eli5 Why does the “site can’t provide a secure connection” error exist?


10 Answers

Anonymous 0 Comments

When the web was first developed there wasn’t much thought given to safety and security.

The way the system works is that you have a name like reddit.com and ask around where you can find the webserver that operates under that name and then go there and ask it for a website.

The “ask around” part is done via DNS, a system that translates names into IP addresses.

The trouble is there is no guarantee that those addresses really belong to the owner of the domain. Somebody between you and there could fake stuff and pretend to be the website.

They could pretend to be reddit or facebook or your bank and show you fake content or trick you into entering your username and password.

Also, all communication with those sites is in clear text, which means anyone along the way can read everything.

It is like writing confidential information on a postcard and trusting that the letter carrier and everyone who handles the postcard at the post office won’t read it.

This is good enough for “Wish you were here” or “happy birthday” type of messages but not for anything that you want to keep secret.

This is where HTTPS comes in.

It involves a certificate that guarantees that the one operating the web-server is allowed to do so by the owner of the domain. It also encrypts all your communication with the site so that anyone between you and it doesn’t know what content you exchanged.

This is why you should only ever enter any data like usernames and passwords when you communicate over HTTPS.

One issue you might already have noticed is the certificate: who guarantees that it isn’t fake? The answer involves a lot of complicated math and chains of trust.

You trust the certificate because it was issued by someone you trust and you trust them because they have a certificate that was issued by someone else you trust. There is a chain that goes several links up to a small number of organizations whose main business is being trustworthy.

Since there is a lot of money to be made by trying to break into this chain of trust, a lot of work has to go into maintaining it.

If at some point any of the links in that chain gets broken and someone steals the metaphorical stamp of authenticity they could do a lot of damage with that.

To limit the danger, compromised certificates are revoked all the time and your computer will check any certificate against the list of stuff that you shouldn’t trust any longer.

Similarly all certificates come with an expiry date, so finding a valid certificate from years ago will not help any hackers.

The expiration is a bit of a problem however.

If the people who run the website forget to renew the certificate before it expires, anyone visiting the site gets a message that the website doesn’t have a valid certificate and that they might not be trustworthy.

You can think of it like a personal ID or passport that guarantees who you say you are. Those expire eventually.

If you try to travel abroad on an expired passport you will encounter problems. The passport may have been genuine, but it is no longer valid and they won’t let you in.

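The expiry problem described in the answer above, shown as an added example that is not part of the original thread: a site operator's check that classifies a certificate's validity window so renewal happens before visitors see the error. The 14-day threshold, the function names and the sample dates are assumptions made for this illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 14  # assumed warning threshold, not a value from the thread


def _parse(cert_time):
    """Convert a certificate time string ('Jun 10 00:00:00 2024 GMT') to UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def classify(cert, now):
    """Classify a getpeercert()-style dict against its validity window."""
    not_before = _parse(cert["notBefore"])
    not_after = _parse(cert["notAfter"])
    if now < not_before:
        return "not yet valid"
    if now >= not_after:
        return "expired"
    days_left = (not_after - now).days
    if days_left < RENEW_WINDOW_DAYS:
        return f"renew soon ({days_left} days left)"
    return "ok"


def fetch_cert(host, port=443, timeout=5):
    """Fetch a live server's certificate as a dict (needs network access).

    The default context also checks the chain of trust and the hostname, so an
    already expired or untrusted certificate raises ssl.SSLCertVerificationError
    here instead of returning a dict.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in the same shape getpeercert() returns (dates are made up).
SAMPLE_CERT = {"notBefore": "Mar 10 00:00:00 2024 GMT",
               "notAfter": "Jun 10 00:00:00 2024 GMT"}

if __name__ == "__main__":
    for day in ("2024-03-01", "2024-04-01", "2024-06-01", "2024-07-01"):
        when = datetime.fromisoformat(day).replace(tzinfo=timezone.utc)
        print(day, classify(SAMPLE_CERT, when))
```
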