Not much.
For years — decades, even — we’ve been told to make sure that we’re using an “https” connection when connecting to sensitive websites like banks or email providers. That provided a specific level of security that was particularly important and not always present.
Today, it’s ubiquitous. Https is almost everywhere.
As an interesting side effect, the significance of that little https “lock” icon has decreased dramatically.
Become a Patron of Ask Leo! and go ad-free!
The https padlock
The tiny lock icon only shows that your browser uses HTTPS, which encrypts your data and proves that the site owns that name. It doesn’t prove the site is legit. Pay attention to a cracked lock icon or error message. Trust the lock for privacy, but judge the website for yourself.
Https defined
Http is the protocol or computer conversational language used for transferring webpages from web servers to your browser.
Https adds two things to http:
- Data encryption
- Identity confirmation
Https encryption
By definition, http is unencrypted. That means anyone with the ability to monitor an http conversation can see what it contains. This might include your ISP, someone within range of the open Wi-Fi hotspot you’re using, or the infrastructure of the internet anywhere between your computer and the website you’re accessing.
Before an https conversation starts, your computer and the remote website agree on an encryption key that is then used to hide the contents of your conversation. Only your browser and the remote website can see what data you’re exchanging, regardless of who might have access to the stream of data.
Https identity confirmation
Before the conversation even begins, though, https also confirms that the remote site is the site it claims to be. Setting up https involves getting a digital certificate from a third party that is assigned to the specific website domain you claim to be.
For example, when you visit askleo.com using https, your browser first confirms that the digital certificate on the server it connects to is the certificate for askleo.com. This protects your conversation from being intercepted and redirected to an impostor site.
Https confirms you’re connected to the site you asked to connect to, not an impostor.
The padlock
The padlock icon is typically at the far left of your address bar, though fewer and fewer browsers bother to display it anymore.
It indicates two things:
- An https connection is being used.
- The https connection is or is not secure.
Https in use
The mere presence of the icon, or some variation of it, tells you that the https protocol is being used. At a minimum, this means your data is being encrypted between your browser and the remote website you’ve connected to.
While encryption is good, it isn’t enough to consider the connection truly secure.
Https security
The icon can indicate normal or some “broken” form of https security.
When the normal icon is displayed, all is well. Your connection is encrypted, and the site you’re connecting to is the site it claims to be.
When the icon has a line through it, is displayed in red, or is replaced by “Not secure” or similar indications, something’s amiss. The primary reasons this happens include:
- The certificate used by the website has expired. (This might be the most common you’ll encounter.)
- The certificate is from an unofficial or unrecognized authority, so the identity of the site cannot be confirmed to match what you asked for.
- The certificate indicates that it’s for a different website than the website you asked for.
At face value, this error means you can’t trust the website you’ve connected to. (In practice, if you know what to look for, it’s not uncommon to use additional information to confirm whether the error is truly significant. For example, we often ignore the error about a certificate having expired if that expiration is less than a day or so. Webmasters occasionally forget to renew.1)
Related
How Can an Https Website Still Not Be Secure?
Surprisingly, it's possible for aspects of an https site to still not be secure, if the site is improperly designed. And it's extremely difficult to tell.#3461
What the icon does not tell you
I chose my words above very carefully:
“…https also confirms that the remote site is the site it claims to be…”
This is not the same as:
“….https confirms that the remote site is the site you think it is.” Https does not do this.
Here are two examples of sites that may have valid https certificates and show a normal https lock icon:
- www.ebay.com
- www.ebay.com.somerandomservice.com
The first is legitimate. The second might be a scammer trying to fool you, but the status of https will not tell you that anything is wrong.
Why?
Https is everywhere
Originally, https certificates cost money. This acted as both a barrier to entry and added a level of accountability.
To improve privacy and other aspects of online security, https certificates can now be acquired for free. This is great for website owners with several websites, who would otherwise have to choose between the privacy and security https provides versus the recurring cost of a certificate for each site.
Now, anyone can easily set up https for their websites for free.
And anyone, of course, includes scammers.
Since most websites now use https, its significance has faded. Many browsers don’t bother to show the padlock unless there’s a problem.
Do this
Simply remember this: the https padlock indicates a connection is secure, but it does not mean the website you’re connecting to is secure or trustworthy. That’s a different discussion.
Pay attention if the padlock or your browser indicates there’s a problem with the https connection.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Podcast audio
Footnotes & References
1: I can speak to this with the voice of experience.
Hi Leo,
Today, AS USUAL, when I came to your email message I thought, “OMG, Another one? Now what.”
And AS USUAL, I quickly read through the intro.
Today, and which happens QUITE OFTEN, I decided to continue reading into the body of the message.
And AS USUAL, when I completely read through the entire article, I WAS GLAD THAT I DID!!
Thanks Leo
Where can I get an HTTPS for free?
It’s an https certificate, and you can get it at https://letsencrypt.org/. It’s not trivial do to manually, but many website management tools can do it as well.
“The padlock icon is typically at the far right of your address bar”. Don’t you mean Left?
And as you said, it’s not always a padlock. On Chrome, this is what I get:
In that case, it’s the position, not necessarily the icon that matters.
The other right.
Fixed.
Hi Leo, thanks, food for thought. When I was first setting up my first website I added a Sectigo certificate to my site, later my host or rather CyberPanel switched to LetsEncrypt only and now I cannot re-apply my Sectigo certificate at all. To me the addition of a third party cert with it’s extra buyer protection and logo on my site which could be clicked upon for extra information would be a confidence booster on my hobby/startup website. Would it be better for me to change to a panel that supports 3rd party certs such as Sectigo. Jim.
Typical, as soon as I ask for advice I find the answer, what happened was an update on my host blew out my Sectigo cert and they reverted it to their own LetsEncrypt SSL issue. In trying to fix it I viewed the hosts ‘Issue SSL’ (which just applies LetsEncrypt). However pursuing further after reading your article I took a look sideways, so to speak, and found that via CyberPanel, it was possible to re-apply my Sectigo Cert, so I was looking in the wrong place. This requirement to re-issue annually is a real pain. Anyway, thanks Leo , your article gave me the nudge I required. However what you say is really that the value of an SSL can be misleading to a buyer on an ecommerce site especially when it’s just a free LetsEncrypt, I think that a Sertigo EssentialSSL is better at only a modest fee, your views? Jim
Most people don’t care. Most people don’t look, and of those most wouldn’t understand the difference. IMO it’s not worth it. You can see askleo.com uses LetsEncrypt, all handled transparently by my site management software.
Honestly, unless there’s some really compelling reason your site/niche would benefit from a paid certificate, I’d not take on the work of moving to a different management panel.