" certificate), but browsers will reject it as untrusted unless the user or an enterprise administrator explicitly adds it to the device's trust store. For a public website you need a Certificate Authority (CA).
A CA is a trusted third-party organization that acts like a digital notary public. Its job is to verify that the requester controls the domain name (and, for the higher validation levels, that the named company really exists) and then sign a certificate saying so. Browsers and operating systems ship with a "root store," a list of CA certificates they trust; Mozilla, Apple, Google and Microsoft each run a root program that decides which CAs get in, and a CA that mis-issues certificates can be removed from it.
Major Commercial CAs include:
- DigiCert
- Sectigo (formerly Comodo)
- GeoTrust
- GlobalSign
5. The Revolution: Let's Encrypt
Historically, getting a certificate meant paperwork, manual validation e-mails and a yearly invoice. That changed when Let's Encrypt began issuing certificates in late 2015 and left beta in April 2016.
Let's Encrypt is a non-profit Certificate Authority run by the Internet Security Research Group (ISRG). Its goal is a 100% encrypted web. It disrupted the industry by making domain-validated certificates:
- Free: Zero cost.
- Automated: No e-mail back-and-forth. A client such as certbot proves control of the domain, fetches the certificate and installs it using the ACME protocol (RFC 8555), then renews it before it expires. Automation is not optional here: Let's Encrypt certificates are valid for only 90 days.
- Open: Available to anyone with a domain name.
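The "Automated" bullet above is the ACME protocol that Let's Encrypt speaks with clients such as certbot. Its core is domain validation: the CA hands the client a random token, and the client must publish a value derived from that token and its account key somewhere only the domain's controller could put it (a well-known URL for HTTP-01, a TXT record for DNS-01). The Python below is an added example, not certbot's or Let's Encrypt's code; it implements only that arithmetic (RFC 8555 section 8, with the JWK thumbprint of RFC 7638) and performs no network traffic. The account key and the token are constructed sample values.

```python
"""ACME domain-validation arithmetic (RFC 8555 section 8).

Added example, not from the original post nor from certbot / Let's Encrypt.
SAMPLE_ACCOUNT_JWK and SAMPLE_TOKEN are constructed values: a real client
generates its own account key and receives the token from the CA.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json

# Constructed sample: the public half of an ACME account key as a JWK.
# Extra members such as "use" are legal but ignored by the thumbprint.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "use": "sig",
}
# Constructed sample: the token the CA places in the challenge object.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# RFC 7638: the members that go into the thumbprint, per key type.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the JWK's required members only,
    serialised as JSON with keys in lexicographic order and no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 8.1: token || '.' || thumbprint(account public key).
    Only the holder of the matching account key is expected to publish it."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response(token: str, account_jwk: dict) -> tuple[str, str]:
    """HTTP-01 (8.3): the path the CA fetches over plain HTTP on port 80,
    and the exact body that must be served there."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, account_jwk)


def dns01_record(token: str, account_jwk: dict) -> tuple[str, str]:
    """DNS-01 (8.4): label and value of the TXT record to publish under the
    domain; the value is base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return "_acme-challenge", b64url(digest)


def ca_accepts_http01(served_body: str, token: str, account_jwk: dict) -> bool:
    """What the CA checks after fetching the URL: the body equals the expected
    key authorization (trailing whitespace tolerated, per 8.3), compared in
    constant time."""
    expected = key_authorization(token, account_jwk)
    return hmac.compare_digest(served_body.rstrip().encode("ascii", "replace"),
                               expected.encode("ascii"))


if __name__ == "__main__":
    path, body = http01_response(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print("serve at http://<your-domain>" + path)
    print("body:   " + body)
    label, value = dns01_record(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print(f"or publish TXT {label}.<your-domain> = {value}")
```

Two details matter in practice. The thumbprint covers only the key's required members, in sorted order, so reordering the JWK or adding members such as "use" changes nothing; and because the key authorization includes the account key's thumbprint, a token leaked from one account cannot be answered by another. The HTTP-01 fetch happens over plain HTTP on port 80, which is why a server that redirects everything to HTTPS must still let that one path through.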
6. The Price: Free vs. Paid Certificates
If Let's Encrypt is free, why do people still pay for certificates?
Free (Let's Encrypt): $0
- Validation Level: Domain Validation (DV) only. This proves you control the domain name (by answering a challenge over HTTP or in DNS), but it does not vet your company as a legitimate business; a look-alike phishing domain passes the same check.
- Use Case: Blogs, portfolios, informational sites, e-commerce shops, APIs. The browser shows the same padlock for a DV certificate as for any paid one.
- Support: None (community forums only).
Paid Certificates: $10 to $200+ per year
Commercial CAs charge money because they offer higher levels of validation and insurance.
- Organization Validation (OV): The CA checks business registration records to confirm your company is a real legal entity, and that name appears in the certificate's Subject field.
- Extended Validation (EV): The most thorough identity check. Browsers stopped giving EV certificates special address-bar treatment (the green company name) in 2019, so visitors no longer see any difference.
- Warranties: Paid certificates come with "insurance." It covers losses caused by the CA mis-issuing a certificate (for example, to someone who did not control the domain), not "cracked encryption": the strength of a TLS session does not depend on the CA at all.
- Support: You can call a customer service line if the installation fails.
The Verdict on Price: For most website owners, the free Let's Encrypt certificate is perfectly adequate. The strength of the encryption does not depend on the price of the certificate: the TLS version and cipher suite are negotiated between the browser and the server's configuration, and the key size is whatever you chose when you generated the key pair.
Summary
- HTTP exposes your traffic to anyone on the path; HTTPS protects it in transit, but says nothing about whether the site itself is honest.
- TLS (historically SSL) is the protocol that makes HTTPS possible; the certificate is what lets the browser trust the server's key.
- CAs are the companies that issue the digital ID cards (certificates).
- Let's Encrypt democratized security by offering these for free.