
Don’t Rely on the Padlock: What the Lock Icon in Your Browser Really Means

Not much.

Https is important, but now that it's ubiquitous, the padlock tells you less than you might think. I'll explain what I mean and why that is.
https padlock
(Image: canva.com)

For years — decades, even — we’ve been told to make sure that we’re using an “https” connection when connecting to sensitive websites like banks or email providers. That provided a specific level of security that was particularly important and not always present.

Today, it’s ubiquitous. Https is almost everywhere.

As an interesting side effect, the significance of that little https “lock” icon has decreased dramatically.


TL;DR:

The https padlock

The tiny lock icon only shows that your browser is using https, which encrypts your data and confirms that the site holds a valid certificate for that name. It doesn't prove the site is legitimate. Pay attention to a broken lock icon or an error message. Trust the lock for privacy, but judge the website for yourself.

Https defined

Http is the protocol or computer conversational language used for transferring webpages from web servers to your browser.

Https adds two things to http:

Https icon on askleo.com. (Screenshot: askleo.com)

Https encryption

By definition, http is unencrypted. That means anyone with the ability to monitor an http conversation can see what it contains. This might include your ISP, someone within range of the open Wi-Fi hotspot you’re using, or the infrastructure of the internet anywhere between your computer and the website you’re accessing.

Before an https conversation starts, your computer and the remote website agree on an encryption key that is then used to hide the contents of your conversation. Only your browser and the remote website can see what data you're exchanging, regardless of who might have access to the stream of data. (What an observer can typically still see is which site you're talking to: the site's name travels in the clear in the DNS lookup and at the start of the connection, even though the pages themselves are encrypted.)

Https identity confirmation

Before the conversation even begins, though, https also confirms that the remote site is the site it claims to be. Setting up https involves getting a digital certificate from a certificate authority that browsers trust, issued for the specific domain name you claim to be.

For example, when you visit askleo.com using https, your browser first checks that the certificate presented by the server it connects to is valid for the name askleo.com and was issued by an authority the browser trusts. This protects your conversation from being silently intercepted and redirected to an impostor server pretending to be askleo.com.

Https confirms you’re connected to the site you asked to connect to, not an impostor.

The padlock

The padlock icon typically sits at the left end of your address bar, just before the site's address, though fewer and fewer browsers bother to display it anymore.

It indicates two things:

  • An https connection is being used.
  • Whether the certificate checks passed or something went wrong.

Https in use

The mere presence of the icon, or some variation of it, tells you that the https protocol is being used. At a minimum, this means your data is being encrypted between your browser and the remote website you’ve connected to.

While encryption is good, it isn’t enough to consider the connection truly secure.

Https security

The icon can indicate normal or some “broken” form of https security.

Https error. (Screenshot: askleo.com)

When the normal icon is displayed, all the checks passed. Your connection is encrypted, and the site you're connecting to holds a valid certificate for the name you asked for.

When the icon has a line through it, is displayed in red, or is replaced by “Not secure” or similar indications, something's amiss. The primary reasons this happens include:

  • The certificate used by the website has expired. (This might be the most common you'll encounter.)
  • The certificate was issued by an authority your browser doesn't trust (including a self-signed certificate), so the identity of the site cannot be confirmed to match what you asked for.
  • The certificate is for a different website name than the one you asked for.
  • The page itself was delivered over https, but some of its content (images, scripts) is being loaded over plain http, so part of what you see is unprotected.

At face value, this error means you can’t trust the website you’ve connected to. (In practice, if you know what to look for, it’s not uncommon to use additional information to confirm whether the error is truly significant. For example, we often ignore the error about a certificate having expired if that expiration is less than a day or so. Webmasters occasionally forget to renew.1)
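To make the checks behind the padlock concrete, here is an added example (not code from the Ask Leo! article, and not how any particular browser is written) that runs the two checks that produce the "expired" and "wrong website" errors above: does the requested name match one of the names in the certificate, and is today inside the certificate's validity window? The certificates are constructed dictionaries, not real askleo.com certificates, and a real browser does more than this, in particular verifying the certificate authority's signature chain, which this example does not attempt.

```python
"""Added example: the name-match and validity-window checks a browser performs
before showing a normal padlock, run over constructed certificate data.
Not from the Ask Leo! article; the certificates below are made up."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against the host the user asked for.

    Follows the usual browser rule (RFC 6125): comparison is case-insensitive,
    and a wildcard is allowed only as the entire leftmost label, where it
    matches exactly one label. So "*.askleo.com" covers "www.askleo.com" but
    not "askleo.com" itself and not "a.b.askleo.com".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole first label, and must not cover a bare TLD
    # such as "*.com"; label counts must match exactly.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_certificate(cert: dict, requested_host: str, now: datetime) -> list[str]:
    """Return the padlock-breaking problems found, or [] when all is well.

    `cert` is a simplified stand-in for a real certificate with just the
    fields these checks read: the names it is valid for and its dates.
    """
    problems: list[str] = []
    if now < cert["not_before"]:
        problems.append("not yet valid")
    if now > cert["not_after"]:
        problems.append("expired")
    if not any(hostname_matches(n, requested_host) for n in cert["subject_alt_names"]):
        problems.append(f"certificate is not for {requested_host}")
    return problems


# Constructed sample data (assumption for the demo, not real certificates).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
GOOD_CERT = {
    "subject_alt_names": ["askleo.com", "*.askleo.com"],
    "not_before": NOW - timedelta(days=30),
    "not_after": NOW + timedelta(days=60),
}
# Same certificate, but its end date passed six hours ago: the "webmaster
# forgot to renew" case from the article.
EXPIRED_CERT = dict(GOOD_CERT, not_after=NOW - timedelta(hours=6))


def demo() -> dict[str, list[str]]:
    """Run the checks over a few requests and report what the padlock would say."""
    return {
        "askleo.com": check_certificate(GOOD_CERT, "askleo.com", NOW),
        "www.askleo.com": check_certificate(GOOD_CERT, "www.askleo.com", NOW),
        "a.b.askleo.com": check_certificate(GOOD_CERT, "a.b.askleo.com", NOW),
        "askleo.com (expired cert)": check_certificate(EXPIRED_CERT, "askleo.com", NOW),
        "www.ebay.com (askleo cert)": check_certificate(GOOD_CERT, "www.ebay.com", NOW),
    }


if __name__ == "__main__":
    for request, problems in demo().items():
        print(f"{request:30} -> {'normal padlock' if not problems else ', '.join(problems)}")
```

Note what the name check does and does not do: a certificate for askleo.com is rejected when you asked for www.ebay.com, but a certificate for www.ebay.com.somerandomservice.com would pass for exactly that name, because that is the name the certificate was issued for. That is the gap the rest of the article is about.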

What the icon does not tell you

I chose my words above very carefully:

“…https also confirms that the remote site is the site it claims to be…”

This is not the same as:

“…https confirms that the remote site is the site you think it is.” Https does not do this.

Here are two examples of sites that may have valid https certificates and show a normal https lock icon:

  • www.ebay.com
  • www.ebay.com.somerandomservice.com

The first is legitimate. The second might be a scammer trying to fool you, but https will not tell you that anything is wrong: the server really is www.ebay.com.somerandomservice.com, and its certificate really is for that name. Read the address from the right-hand end: the site you're actually connecting to is somerandomservice.com, and "www.ebay.com" is just a subdomain its owner chose.
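Here is an added example (not from the Ask Leo! article) of reading a link the way a browser does, from the right-hand end of the host name, to find which site a link actually leads to. Beyond the article's one example it also handles two other tricks that a padlock won't flag: a "user@" prefix in the address, which browsers discard, and a port number. The public-suffix table is a three-entry stub I constructed for the demo; real code should use the full Public Suffix List from publicsuffix.org.

```python
"""Added example: which site does a link really lead to?
Not code from the Ask Leo! article; the links below are constructed."""
from __future__ import annotations

from urllib.parse import urlsplit

# Stub standing in for the Public Suffix List (assumption for the demo).
# A real implementation loads the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "net", "co.uk"}


def registrable_domain(hostname: str) -> str | None:
    """Return the part of the host name that someone had to register.

    Works from the right: find the longest public suffix, then keep exactly
    one more label. "www.ebay.com.somerandomservice.com" becomes
    "somerandomservice.com", because everything to the left of that was
    chosen freely by whoever registered somerandomservice.com.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the host is itself a public suffix
            return ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def actual_site(url: str) -> str | None:
    """Return the registered site a URL connects to, as a browser would see it."""
    host = urlsplit(url).hostname  # drops scheme, "user@" prefix, port and path
    if host is None:
        return None
    return registrable_domain(host)


# Constructed sample links, in the style of the article's example.
SAMPLE_LINKS = [
    "https://www.ebay.com/signin",
    "https://www.ebay.com.somerandomservice.com/signin",
    "https://www.ebay.com@somerandomservice.com/signin",
    "https://signin.ebay.com:443/ws",
    "https://shop.example.co.uk/",
]


def demo() -> dict[str, str | None]:
    """Map each sample link to the site it actually reaches."""
    return {url: actual_site(url) for url in SAMPLE_LINKS}


if __name__ == "__main__":
    for url, site in demo().items():
        print(f"{url:55} -> {site}")
```

Every one of these links can carry a perfectly valid certificate and a normal padlock. Only the rightmost part of the host name tells you who you are dealing with.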

Why?

Https is everywhere

Originally, https certificates cost money. That cost acted as a barrier to entry and added a level of accountability.

To improve privacy and other aspects of online security, https certificates can now be acquired for free. This is great for website owners with several websites, who would otherwise have to choose between the privacy and security https provides versus the recurring cost of a certificate for each site.

Now, anyone can easily set up https for their websites for free.

And anyone, of course, includes scammers.

Since most websites now use https, its significance has faded. Many browsers don’t bother to show the padlock unless there’s a problem.

Do this

Simply remember this: the https padlock indicates that the connection is secure, but it does not mean the website you're connecting to is secure or trustworthy. That's a different discussion.

Pay attention if the padlock or your browser indicates there’s a problem with the https connection.



Footnotes & References

1: I can speak to this with the voice of experience.

4 comments on “Don’t Rely on the Padlock: What the Lock Icon in Your Browser Really Means”

  1. Hi Leo,
    Today, AS USUAL, when I came to your email message I thought, “OMG, Another one? Now what.”

    And AS USUAL, I quickly read through the intro.

    Today, and which happens QUITE OFTEN, I decided to continue reading into the body of the message.

    And AS USUAL, when I completely read through the entire article, I WAS GLAD THAT I DID!!

    Thanks Leo

  2. “The padlock icon is typically at the far right of your address bar”. Don’t you mean Left?

    And as you said, it's not always a padlock. On Chrome, this is what I get:
    (Screenshot: not always a lock icon.) In that case, it's the position, not necessarily the icon that matters.

