Progressive Web Application Development by Example

Confidentiality

Without HTTPS, your connection can be hijacked by a man-in-the-middle (MITM) attack. The address bar may show the domain you expect to have loaded, but plain HTTP does nothing to prove who is answering, so the responses could be coming from an attacker sitting between you and the real server.

Let's walk through a few scenarios:

Normally, when you connect to a website over HTTP, the conversation is in plain text. Often nothing in it is sensitive, but anyone on the network path can read all of it: the URLs you request, the headers (including cookies), and the data you submit, and they can use any of that against you, as shown in the following image:

This is amplified on public Wi-Fi. These networks are convenient for getting online for free, but anyone on the same network, or whoever controls the access point, can observe your traffic.

Once the eavesdropper has identified your session, they can go from passive to active: intercept the conversation and route you to their own server. From then on, everything you send to the site you meant to reach goes to the attacker's server instead, which can relay it onward so that nothing looks wrong to you, as shown in the following image:

While this takes some sophistication, it happens more often than you might think.

Now let's change the scenario so that everyone involved uses HTTPS. All communication is encrypted. The only thing the attacker can learn is which domain(s) you visit, because the hostname is sent in the clear in the TLS handshake (the Server Name Indication) and the DNS lookup reveals it as well. They cannot see the URLs you request on those domains, nor the headers, cookies or data you submit, as shown in the following image:
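To make the difference concrete, here is an added example (not code from the book): a Node.js script that plays the eavesdropper. It reads a constructed plain-text HTTP request and recovers the full URL and cookie, then builds a minimal TLS ClientHello record and recovers from it the only thing the handshake leaks, the SNI hostname. The hostnames, path, token and cookie values are made up for the demonstration.

```javascript
// Added example (not from the book): what a passive eavesdropper recovers from
// plain HTTP versus HTTPS. The HTTP request and the TLS ClientHello below are
// constructed for the demo; the hostnames, paths and cookie values are made up.

const u16 = (n) => Buffer.from([(n >> 8) & 0xff, n & 0xff]);
const u24 = (n) => Buffer.from([(n >> 16) & 0xff, (n >> 8) & 0xff, n & 0xff]);

// Constructed plain-text HTTP request, exactly as it would cross the wire.
const SAMPLE_HTTP_REQUEST =
  'GET /account?token=abc123 HTTP/1.1\r\n' +
  'Host: shop.example.com\r\n' +
  'Cookie: session=deadbeef\r\n' +
  'User-Agent: demo\r\n\r\n';

// Over HTTP everything is readable: method, full URL and every header.
function eavesdropHttp(raw) {
  const [head] = raw.split('\r\n\r\n');
  const [requestLine, ...headerLines] = head.split('\r\n');
  const [method, path] = requestLine.split(' ');
  const headers = {};
  for (const line of headerLines) {
    const i = line.indexOf(':');
    headers[line.slice(0, i).toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, path, host: headers.host, cookie: headers.cookie };
}

// Build a minimal TLS 1.2-style ClientHello record carrying a server_name (SNI)
// extension, the first message a browser sends when opening an HTTPS connection.
function buildClientHello(hostname) {
  const name = Buffer.from(hostname, 'ascii');
  const sniEntry = Buffer.concat([Buffer.from([0x00]), u16(name.length), name]); // type host_name
  const sniExt = Buffer.concat([u16(0x0000), u16(sniEntry.length + 2), u16(sniEntry.length), sniEntry]);
  const body = Buffer.concat([
    Buffer.from([0x03, 0x03]),                      // client_version = TLS 1.2
    Buffer.alloc(32, 0xaa),                         // random (fixed for the demo)
    Buffer.from([0x00]),                            // empty session_id
    u16(4), Buffer.from([0x13, 0x01, 0x13, 0x02]),  // two cipher suites
    Buffer.from([0x01, 0x00]),                      // one compression method: null
    u16(sniExt.length), sniExt,                     // extensions block
  ]);
  const handshake = Buffer.concat([Buffer.from([0x01]), u24(body.length), body]);
  return Buffer.concat([Buffer.from([0x16, 0x03, 0x01]), u16(handshake.length), handshake]);
}

// Walk the ClientHello and return the SNI hostname, or null if there is none.
// The record is sent before any key exchange, so the name is in the clear,
// while the HTTP request carried inside the TLS session is not.
function extractSni(record) {
  if (record[0] !== 0x16 || record[5] !== 0x01) return null;  // not a ClientHello
  let p = 9 + 2 + 32;                        // record + handshake headers, version, random
  p += 1 + record[p];                        // session_id
  p += 2 + record.readUInt16BE(p);           // cipher_suites
  p += 1 + record[p];                        // compression_methods
  const extEnd = p + 2 + record.readUInt16BE(p);
  p += 2;
  while (p + 4 <= extEnd) {
    const type = record.readUInt16BE(p);
    const len = record.readUInt16BE(p + 2);
    p += 4;
    if (type === 0x0000) {                   // server_name extension
      const listEnd = p + 2 + record.readUInt16BE(p);
      let q = p + 2;
      while (q + 3 <= listEnd) {
        const nameLen = record.readUInt16BE(q + 1);
        if (record[q] === 0x00) return record.toString('ascii', q + 3, q + 3 + nameLen);
        q += 3 + nameLen;
      }
    }
    p += len;
  }
  return null;
}

// Over HTTPS the eavesdropper sees only the hostname (plus the server IP and,
// usually, the DNS lookup), never the path, query string, cookies or body.
function eavesdropHttps(record) {
  return { hostname: extractSni(record) };
}

console.log('HTTP  :', eavesdropHttp(SAMPLE_HTTP_REQUEST));
console.log('HTTPS :', eavesdropHttps(buildClientHello('shop.example.com')));
```

Run it with `node` and compare the two lines: the HTTP view includes the token in the query string and the session cookie, the HTTPS view is just the hostname. This is also why a query-string token is still a bad place for a secret even over HTTPS: it protects it on the wire, but not in browser history or server logs.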

The connection between client and server can no longer be silently hijacked. HTTPS authenticates the server: the browser checks that the certificate it is shown matches the domain and chains to a certificate authority the browser trusts. An attacker who inserts themselves cannot present a valid certificate for that domain, so the browser detects the problem and refuses to continue the conversation. Two caveats matter in practice: this only holds if users do not click through certificate warnings, and a site that is also reachable over plain HTTP can still be intercepted before the secure connection is ever made, which is what the HTTP Strict Transport Security (HSTS) header is designed to prevent.