HTTP sends data in plain text, without any sort of verification. If you’re a malicious actor it’s a dream.

While you need to understand a little bit of cryptography to fully understand it we can simplify a lot of you just accept public/private keys work. If you want to learn more about it you can read the wiki, but for the time being just accept that there’s a way to generate a pair of keys, a public one you share with the world, and a private one only you know, and that with these it’s possible for people to use the public key to send messages that only you can read, and for you to use the private keys to sign messages in a way that anyone can verify it’s you using the public key.

So, HTTP is just a protocol to send text over the network, anyone can grab a package and read it. To make it secure there are some specific sites that contain a list of sites and their public keys. Your browser has an internal list of these sites. When you try to access, for example Google, your browser contacts one of these sites, and asks for Google’s public key, when it gets it it encrypts the message leaving only the header (which says this message is for Google) unencrypted and sends it. For everyone in the middle of the road they see a message for Google containing garbage, but when Google gets it they use their private keys to read it. Then whatever they reply they can sign it so that you can use the key to verify it came from them.

With that in mind you might have noticed that what the server sends you back is plain text and publicly viewable. Therefore, every time you connect to a website there needs to be a handshake procedure, in short you send a message to the site (encrypted with his public key) telling it to reply to you using a public key you send them, now besides signing the message they also encrypt it using the key you gave them. And voila, no one can know what you said to the server because you encrypted it with its public key, and no one can know what the server told you because it encrypted it with your public key.

This is a simplification of the protocol, but that’s the core idea on how it works. You also might have noticed that everyone can see who you’re talking too, and that there’s no way around that since your message has to reach the server other computers HAVE to know where to send it to. But, if you have access to another computer to use as a Hub, you can send messages to that computer encrypted with its public key where the content is an encrypted message to the site you’re actually trying to access, so no one knows where they go afterwards, and it can then send it to the site you’re trying to access. When it gets the response it can then encrypt it to send to you.

That doesn’t really work if you’re the only one accessing that middle computer, but if lots of people do then it’s impossible to know what message is for who, because from the outside you see a bunch of messages directed to that computer, and a lot of messages from that computer to different sites. Some companies offer this service, its called Virtual Private Network, or VPN for short. Another reason why VPNs are important is that you have the public key on your system, so there’s less surface of attack.