How does HTTPS work, end to end, when you visit a website?

5 minintermediatehttpstls-handshakednstcp

Quick Answer

Your browser first resolves the domain to an IP address with DNS, then opens a TCP connection to the server. Next comes the TLS handshake: the browser and server agree on encryption settings, verify the server's certificate, and derive a shared encryption key. After that, the browser sends its HTTP request, and the server's HTTP response, all encrypted using that shared key.

Detailed Answer

Visiting https://example.com involves several layers working together, in order:

1. DNS lookup        Browser asks: "what is the IP address for example.com?"
                      |
                      v
2. TCP connection     Browser opens a TCP connection to that IP, usually on port 443
                      |
                      v
3. TLS handshake      Browser and server agree on TLS version, cipher suite,
                      verify the server's certificate, and derive a shared key
                      |
                      v
4. HTTP over TLS      Browser sends the HTTP request, encrypted
                      Server sends the HTTP response, encrypted
                      |
                      v
5. Page rendering     Browser decrypts the response and renders the page

Step by step:

  1. DNS resolution — the domain name is turned into a server IP address.
  2. TCP handshake — a reliable connection is set up between browser and server (the standard TCP SYN / SYN-ACK / ACK exchange).
  3. TLS handshake — covered in detail in the next question. This is where encryption gets set up and the server's certificate gets checked.
  4. Encrypted HTTP exchange — once the handshake finishes, every request and response is encrypted using the shared key from the handshake.
  5. Rendering — the browser decrypts the response and displays the page.

All of this typically happens in well under a second. Modern TLS (version 1.3) is designed specifically to keep step 3 as fast as possible, since it adds a full round trip of network latency before any real data can be sent.

Related Resources