Port 443: HTTPS

Encrypted web traffic. Most commonly TCP, and increasingly UDP for HTTP over QUIC.

Where you will see it: In scans, firewall rules, vulnerability reports, and service configs. Treat open ports as exposure points and verify the service is expected, hardened, and restricted.

What it is

Port 443 is the default port for HTTPS, meaning HTTP carried inside a TLS-protected channel. A port is a transport-layer number used together with an IP address and a protocol such as TCP or UDP to direct traffic to the correct service on a host. A server process binds a socket to a port and listens, while a client typically chooses an ephemeral source port for outbound connections.

The combination of source and destination IP addresses, source and destination ports, and the transport protocol uniquely identifies a flow so the operating system can keep many conversations separate. Firewalls, NAT, and scanners talk about ports because the destination port is the stable rendezvous point that exposes a service to the network.

In the common TCP-based case, the client opens a TCP connection to destination port 443, performs the TCP handshake, then performs a TLS handshake where the server proves its identity with a certificate and both sides derive encryption keys. Only then do HTTP requests and responses flow inside the encrypted tunnel, often with connection reuse for many requests.

Modern web stacks also use HTTP over QUIC, known as HTTP/3, which runs over UDP on port 443. That is why you may see both TCP 443 and UDP 443 involved in web traffic.

Port 443 matters because it is the most common externally reachable service on the internet, so it is both a business-critical entry point and a favorite hiding place for tunneling and command and control. Encryption protects transport confidentiality, but application vulnerabilities, weak authentication, and misconfiguration are still the real risks on 443.

How it works in broad strokes

  1. Client opens a TCP connection and performs a TLS handshake to agree on keys and verify the certificate.
  2. Inside the encrypted tunnel, the client sends HTTP requests and receives responses.
  3. Modern stacks may use HTTP/2 or HTTP/3, and can reuse connections for many requests.

Concrete example

A user visits a site. The browser verifies the certificate during the TLS handshake, then sends an HTTP GET. Even though the traffic is encrypted on the wire, the server terminates TLS, so its logs still show the request path and status code.

Why it matters

Port 443 is the most common external exposure on the internet. Security posture depends on TLS configuration, certificate hygiene, and application security. In investigations, 443 traffic can be legitimate web use or it can hide tunneling, proxies, and command and control.

Security angle

  • Use strong TLS configurations and automate certificate rotation.
  • Apply web security controls such as WAF rules, rate limiting, and robust authentication.
  • Inspect logs for unusual paths, user agents, and request volumes. Encryption does not remove the need for visibility.
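
The log inspection described in the last point, sketched as an added example (not code from the original page). It assumes access logs in combined log format; the sample lines, the /admin prefix, the 10.0.5.0/24 management network, and the volume threshold are all constructed assumptions to adapt to your environment.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in combined log format (not from a real server).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [12/Mar/2025:10:00:03 +0000] "GET /admin/login HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows NT 10.0)"
10.0.5.20 - - [12/Mar/2025:10:00:04 +0000] "GET /admin/users HTTP/1.1" 200 1300 "-" "Mozilla/5.0 (Macintosh)"
192.0.2.44 - - [12/Mar/2025:10:00:05 +0000] "POST /api/login HTTP/1.1" 401 120 "-" "python-requests/2.31.0"
192.0.2.44 - - [12/Mar/2025:10:00:05 +0000] "POST /api/login HTTP/1.1" 401 120 "-" "python-requests/2.31.0"
192.0.2.44 - - [12/Mar/2025:10:00:06 +0000] "POST /api/login HTTP/1.1" 401 120 "-" "python-requests/2.31.0"
192.0.2.44 - - [12/Mar/2025:10:00:06 +0000] "POST /api/login HTTP/1.1" 401 120 "-" "python-requests/2.31.0"
"""
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
ADMIN_PREFIXES = ("/admin",)               # assumed sensitive path prefixes
MGMT_NETS = [ip_network("10.0.5.0/24")]    # assumed management network
BROWSER_UA = re.compile(r"^Mozilla/")      # crude "looks like a browser" test
VOLUME_LIMIT = 3                           # assumed per-client threshold (tiny, for the sample)

def in_mgmt(ip):
    try:
        return any(ip_address(ip) in net for net in MGMT_NETS)
    except ValueError:  # client field is a hostname: treat as outside
        return False

def triage(log_text):
    """Return a sorted list of (client, reason) findings for review."""
    findings, per_ip = set(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, path, ua = m["ip"], m["path"], m["ua"]
        per_ip[ip] += 1
        if path.startswith(ADMIN_PREFIXES) and not in_mgmt(ip):
            findings.add((ip, "admin path from outside management network"))
        if not BROWSER_UA.match(ua):
            findings.add((ip, "non-browser user agent"))
    for ip, count in per_ip.items():
        if count > VOLUME_LIMIT:
            findings.add((ip, "request volume above threshold"))
    return sorted(findings)

if __name__ == "__main__":
    for ip, reason in triage(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

The findings are leads for review, not verdicts: a non-browser user agent is normal for API clients, so tune the rules against known-good traffic first.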

Common pitfalls

  • Assuming HTTPS means safe. The transport is encrypted but the application can still be vulnerable.
  • Weak TLS settings, expired certificates, or missing certificate validation in clients.
  • Exposing admin endpoints on 443 because it feels normal, without access controls.