Browsers sometimes won’t load a page because there’s a problem with the certificate. What are these certificates and who issues them? Why is it dangerous to open a page with an invalid one?


6 Answers

Anonymous 0 Comments

When you visit www.reddit.com, how do you know the webpage you are loading came from the Reddit Company and not Vlad’s House of Stolen Personal Info?
Vlad could have intercepted the reddit webpage, made a web page that looks exactly like reddit, except it sends him your password, login and whatever else you would give reddit to run.

The answer is that reddit went to a **Certificate Authority** and gave them a special number called a Public Key. If you have this public key, you can encrypt stuff so that only reddit can read it. Reddit can also make this thing called a signature, and you can use the public key to confirm that reddit made it.

Certificate Authorities also have a public key. You probably had the public key for one or more major Certificate Authorities installed along with your browser.

So when you receive a message with reddit’s public key, since the Certificate Authority signed it, you know that it’s actually from the Certificate Authority, and then you can figure out if the page you got was actually from reddit.

Now when you load reddit, and you get the key and find out the signature doesn’t match, your browser raises hell and warns you about an invalid Certificate. It means that the website you loaded could have been sent by Vlad and not reddit.
More likely though it’s just your coffee shop wifi substituting a wifi login page for reddit. The browser doesn’t care about what’s actually being shown, just that the signature doesn’t match.
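The check described in the answer above, as an added example that is not part of the original answer: a Certificate Authority signs a site's hostname and public key, and the browser verifies that signature with the CA key in its trust store before comparing hostnames. It assumes toy RSA keys built from small, publicly known Mersenne primes with no padding (not secure) and constructed names such as "Example CA"; real browsers validate X.509 certificates.

```python
import hashlib

E = 65537  # public exponent shared by every toy key here

def make_key(p, q):
    """Return (n, d): toy RSA modulus and private exponent."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    """SHA-256 of data, reduced so it fits under the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def cert_body(cert):
    """The bytes the issuer signs: hostname, site public key, issuer name."""
    return f"{cert['host']}|{cert['site_n']}|{cert['issuer']}".encode()

def issue_cert(host, site_n, issuer, issuer_key):
    """Issuer signs the certificate body with its private key."""
    cert = {"host": host, "site_n": site_n, "issuer": issuer}
    n, d = issuer_key
    cert["sig"] = pow(digest(cert_body(cert), n), d, n)
    return cert

def browser_check(cert, requested_host, trust_store):
    """Return 'ok' or the reason the browser would show a warning."""
    ca_n = trust_store.get(cert["issuer"])
    if ca_n is None:
        return "untrusted issuer"      # signer is not a CA we shipped with
    if pow(cert["sig"], E, ca_n) != digest(cert_body(cert), ca_n):
        return "bad signature"         # body was altered or signed by someone else
    if cert["host"] != requested_host:
        return "hostname mismatch"     # valid cert, but for a different site
    return "ok"

# Constructed sample data (not real keys or certificates)
CA_KEY = make_key(2**107 - 1, 2**127 - 1)
VLAD_KEY = make_key(2**61 - 1, 2**89 - 1)
TRUST_STORE = {"Example CA": CA_KEY[0]}  # installed along with the browser
SITE_N = 0xC0FFEE                        # stand-in for the site's public key

genuine = issue_cert("www.reddit.com", SITE_N, "Example CA", CA_KEY)
forged = issue_cert("www.reddit.com", VLAD_KEY[0], "Example CA", VLAD_KEY)
self_signed = issue_cert("www.reddit.com", VLAD_KEY[0], "Vlad CA", VLAD_KEY)
portal = issue_cert("login.coffeeshop.example", SITE_N, "Example CA", CA_KEY)
swapped = dict(genuine, site_n=VLAD_KEY[0])  # genuine cert with the key replaced

if __name__ == "__main__":
    for name in ("genuine", "forged", "self_signed", "portal", "swapped"):
        print(name, "->", browser_check(globals()[name], "www.reddit.com", TRUST_STORE))
```

The `portal` case is the coffee shop situation: the certificate itself verifies, but it is for a different hostname than the one requested.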
