← field notes

How the Padlock Behind HTTPS Really Works

somewhere in a browser right now a small padlock sits beside a website’s name, and almost nobody looking at it knows what it actually promises. most read it as a lock on a door, safe to type a password into. but that is not what it is. the padlock is a promise, and the strange part is who makes it. not the website, not the browser, but a third party the reader has almost certainly never heard of, vouching in that instant that the site on screen is genuinely who it claims to be. the safety of the modern web rests on whether a promise from that stranger can be trusted.

the problem the padlock solves

a request for a website travels through a long chain of networks nobody controls, and something along that path could sit in the middle, pretending to be the wanted site and capturing everything.

so two things have to be guaranteed: that nobody in the middle can read what passes between the visitor and the site, and, harder and more interesting, that the site answering is the real one and not an impostor wearing its name. in the early web neither existed. traffic crossed the internet in the open, with no reliable way to know whether the machine answering was genuine. tolerable when the web was mostly public pages, it became unacceptable the moment people began typing passwords, card numbers and private messages into it.

why encryption alone is not enough

it is tempting to think encryption solves this, but it does not. encryption hides the contents but says nothing about who is on the other end. a secure line to a liar is still a line to a liar.

the real puzzle was never scrambling the message. it was identity: how does a machine that has never met this website prove the site answering really is the one whose name was typed.

the introducer

the answer the web settled on is the one human society reaches for when two strangers must trust each other: bring in a third party they both already trust. that introducer is called a certificate authority. its job is to verify that a website genuinely controls the name it claims, and then to vouch for it. the site proves it really runs the domain, usually by doing something only the true owner could, like placing a specific token at a specific address under it, and receives a signed document saying so.

notice the shift: the visitor no longer trusts the website at all, only the introducer, who has done the checking so nobody else has to. it is delegation of trust, running under every secure connection.

what the certificate actually says

that signed document is the certificate. at its heart it binds two things together: a name, the website’s domain, and a cryptographic key belonging to that site. the certificate is the authority’s signed statement that this key truly belongs to this name.

so when a browser opens its encrypted connection using that key, it is scrambling to a key a trusted authority has formally tied to the name that was intended. that binding is the whole point.

the chain of trust

but why would a browser trust that authority. the answer is a structure called the chain of trust. a website’s certificate is signed by an authority, but that authority’s own credentials are in turn signed by something above it, and so on, climbing a short ladder to a small number of supremely trusted points at the top, called roots. each link vouches for the one below it, so trust does not float freely.

the reason for the ladder, rather than letting every authority be a root, is safety. the roots are so precious they are kept locked away and used as little as possible, while the daily work of signing millions of certificates falls to intermediate authorities that can be replaced if something goes wrong without disturbing the roots above. it is a deliberate architecture of distance, so a failure near the bottom never reaches the top.

the browser’s preloaded list

here is the part almost nobody realizes. a browser, or the device it runs on, ships with a built in list of those root authorities, baked in before it is ever opened: a few hundred organizations worldwide the device has been told, in advance, to trust absolutely.

when a site’s certificate chains up to one of those preinstalled roots, the promise is accepted and the padlock appears. when the chain leads to a root the device has never heard of, or nowhere valid at all, the browser refuses and the full screen warning appears instead. that quiet, preloaded list of trusted strangers is, in a real sense, the foundation the whole secure web stands on.

picture the moment a connection to a secure site opens. the site presents its certificate and the chain above it, and the browser checks four things: that every signature in the chain is valid, that the chain ends at a root it already trusts, that the name matches the site that was asked for, and that the document has not expired. only if all of them hold does it complete the connection and show the padlock. all of it happens silently in a fraction of a second, billions of times a day. a lock appears; underneath, a full trial of identity just concluded.

taking a promise back

but promises sometimes have to be withdrawn, and this is one of the hardest parts of the system. suppose a website’s secret key is stolen, or a certificate was issued in error. it might still look valid, still chain up to a trusted root, still pass every ordinary check, even though it should no longer be believed.

so there has to be a way to revoke a promise already made, to broadcast that this certificate is dead. building a fast, reliable way to spread that distrust across the internet, and to make browsers actually listen, has been one of the persistent weak points of the design, patched and repatched for years.

how the trust is attacked

told strictly as how the trust is attacked and defended, the adversarial side has a few targets. the first is a website’s secret key, because whoever holds it can impersonate that site convincingly. the second is the certificate authority itself: an attacker who tricks or compromises an authority into issuing a certificate for a name they do not own gets a perfectly valid promise for a site that is not theirs, and browsers will believe it.

and there is the simplest trick, a name that looks almost identical to a trusted one, a single character changed, dressed in a genuine certificate for a domain that technically belongs to the impostor. that one reveals a limit of the whole system. the certificate honestly proves the impostor controls their lookalike name; it was never designed to judge whether that name was chosen to deceive a human reading quickly. the machinery verifies the name, not the intent, and that gap between technically valid and actually honest is where much of the modern fight now lives.

the layered defenses

the defenses have grown sharper over time, and are layered on purpose. one is transparency: every certificate an authority issues is now logged in public, append only records, so the whole world can watch for one that should never have been granted, and a domain owner can spot someone obtaining a certificate for their name without permission.

another is shortening how long any certificate stays valid, so that even a mistaken or stolen one expires quickly and the damage window stays small. and browsers and authorities keep raising the bar on what proof a site must show before a certificate is granted. each layer assumes the others can fail.

the power at the center

it would be dishonest to present this as clean and settled, so name the tension at its core. the entire system rests on trusting a few hundred root authorities, completely, in advance. any one of them, if compromised or coerced or simply careless, can issue a promise the whole web will believe, for a site that is not what it claims. and the trust is not symmetrical: any single root can vouch for any site on the web, so the whole is only ever as strong as the least careful member of the club.

this is the shape every system on this channel seems to take. not one clean mechanism that settles the matter, but a stack of imperfect defenses weighted against each other, transparency logs and short lifetimes and rising proof, none trusted alone, each covering a little of where the others fail, holding an uneasy line. the cryptography is sound, the seal is real, and it holds because a great many people have agreed, collectively, to trust a small club of gatekeepers they never chose and mostly cannot name.

what the padlock really is

so here is the part to sit with. that small padlock, the one people are trained to look for, is not a wall and not a lock. it is the visible tip of an invisible web of trust, a chain of vouching that climbs from the website in front of a visitor up to a handful of strangers their device decided to believe before it was ever turned on.

it works so smoothly nobody thinks about it, which is exactly the point. but once the padlock is understood for what it really promises, and who is really making that promise, the web reads differently: not a sealed door, but a fragile, brilliant chain of trust stretched across the whole internet, held together by signatures from people the visitor will never meet.

The Hidden Internet takes apart the systems that quietly run the modern web, explained from the inside. No products, just the machinery. Subscribe on YouTube.

watch
The Hidden Internet on YouTube

Every field note starts as a short documentary. Watch the systems in this piece explained on screen.

subscribe →
read on
More field notes

The rest of the series on how the modern internet detects, tracks, and sorts the traffic that reaches it.

browse the archive →