Tech Friend: Why use VPN for HTTPS sites?


Tech Friend is our advice column covering cybersecurity, privacy, and everyday technology. Email your question to techfriend@expressvpn.com. If you have questions about your ExpressVPN subscription or need troubleshooting help, please contact Support.


Can you help clarify something for me? It’s commonly stated that a VPN encrypts your data traffic from your device out to the internet. But how is this different to the website having a TLSv1.3 connection method (i.e., HTTPS)?

Furthermore, if the website is only HTTP, how does a VPN apply encryption? Is it fair to say that a VPN encrypts your traffic between your device (through to your ISP) and the VPN-controlled servers? Then from the servers outward to the internet, it really depends on the website you visit for any encryption protocol?

Submitted by: Brad

Great question. What exactly does a VPN bring to the table when most sites are already using HTTPS?

VPN and HTTPS can’t be thought of as replacements for each other; they protect against different threats.

Why use VPN with HTTPS?

When a web page uses the HTTPS protocol (rather than HTTP), as indicated by its URL, it means it uses TLS encryption to protect your transmissions between your browser and the website, so third parties like internet service providers and Wi-Fi network operators can’t read your activity.

However, they can still learn which sites you visit by observing your DNS requests. DNS is like an address book for the internet. Every time you try to visit a web page by clicking on a link or typing in a URL, a DNS lookup occurs before you are brought to the correct web page. This query happens outside of the encrypted path between your browser and the website, so your ISP and Wi-Fi admin can still see which site you’re looking at from the DNS information.

This simple diagram illustrates how your ISP can see your DNS request even when the site uses HTTPS:

HTTPS encryption diagram.
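As an added illustration that is not part of the original column: the DNS query below is built by hand (a constructed sample, not a real capture), and `parse_query` shows what an on-path observer such as an ISP or Wi-Fi operator can read from it, because the lookup travels outside the TLS session that protects the page itself.

```python
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct the raw UDP payload of a standard DNS A query for `name`.
    This is the kind of packet a browser sends before the HTTPS connection begins."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A (1), QCLASS=IN (1)

def parse_query(payload: bytes) -> dict:
    """Read the question section of a plaintext DNS query, exactly as any device
    between the client and its resolver can, since nothing here is encrypted."""
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12  # question section starts right after the 12-byte header
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a query's question name
            raise ValueError("unexpected compression pointer")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {
        "txid": txid,
        "name": ".".join(labels),      # the site name, visible to the observer
        "qtype": qtype,
        "qclass": qclass,
        "is_query": not (flags & 0x8000),  # QR bit clear means this is a question
    }

if __name__ == "__main__":
    # Constructed example: the observer sees the hostname even though the
    # subsequent HTTPS session to that host is encrypted.
    print(parse_query(build_query("example.com")))
```

Inside a VPN tunnel the same packet is wrapped in the tunnel's encryption, so an observer between the device and the VPN server sees only ciphertext rather than this parseable question.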

When you connect with ExpressVPN turned on, our servers handle all of your DNS requests—not your ISP. In fact, because ExpressVPN secures your traffic, your ISP can’t even tell if you make a DNS request. We never log DNS requests, and when we look up a name on your behalf, all any other DNS server can see is our server address—they can never see you.

VPN encryption diagram.

As everyone on the same server shares the same DNS server as you, all the requests come from a single source, mingling your requests in with everyone else’s. Even if someone were to be interested in DNS traffic, they wouldn’t be able to isolate any particular user.

So a VPN’s encryption provides broader coverage than HTTPS encryption. But there are also other benefits, such as the website you visit not being able to see your real IP address, increasing your privacy.

Other risks that are not mitigated by HTTPS but that can be mitigated with a VPN include man-in-the-middle and downgrade attacks, such as cases where attackers trick your browser into connecting to the wrong endpoint or into falling back to plain HTTP. HSTS helps prevent this, but it is still only used by a small minority of sites.

What does a VPN do when I visit HTTP sites?

You’re right: a VPN encrypts your traffic between your device (through to your ISP) and the VPN-controlled servers. Encryption is not actually “applied” to the HTTP page itself.

When you use a VPN to visit an HTTP site, the attack surface is greatly reduced, with everything from your device to the VPN server protected. Anyone between your device and the VPN server—like your ISP, Wi-Fi admins, attackers over public Wi-Fi—can’t see what you’re doing or make modifications (via a man-in-the-middle attack). And visits to the website and DNS lookups cannot be tied back to you.

It’s true that the HTTP web page remains unsecured. However, the fact remains that no one knows that activity is yours. But this does underscore why you should never input payment information into an HTTP site, even if you’re using a VPN. All legitimate sites accepting payment should use HTTPS; if a site doesn’t, question if it’s a fake shopping site.

The reassurance of a VPN

All of this hasn’t even touched on the reality that much of today’s internet traffic comes from mobile apps, where users don’t have any indication of whether HTTPS is being used.

A VPN is an easy way to ensure you are afforded strong protection against snooping and attacks, without having to worry about DNS leaks, technical issues on the website’s end, dodgy Wi-Fi, and other security risks that still exist even when visiting HTTPS sites.
