You’re justified in asking these questions. I suspect that there’s actually something that you’re missing on screen, which is fine.
I do want to cover exactly what that padlock does (and does not) mean, and what the https is all about.
Signs of a secure site
If you go to an https site, there’s a padlock somewhere, depending on the browser you’re using. You can test this out yourself by visiting an https site.
I’ll throw out https://secure.pugetsoundsoftware.com. That’s just a little example site of my own, but it has a valid certificate and displays a little green padlock to the left of the URL (in Chrome).
Extended validation certificates
There’s also something called extended validation certificates, which some sites will use. If you go to https://paypal.com, that will actually show you a slightly different item in place of the padlock.
In my case, the beginning of the address bar displays a bar with the padlock and the name of the entity (in this case, Paypal.com). That is a level of additional verification.
The issue with the extended validation certificates is simply that they are harder and more expensive to get. You have to prove a few more things about who you are before those certificates will get issued and obviously, you end up having to pay more money. They’re perfect for things like banks, PayPal, and those kinds of scenarios.
Warning signs on a secure site
Now, the padlock may occasionally show up with a line through it, in red, or something else. That typically means something’s wrong.
Usually, it’s an expired certificate, sometimes it’s a server misconfiguration, sometimes it’s user error (Ask Leo!, above, is not available over https). It could also be a clock problem; certificates are time and date based, so if the clock on your PC is wrong, then the validation of the certificate could fail.
It also may mean that the site has been hacked or you have malware on your machine.
In short, if the browser alerts you that something’s wrong with the certificate, don’t just blindly accept it.
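To make the date dependence concrete, here is an added example (not part of the original article) that applies the same validity checks to a constructed certificate, using the field layout of Python's `ssl.getpeercert()`. It goes slightly beyond the text by also checking that the certificate names the site in the address bar; the host names, dates and helper names are assumptions made up for illustration.

```python
import ssl
from datetime import datetime, timezone

# Constructed certificate fields, in the dict shape that Python's
# ssl.SSLSocket.getpeercert() returns. Names and dates are made up.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.cdn.example.com")),
    "notBefore": "Mar  1 00:00:00 2024 GMT",
    "notAfter": "Mar  1 00:00:00 2025 GMT",
}


def name_matches(pattern, host):
    """Compare one certificate DNS name with the host in the address bar.
    A leading '*' stands for exactly one label, so *.cdn.example.com
    covers img.cdn.example.com but not cdn.example.com."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h


def diagnose(cert, host, clock):
    """Return the reasons a browser would warn, given the PC's clock."""
    problems = []
    now = clock.timestamp()
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        # On an established site this usually means the PC clock is in the past.
        problems.append("not yet valid")
    elif now > ssl.cert_time_to_seconds(cert["notAfter"]):
        # Either the site let the certificate lapse or the PC clock is ahead.
        problems.append("expired")
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(n, host) for n in names):
        problems.append("name mismatch")
    return problems


def utc(year, month, day):
    """Build a timezone-aware UTC datetime to stand in for the PC clock."""
    return datetime(year, month, day, tzinfo=timezone.utc)


if __name__ == "__main__":
    # Same certificate, same site; only the PC clock changes.
    for clock in (utc(2024, 6, 1), utc(2019, 1, 1), utc(2025, 6, 1)):
        print(clock.date(), diagnose(SAMPLE_CERT, "shop.example.com", clock) or "ok")
```

The same certificate passes or fails depending only on the clock value passed in, which is why checking the PC's date and time is a sensible first step when a familiar site suddenly shows a certificate warning.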
Https should typically be safe as long as the padlock icon indicates that the certificate is correct. Then you know that you’re visiting the site that you believe you are visiting. But that padlock does need to be somewhere and if you can’t find it or it disappears for some reason, I would absolutely be suspicious. Take a breath and figure out what’s going on before you hand over any of your personal information.