You’re justified in asking these questions. I suspect that there’s actually something that you’re missing on screen, which is fine.
I do want to cover just exactly what that padlock does (and does not) mean and what the https is all about.
Signs of a secure site
If you go to an https site, there’s a padlock somewhere, depending on the browser you’re using. You can test this out yourself by visiting an https site.
I’ll throw out https://secure.pugetsoundsoftware.com. That’s just a little example site of my own, but it has a valid certificate and displays a little green padlock to the left of the URL (in Chrome).
Extended validation certificates
There’s also something called extended validation (EV) certificates, which some sites use. If you go to https://paypal.com, that will actually show you a slightly different item in place of the padlock.
In my case, the beginning of the address bar displays a bar with the padlock and the name of the entity (in this case, Paypal.com). That is a level of additional verification.
The issue with the extended validation certificates is simply that they are harder and more expensive to get. You have to prove a few more things about who you are before those certificates will get issued and obviously, you end up having to pay more money. They’re perfect for things like banks, PayPal, and those kinds of scenarios.
Warning signs on a secure site
Now, the padlock may occasionally show up with a line through it, in red, or something else. That typically means something’s wrong.
Usually, it’s an expired certificate, sometimes it’s a server misconfiguration, sometimes it’s user error (Ask Leo!, above, is not available over https). It could also be a clock problem; certificates are time and date based, so if the clock on your PC is wrong, then the validation of the certificate could fail.
It also may mean that the site has been hacked or you have malware on your machine.
In short, if the browser alerts you that something’s wrong with the certificate, don’t just blindly accept it.
Https should typically be safe as long as the padlock icon indicates that the certificate is correct. Then you know that you’re visiting the site that you believe you are visiting. But that padlock does need to be somewhere and if you can’t find it or it disappears for some reason, I would absolutely be suspicious. Take a breath and figure out what’s going on before you hand over any of your personal information.
Leo, when using Firefox 22.0 to navigate to https://secure.pugetsoundsoftware.com, the padlock icon doesn’t show up in green color – instead, it is gray color. Surprisingly, the same is true for a few of the major financial institutions I checked out (Wells Fargo and Chase Bank). The “https” is present but the padlock icon is gray color at those websites. Is this something users should be concerned about? Thanks…
That grey padlock is Firefox’ sign of a good https: SSL site. I just checked a dozen known to be secure https: sites. The gray ones are https: The green ones are https: with an additional validation certificate. Google Chrome shows the https: padlock in green.
https with grey padlock means the site may be safe but may have some content which is without https, such as images or other similar uploads.
No, I think that Firefox has a completely different system than Chrome, so I would look up something like “Firefox Search bar lock symbol meaning”.
Occasionally I come across that ‘ .. certificate is out of date or invalid’ type messages even with apparently reputable sites. Just what does that ‘validity’ imply or mean, and how worried should we be when we get those messages?
Hi Leo,
Here is the latest Firefox update (Firefox 23) specifically regarding “The Lock” icon. Please note further down in the blog the phrase, “But since the page is not fully encrypted the user will not see the lock icon in the location bar.” Please read the entire blog for a more detailed explanation.
I just wanted to bring this to the attention of anyone interested in the lock icon.
Mozilla Security Blog
Mozilla
Mixed Content Blocking in Firefox Aurora
May 16 2013
Firefox 23 moved from Nightly to Aurora this week, bundled with a new browser security feature. The Mixed Content Blocker is enabled by default in Firefox 23 and protects our users from man-in-the-middle attacks and eavesdroppers on HTTPS pages.
When an HTTPS page contains HTTP resources, the HTTP resources are called Mixed Content. With the latest Aurora, Firefox will block certain types of Mixed Content by default, providing a per-page option for users to “Disable Protection” and override the blocking.
What types of Mixed Content are blocked by default and what types are not? The browser security community has divided mixed content into two categories: Mixed Active Content (like scripts) and Mixed Passive Content (like images). Mixed Active Content is considered more dangerous than Mixed Passive Content because the former can alter the behavior of an HTTPS page and potentially steal sensitive data from users. Firefox 23+ will block Mixed Active Content by default, but allows Mixed Passive Content on HTTPS pages. For more information on the differences between Mixed Active and Mixed Passive Content, see here.
Mixed Content Blocker UI
Designing UI for security is always tricky. How do you inform the user about a potential security threat without annoying them and interrupting their task?
Larissa Co (@lyco1) from Mozilla’s User Experience team aimed to solve this problem. She created a Security UX Framework with a set of core principles that drove the UX design for the Mixed Content Blocker.
When a user visits an HTTPS page with blocked Mixed Active Content, they will see a shield icon in the location bar:
Clicking on the shield, the user will see options to “Learn More”, “Keep Blocking”, or “Disable Protection on This Page”:
If a user decides to “Keep Blocking”, the notification in the location bar will disappear:
If the user decides to Keep Blocking, the shield will disappear.
On the other hand, if a user decides to “Disable Protection on This Page”, all mixed content will load and the lock icon will be replaced with a yellow warning sign:
Yellow Warning Triangle appears after the user Disables Protection
When a user visits an HTTPS page with Mixed Passive Content, Firefox will not block the passive content by default. But since the page is not fully encrypted, the user will not see the lock icon in the location bar:
A page with Mixed Passive Content will show the Globe icon instead of the Lock icon.
Compatibility
We have a master tracking bug for websites that break when Mixed Active Content is blocked in Firefox 23+. In addition to websites that our users have been reporting to us, we are running automated tests on the Top Alexa websites looking for pages with Mixed Active Content. If you run into a compatibility issue with a website involving mixed content, please let us know in the master bug, or take a step further and contact the website to let them know. Chances are, their website is also broken on Chrome and/or Internet Explorer. Chrome and Internet Explorer also have Mixed Content Blockers, but their definitions of Mixed Active and Mixed Passive Content differ slightly from Firefox’s definition.
Want to learn more?
Still curious and want to learn more details about the Mixed Content Blocker in Firefox? Check out this more detailed blog post or feel free to ask us questions on mozilla.dev.security.
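The active/passive split described in the Mozilla post quoted above, as an added example that is not part of the original comments or Mozilla's code: a Python scanner that lists the `http://` resources an HTTPS page pulls in and reports the location-bar state the post describes for Firefox 23 defaults. The tag lists, function names, and sample hostnames are assumptions; the lists go beyond the post's two examples (scripts and images) to other commonly loaded subresources.

```python
"""Classify mixed content on an HTTPS page (added example, constructed input)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed tag/attribute lists, modelled on the post's split between
# Mixed Active Content (scripts) and Mixed Passive Content (images).
# Browsers draw the line slightly differently.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base_url = page_url      # changed by a <base href> element
        self.findings = []            # (category, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attr = {name: (value or "").strip() for name, value in attrs}
        if tag == "base" and attr.get("href"):
            # A <base> pointing at http:// silently downgrades every
            # relative URL that follows it.
            self.base_url = urljoin(self.page_url, attr["href"])
        elif tag == "link":
            # Stylesheets can change the page, so count them as active.
            if "stylesheet" in attr.get("rel", "").lower().split():
                self._check("active", tag, attr.get("href"))
        elif tag in ACTIVE:
            self._check("active", tag, attr.get(ACTIVE[tag]))
        elif tag in PASSIVE:
            self._check("passive", tag, attr.get(PASSIVE[tag]))
        # <a href> is deliberately ignored: a hyperlink is navigation,
        # not a resource loaded into the current page.

    def _check(self, category, tag, url):
        if not url:
            return
        # Relative and protocol-relative (//host/path) URLs inherit the
        # scheme of the base URL, so resolve before testing the scheme.
        absolute = urljoin(self.base_url, url)
        if urlparse(absolute).scheme == "http":
            self.findings.append((category, tag, absolute))


def scan(page_url, html):
    """Return mixed-content findings for an HTTPS page, in document order."""
    if urlparse(page_url).scheme != "https":
        return []   # mixed content is only defined for HTTPS pages
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def firefox23_indicator(findings):
    """Location-bar state the Mozilla post describes for Firefox 23 defaults."""
    categories = {category for category, _, _ in findings}
    if "active" in categories:
        return "shield"   # active content blocked, shield icon shown
    if "passive" in categories:
        return "globe"    # passive content loads, lock icon replaced
    return "lock"


# Constructed sample page; all hostnames are placeholders.
SAMPLE_PAGE_URL = "https://shop.example.test/checkout"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.test/lib.js"></script>
<script src="//cdn.example.test/ok.js"></script>
</head><body>
<img src="http://images.example.test/logo.png">
<img src="https://images.example.test/banner.png">
<a href="http://other.example.test/">plain link, navigation only</a>
<iframe src="http://ads.example.test/frame.html"></iframe>
</body></html>
"""

if __name__ == "__main__":
    results = scan(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for category, tag, url in results:
        print(f"{category:8} <{tag}> {url}")
    print("indicator:", firefox23_indicator(results))
```

Site owners can run a check like this over rendered templates before deployment; it inspects static markup only, so resources injected by scripts at run time are not seen.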
I’m getting a lock with a yellow triangle in it on a site.
(The site uses SSL, but Google Chrome has detected insecure content on the page. Be careful if you’re entering sensitive information on this page. Insecure content can provide a loophole for someone to change the look of the page.)
Would I be silly to enter my credit card details here?
You definitely aren’t silly to mistrust a site like that. That message normally means that the stuff that is supposed to be secure is encrypted and there is other unencrypted information on the page. I said “supposed to be” because you can never be 100% sure that they got it right. Personally, I wouldn’t enter my credit card information on this kind of page.
http://ask-leo.com/can_i_get_rid_of_the_this_page_contains_both_secure_and_nonsecure_items_warning.html
I got a website with a yellow browser, but said that someone on the network can change the look of the page. What does that mean? And if it’s not so good, unfortunately I’ve already bought something from the site.
Hi Leo – earlier in 2014 Yahoo announced they would be making all Yahoo Mail HTTPS enabled by default. When I first sign-in to Yahoo Mail, the HTTPS padlock comes up. But after I open an email sent from what I assume to be an insecure server, the padlock and HTTPS disappear from the URL bar, and do not return when I send emails. I have assumed that because HTTPS is not visible that my email about to be sent is NOT secure, and that I should NOT send important documents such as scans of credit cards, etc. Would you say that I’m right in this assumption, or is the initial appearance of HTTPS in my URL bar enough to assure me that the emails I’m ABOUT to send are secure?
https should persist, so yes – I agree with your concern. (And I’m somewhat surprised that Yahoo! might be switching back to non-https.)
Thanks much for your reply. Within about 2 seconds of clicking on an email in my Yahoo! inbox, the Padlock symbol and HTTPS disappear from the URL, and I’m left with seeing only us-mg5.mail.yahoo.com/ etc. HOWEVER, I discovered something today…when I went to copy & paste you the start of the address, the paste result began as follows : https://us-mg5.mail.yahoo.com … Interesting, huh? Nor can I use the back arrow to reveal a hidden HTTPS in the URL. It is totally hidden from me in the URL, but I guess not to my computer. So the question remains, is Yahoo! Mail secured by HTTPS or not? A glance at the URL bar says “No.” (No visual proof of HTTPS) Copying and pasting the URL says “Yes.” I’m not totally convinced of the security of the email either way. Any thoughts?
Follow-up comment to last post. I tested Yahoo! mail using a different browser and you know what I found? There initially appears a Green Padlock with HTTPS, and after clicking on an email in the inbox it changes to a Grey Padlock with a yellow triangle warning (HTTPS remains visible in URL). So the complete disappearance of HTTPS in my URL must have been a browser feature/issue. I must say that this does NOT happen when I’m logged into my Gmail account. I couldn’t find out much about the yellow triangle online. Should I be concerned by that warning about not sending/receiving content that I wish to keep secure?
A Ha! That means that the email message you are viewing contains some non-https content itself. Typically that’s an image embedded in the email. That should only appear if images are enabled for that sender. If images are disabled then the browser should not try to fetch those things, and thus there should be no yellow triangle. My bottom line: it’s secure when reading email from legitimate sources.
I have the same issue with the green lock turning grey with yellow triangle. This happens on every single email no matter what. I refresh the page, it goes green, and I click on an email, then right back where I started with the yellow warning sign. This has been happening for several years, I believe. Do I need to get away from Yahoo? It seems this may have started when there was a virus going around through Yahoo, but it’s been going so long I have forgotten. Possibly time to ditch Yahoo? Thank you for any input.
Leo’s comment above is actually your answer too. There is nothing wrong with Yahoo. The actual email you are viewing has images from an insecure page, or something like that. Happens in every Yahoo account.
When I go on Facebook the padlock is green https:/which tells me it is secure…but when I go on games, and play scrabble games I get a yellow triangle on top…..Which when I hit on it tells me that attackers can change the look of the page and that your connection to these games are not secure…………should I be alarmed???? I went on google chrome because I could not open videos,and some games. So what would you recommend Leo…will you e-mail me….I want a good fast browser that is secure when I play games as well as security to my list of people.. Can I change so these games are more secure???
Games on Facebook are not necessarily secure or safe. It has nothing to do with your browser. Any browser you use will (or should) show the same result. The safety of any game lies within that game itself – who produced it, and why they produced it. Really, in the long run, the only way to be safe is to do regular backups of your computer. Then you can always recover. And also make sure that you have all your recovery information set for your Facebook page, your email accounts, and all online accounts. Which is the exact same things everyone should be doing whether they play games on Facebook or not.
Until 2 days ago the yellow triangle appeared when I was on a ‘mixed’ page, and would disappear when I would get off of it and ‘refresh’. No problem—I understood why this happened and knew what to do about it.
Now I am getting the yellow triangle on both my mail sign in page, and on my mail page after I do so. Does not go away, refresh or not. Does not go away when I sign in, open email, anything.
Strangely, when I get on my mail from another computer it is OK. So far.
I am very uneasy. This is a new development and there is no obvious cause…no new anything. No crashes, no new software, no apparent reason at all. AND nothing is affected other than my mail.
I use Google Chrome. Other computer mentioned above uses it too.
WHAT is going on???????? Why now? Why just my mail? Is it safe?
Any (simple) advice, hints, or reassurance would be welcome.
Thanks.
Thanks for sharing this article discussing how to do online transactions with full security. Numerous people will be benefited out of your writing….
As Gibson Research has shown, unless you are seeing the green padlock in the address bar, even an https connection may have a different fingerprint.
Read more about it here. https is no longer enough. You must have the EV Certificate.
https://www.grc.com/fingerprints.htm
Hello
When I go to the Outlook login screen, most of the times I see the green padlock, then it says Microsoft Corporation [US] and then https://login.live.com…… and so on (and if I click on the green padlock, it says 256 bit encryption). There are some times (every two days or so) when I don’t see Microsoft Corporation [US] but the green padlock is there (if I click it it says 128 bit encryption) and the address is the same https://login.live.com……. Why does this happen? When I have the 128 encryption instead of 256 and I don’t see Microsoft Corporation [US], am I still on the good site? Are there any problems when it happens?
Thank you!
I have no idea why this is happening other than the fact that Microsoft has many servers and perhaps you just happen to be sent to ones with different levels of encryption. For a normal user, 128 bit should provide sufficient protection as it would take a super computer a long time to crack that at an extremely high cost.
Thank you for your reply.
I was worried because I thought at first that maybe it was a phishing scam or a fake site, since the encryption level changes from time to time and I don’t see Microsoft Corporation [US] all the time.
When I open my bank site, it shows me a green padlock in Chrome. Does that mean I am secure or insecure on the site?
A green padlock means you are protected.
Green means safe.
What about the white paper symbol? I have the WOT browser extension as well, but considering that they go by internet surfer reviews, it’s hard to tell sometimes. And for some reason whenever I use Yahoo mail, I get the yellow hazard symbol instead of the padlock. I have checked my computer for malware and as far as I know, it’s malware free.
I keep getting the yellow triangle with exclamation point on my bank website, where the login is! I am terrified to trust it without updated certificates. How do I go about getting the proper certificates in Chrome? I guess I don’t even know where these “certificates” come from. Can they be downloaded? In settings, I find a spot that has trusted certificates listed. Go Daddy is one of them, but Chase Bank is not? But I have no idea where to acquire them if I need one! Any advice?
I have the same in my Chrome for Chase.com. And a message saying they are using outdated security standards. Believe it or not, I saw that on Microsoft.com the other day. When I go to chase.com using Firefox it is showing okay on security.
So that brings up an interesting question. You could simply use Firefox so that you have green showing for the security certificate — BUT it’s really the same security protocol on the site. The security on the bank is the same no matter which browser you are using, the two browsers are just interpreting it differently. In the end the choice is up to you. Use the security protocol they have in place and trust – or call the bank and complain.
Certificates are not things you normally need to install yourself. It all should be handled transparently by the websites you visit in the browsers you use. Your website may be out of date, or perhaps your browser’s being extra picky. One thing to try is another browser.
Ah, thank you both! I did notice that Firefox is ok with Chase security after asking the question. So, at least I know I can feel more secure by using a different browser AND I will check to see if my Chrome is up to date as well.
Thanks again.
Whenever I access a website through my phone and I go to a secure page i.e. Tesco Groceries login, the padlock changes to a grey unlocked one – does this suggest that I have malware on my mobile and if so, what’s the best way to get rid of it as I use my phone a lot for online shopping and mobile banking? I already have antivirus on my phone which doesn’t show any problems but I’m worried in case there’s something hidden. Thanks
Unlikely that it’s malware is about all I can say. Typically it’s a poorly coded mobile website.
Yes, it also shows a grey https://, which The connection to askleo.com is encrypted using an obsolete cipher suite. this means Your connection to the site is encrypted, but Google Chrome has found something on the page that could be unwanted images or ads. We suggest you don’t enter private or personal information on this page or Google Chrome can see the site’s certificate, but the site uses a weak security setup (SHA-1 signatures), so your connection might not be private or Proceed with caution. These are common mistakes in websites’ configurations, but that doesn’t guarantee that your connection is secure.
There is a move afoot to “shame” website owners into upgrading their encryption standards. Unfortunately this is no easy task (seriously, it would be many days worth of work on my part – I’d actually have to move to a newer server). This attempt is backfiring on the browsers so I expect that they’ll back off on this warning at some point. Particularly when it comes to Ask Leo! it’s completely safe to ignore.
When I go to yahoo I noticed that the normal home page is not displaying. I also noticed that the padlock icon in front of the web address is not there. Any ideas? It’s only this iPad. If I type yahoo.com on any other iPad the home page appears properly.
It’s only yahoo, Google is fine.
Try deleting your current shortcut. Type in the website; if all looks normal, then create a new shortcut.
That “might” work. It has for me in the past.
What is the correct term for the “lock icon”. The proper two word term for this logo?
“lock icon” works. Or padlock. There’s no formal name that I’m aware of.
Well, there’s this really popular website called Jollychic and I wanted to check to see if it’s safe, and it has no signs.
I mean there’s no https or a padlock.
There’s absolutely nothing there and I don’t know if I should purchase the clothes from that site.
Sending credit card or bank information on a non https: site can be very dangerous as your financial information can be snatched out of the air. If they have a PayPal payment option, that would protect your financial data, but your address and other information you enter on their page would be out there, potentially available to hackers. It would be a personal decision whether or not to send that information to a non secure site.
Hi Leo,
I ended up on your website because I have just bought and installed an SSL Certificate, my website loads correctly with https, I get no warning from my browser but there is no green lock as I usually see on HTTPS websites. The site is {site removed}.
Hi Leo,
I have a hotmail account. Recently when I sign in the padlock comes on, but once I’m in the account the padlock disappears. I don’t want to send important messages if this means the site is not secure. I get no suitable answers when I google my concern. What must I do to get back the padlock ? I’m not computer savvy.
Sometimes when visiting your site I get an unauthorized script attempting to run.
Why am I getting an i with a circle around it rather than a padlock and HTTPS when I go to http://www.adobe.com or any other website that I know is legitimate and trusted.
If you click on the circle i icon, it will give you information about that site. In the case of Adobe it says “Connection is not secure” (and some information about special permissions). This means it’s not an encrypted connection. It has nothing to do with the site being legitimate or trusted. Many legitimate websites don’t opt for secure (encrypted) connections. Some experts believe they should, and there is a good argument for it, but it is not required.
If this happens with, say, gmail, or something like that which one would expect to have SSL/TLS, and would not expect to have an expired or misconfigured certificate, what should the user do (in addition to notifying Google)?
Insecure content on a page like GMail sometimes means that a received email on that page has a link to an insecure site. That in itself isn’t a problem as long as you don’t enter sensitive information (passwords, bank information etc.) on that linked page.
Hi, thanks for the reply. I maybe wasn’t clear, but I didn’t mean to ask about a mixed content warning.
I was trying to ask about if there’s a round icon like the entire page is only http (not https at all), like the question I posted under. Why would that be happening?
I suddenly see an i in a circle at the beginning of some trusted websites (google chrome) – when I click on the i it says the page is not secure. Worryingly this also happens with my online banking site. I’m worried that these sites are being redirected somewhere where my keystrokes or information can be accessed. I have uninstalled Chrome and reinstalled it and run virus checks etc. Should I be worried?
I too have started noticing this in Chrome on sites. Facebook has the green lock, but lots of other sites I visit don’t have the green lock only the round circle with !
When I go to my bank I still get the circle ! and when I click on that it says
{link removed} Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
what does this mean is it safe? I am worried, I never noticed this before only the last couple of days
Check out these two, related, articles that may give you more information on that:
* https://askleo.com/why-am-i-getting-security-certificate-errors/
* http://ask-leo.com/why_does_an_https_certificate_work_under_one_browser_but_not_another.html
The Ask Leo stuff on this hacker browser is full of junk because I never get the padlock on my browser and I know for sure that the browser I am using is not the browser I want. Maybe because I ask for Mozilla Firefox and at the bottom of the screen it says do you want to upgrade Mozilla Firefox for a better browser, but in the upper right hand corner it says sign in to Yahoo. I specifically asked for Mozilla Firefox when I set up my browser, yet I continue to get Google or Yahoo as the browser. We are in trouble if we can’t stop this hacker crap. I’ve had 3 computers and 9 phones all having the same bullshit problem. Server error, server certificate unknown, and there is nothing anyone can do to stop it. I’ve had two different computer experts who do the same thing: try to wipe the PC clean and start from scratch, like a factory reset on the phones and PCs, and they never get it back to factory set. You tell me how I get it done. Never does https work on the PC or the phones and I am just fed up, cause I never know when I have my real browser working. This has been going on for 2 1/2 years now and no fix is in sight. I have talked to Microsoft, Time Warner Cable, Verizon, Boost Mobile, H2O, AT&T, Apple, and a few others with no fix in sight. I use a library computer or a flip phone for any internet I use, cause everything I bring into my home is infected. I have had all the companies I mentioned come out and look at the wiring and outside the house and even down the street corner to look at all the possibilities it could be, and nobody has found anything. We are in deep shit if we don’t get better techs in this country. All our cars are run digitally now. What are we gonna do? Answer me that. Sincerely,
frustrated….
PS: and it always says on my computer related articles “https://askleo/blahblahblahetc…” but it never has “https://www.???whateversite???.com”. The www is as important as https, or am I totally in left field? I am really at a loss, cause I don’t know how these guys are taking over my PC. I must have cleaned it 5 times with no luck and the virus/malware/hacker always returning. Now remember, this is on both my computers as well as my smartphones. The only thing they don’t mess with, but try to, is my old flip phone. lllllllllllllllllllllllllllllllllllllll help
This would be left field. “www” has nothing to do with security, https, or anything else. More here: https://askleo.com/why_do_some_website_addresses_have_www_and_some_dont_and_why_do_some_work_with_or_without_the_www/
It sounds like your electronic family had the flu “virus”. Just keeps getting passed around. “Maybe” your Router and/or Modem has been hacked with all your devices linked to it. So even when you get a new router, it will still be on your other devices. As soon as you link one of those devices to your new router, the circle of fire re-ignites. “Try” doing this: copy your PICTURES and CRUCIAL DOCUMENTS onto 2 “SEPARATE” thumb drives or RW DVDs. Then “try” turning all your Wi-Fi links off. Then wipe each device 1 at a time. Make sure their Wi-Fi is disabled. Turn off each device when it’s done. Then get a new router (and) modem (separate). I own my own modem for that reason. Plus I don’t have to pay for a monthly rental from them. (IP) Make sure each device has a (NEW) virus protection account active. Don’t link up everything at the same time. Only link what you “have to”. If your phone has unlimited data, don’t link it to your new engines “yet”. PC only with NO Router at first to see how everything works for a while. If all is good, fire up the (NEW) Router. Make sure “it” is secure (use a password phrase, not just one word). Link up one device at a time for a little while (few days). Then another, etc. That may be way overkill, but that’s what I did. And it did work for me. P.S. If you go somewhere looking for help, Watch Your Mouth. Don’t sound like such an ASS HAT. That’s how NOT to get help. I just did this in case someone else has the same issues with their stuff. Hopefully it helps them.
Hello Leo, Google Chrome shows an exclamation (!) over my domain even if I already have an SSL certificate installed. What am I doing wrong? Thanks.
{url removed}
I’ve run into something that has me confused. I visited a site that shows http in the address bar. When I went to the payment page a pop-up window was opened with no address bar. There were all kinds of verbiage that state the site is secure but how do I verify that I’m connected via https to a site with a valid certificate?
Thanks
It will depend on how the popup is programmed into the page. You may want to try right-clicking on the payment page link and select “open in a new tab” and see if you can get directly to that page. If the popup does not go to a separate page it would be safest to assume it is still in the “http” page from where it was initiated.
Hi Leo. This is my first time on your very informative site. I like it a lot and plan to keep it in my bookmarks.
I’m “kind of” good with computer stuff. But this one has had me stumped for a while..
I’m all about the GREEN PADLOCK before credit card entry. When I’m on my tablet and checking out. Sometimes I get the green lock for a split second. But it changes to GOLD. Stopping me in my tracks from Getting those things that I want. My PC is old but setup well So it is still strong. (VISTA HOME PREMIUM QUAD CORE) so,I know some things are going to need a PLAN B.
i.e. My Tablet. I get a GRAY PADLOCK HTTPS on the VISTA.
I’ve never seen it switch from green to gold. It baffles me every time… Have you any tips on this issue? It will be much appreciated if you do.
There are two types of SSL Certificates: regular (gold) and extended validation (green). The site must be referencing one of each, and the browser defaults to the gold once seen.
Hi,
I have had my new Microsoft edge less than 2 wks. My green lock has disappeared & has turned to gray. How can I get my green Lock to come back? I am getting an i at times also. I do not know what I have done to it…
It’s a function of the web site you’re visiting, so we’d have to know which one that is.
Can you check if the website BTS x Black Friday is a scam? I’ve done multiple checkups but I’m still unsure.
If you’re not sure don’t go there.
Hey all, so I have Comcast/Xfinity with the DOCSIS 3 Router/Modem combo. Recently when logging into my router admin page “10.0.0.1” it doesn’t have the lock icon; instead it has a symbol of a circle with an “i” inside of the circle, and when I click on the “i” it says your connection to this site is not secure. When clicking on details it says this site could not be verified and that my connection is not encrypted. I cannot remember if it’s always been this way or if there used to be a lock there…? I mean, I would think your router’s admin page would be encrypted, but what do I know. Is this normal or… HOUSTON WE HAVE A PROBLEM HERE..?
Thanx for any feedback
I am seeing https, and the website shows a padlock as the site loads. I see the “secure.” portion of the URL. But once the site fully loads, I see the i surrounded by a circle indicating not secure, despite the HTTPS and the “secure.” portion of the URL.
I am using Chrome.
Is this safe?
There’s no yes or no answer — it depends on the site. It can be — most typically it’s just a site that loads an image via http: to their https: page (so-called mixed content) which can be a privacy issue, albeit a minor one.