HTTPS protects the content of your web traffic (what you send and receive) on an unsecured network, but it is not a complete defense: there are important limits and remaining risks.
What HTTPS does well
- Encrypts the HTTP request and response body and headers (so eavesdroppers on the same Wi-Fi can’t read the page content, passwords, forms, etc.).
- Ensures integrity (an attacker can’t silently modify the page or resources without breaking the TLS connection).
- Provides server authentication via certificates (the browser can detect invalid/fake certs and warn you).
What HTTPS does not fully protect against
- Compromised device or browser: malware, malicious browser extensions or an infected OS can read or modify data before it’s encrypted.
- Metadata exposure: observers still see the IP addresses you connect to, and usually your DNS queries and the SNI (the domain name sent in the TLS handshake), unless additional protections (DoH/DoT, ECH) are used.
- Man-in-the-middle with forged certs: if a CA is compromised or the attacker installs a trusted root CA on your machine (or coerces a CA), they can impersonate sites. Browsers normally warn about bad certs, but users sometimes ignore warnings.
- Captive portals and downgrade: on some public Wi-Fi you may be forced through a captive portal before TLS is established, and attackers on the network can try to intercept any resources still loaded over plain HTTP.
- Server-side security: HTTPS doesn’t protect you if the website itself is insecure (leaks data, stores passwords poorly).
- Active network attacks on old TLS: older TLS versions and cipher suites have known weaknesses, so servers and clients must use modern TLS (1.2 or later, ideally 1.3) with strong cipher suites.
Practical advice (for users)
- Always prefer HTTPS (look for the lock).
- Don’t ignore browser certificate warnings.
- Use a reputable VPN on untrusted public Wi-Fi for extra protection and to hide metadata from the local network.
- Use mobile data for very sensitive transactions if possible.
- Keep OS and browser up to date; remove suspicious extensions.
- Consider DNS-over-HTTPS/TLS in your browser or system to reduce DNS leaks.
Practical advice (for site owners / developers)
- Serve only TLS 1.2+ (prefer TLS 1.3); disable old protocols and weak ciphers.
- Enable HSTS so browsers automatically upgrade to HTTPS.
- Use secure cookies, set Strict-Transport-Security, enable OCSP stapling, use strong certs and automated renewal.
- Consider certificate pinning (carefully) for apps.
- Support DoH/DoT/DNSSEC and consider ECH when available to reduce metadata leaks.
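A small checker for two of the site-owner items above (TLS 1.2+ only, HSTS and secure cookies), added here as an example and not code from the original page. The HSTS max-age threshold and the sample header sets are assumptions constructed for the demonstration.

```python
# Added example (not from the original page): audit the HSTS / cookie settings the
# site-owner advice calls for, and build a client TLS context limited to TLS 1.2+.
import re
import ssl

# Assumed threshold (one year); the page recommends HSTS but fixes no max-age.
MIN_HSTS_MAX_AGE = 31536000


def make_modern_tls_context() -> ssl.SSLContext:
    """Client context that negotiates only TLS 1.2/1.3; cert and hostname checks stay on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def min_tls_version_name() -> str:
    """Name of the lowest TLS version the context above accepts."""
    return make_modern_tls_context().minimum_version.name


def audit_headers(headers: list[tuple[str, str]]) -> list[str]:
    """Return findings for a response's headers; an empty list means all checks passed."""
    findings = []
    hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("HSTS header missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.I)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age too short")
        if "includesubdomains" not in hsts[0].lower():
            findings.append("HSTS lacks includeSubDomains")
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        name = v.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in v.split(";")[1:]}
        for flag in ("Secure", "HttpOnly"):  # what "secure cookies" means in practice
            if flag.lower() not in attrs:
                findings.append(f"cookie {name} lacks {flag}")
    return findings


# Constructed sample header sets (not captured from any real site).
WEAK_HEADERS = [("Content-Type", "text/html"), ("Set-Cookie", "session=abc123; Path=/")]
HARDENED_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
```

Running `audit_headers` on the weak set lists the missing HSTS header and the two missing cookie flags; the hardened set returns no findings.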
Bottom line
HTTPS is essential and very effective at protecting content on unsecured networks, but it’s not a silver bullet. Combine HTTPS with good endpoint hygiene (secure device/browser), optional VPNs or encrypted DNS for extra privacy, and modern TLS best practices on the server to get close to a strong protection posture.
