Don’t Rely on the Padlock: What the Lock Icon in Your Browser Really Means

Not much.

For years — decades, even — we’ve been told to make sure that we’re using an “https” connection when connecting to sensitive websites like banks or email providers. That provided a specific level of security that was particularly important and not always present.

Today, it’s ubiquitous. Https is almost everywhere.

As an interesting side effect, the significance of that little https “lock” icon has decreased dramatically.

The https padlock

The tiny lock icon only shows that your browser uses HTTPS, which encrypts your data and proves that the site owns that name. It doesn’t prove the site is legit. Pay attention to a cracked lock icon or error message. Trust the lock for privacy, but judge the website for yourself.

Https defined

Http is the protocol or computer conversational language used for transferring webpages from web servers to your browser.

Https adds two things to http:

• Data encryption
• Identity confirmation

Https encryption

By definition, http is unencrypted. That means anyone with the ability to monitor an http conversation can see what it contains. This might include your ISP, someone within range of the open Wi-Fi hotspot you’re using, or the infrastructure of the internet anywhere between your computer and the website you’re accessing.

Before an https conversation starts, your computer and the remote website agree on an encryption key that is then used to hide the contents of your conversation. Only your browser and the remote website can see what data you’re exchanging, regardless of who might have access to the stream of data.

Https identity confirmation

Before the conversation even begins, though, https also confirms that the remote site is the site it claims to be. Setting up https involves getting a digital certificate from a third party that is assigned to the specific website domain you claim to be.

For example, when you visit askleo.com using https, your browser first confirms that the digital certificate on the server it connects to is the certificate for askleo.com. This protects your conversation from being intercepted and redirected to an impostor site.

Https confirms you’re connected to the site you asked to connect to, not an impostor.

The padlock

The padlock icon is typically at the far right of your address bar, though fewer and fewer browsers bother to display it anymore.

It indicates two things:

• An https connection is being used.
• The https connection is or is not secure.

Https in use

The mere presence of the icon, or some variation of it, tells you that the https protocol is being used. At a minimum, this means your data is being encrypted between your browser and the remote website you’ve connected to.

While encryption is good, it isn’t enough to consider the connection truly secure.

Https security

The icon can indicate normal or some “broken” form of https security.

When the normal icon is displayed, all is well. Your connection is encrypted, and the site you’re connecting to is the site it claims to be.

When the icon has a line through it, is displayed in red, or is replaced by “Not secure” or similar indications, something’s amiss. The primary reasons this happens include:

• The certificate used by the website has expired. (This might be the most common you’ll encounter.)
• The certificate is from an unofficial or unrecognized authority, so the identity of the site cannot be confirmed to match what you asked for.
• The certificate indicates that it’s for a different website than the website you asked for.

At face value, this error means you can’t trust the website you’ve connected to. (In practice, if you know what to look for, it’s not uncommon to use additional information to confirm whether the error is truly significant. For example, we often ignore the error about a certificate having expired if that expiration is less than a day or so. Webmasters occasionally forget to renew.1)

Related

How Can an Https Website Still Not Be Secure?

Surprisingly, it's possible for aspects of an https site to still not be secure, if the site is improperly designed. And it's extremely difficult to tell.
#3461

What the icon does not tell you

I chose my words above very carefully:

“…https also confirms that the remote site is the site it claims to be…”

This is not the same as:

“….https confirms that the remote site is the site you think it is.”  Https does not do this.

Here are two examples of sites that may have valid https certificates and show a normal https lock icon:

• www.ebay.com
• www.ebay.com.somerandomservice.com

The first is legitimate. The second might be a scammer trying to fool you, but the status of https will not tell you that anything is wrong.

Why?

Https is everywhere

Originally, https certificates cost money. This acted as both a barrier to entry and added a level of accountability.

To improve privacy and other aspects of online security, https certificates can now be acquired for free. This is great for website owners with several websites, who would otherwise have to choose between the privacy and security https provides versus the recurring cost of a certificate for each site.

Now, anyone can easily set up https for their websites for free.

And anyone, of course, includes scammers.

Since most websites now use https, its significance has faded. Many browsers don’t bother to show the padlock unless there’s a problem.

Podcast audio

Download (right-click, Save-As) (Duration: 8:06 — 7.5MB)

Subscribe: RSS