HTTPS and SSL Certificates Explained: What the Padlock Really Means
Security Education: This article describes cyber threats for defensive awareness and education purposes only. Understanding how attacks work helps organizations and individuals protect themselves. Never use this information for unauthorized access or malicious purposes.
The padlock icon in your browser’s address bar has become a universal symbol of security online. But many people misunderstand what it actually signifies, and attackers exploit this misunderstanding. HTTPS and SSL/TLS certificates are critical to online security, but they are not a guarantee that a website is trustworthy.
What HTTPS Actually Does
HTTPS (Hypertext Transfer Protocol Secure) encrypts the connection between your browser and the web server using TLS (Transport Layer Security), the modern successor to SSL. This encryption provides three guarantees: confidentiality (no one between you and the server can read the data), integrity (the data cannot be modified in transit without detection), and authentication (the server you are talking to holds the private key for the certificate issued for the domain name you typed, so an impostor on the path cannot pose as it).
When you visit an HTTPS site, your browser and the server perform a TLS handshake. The server presents its SSL/TLS certificate, your browser checks that the certificate chains to one of its trusted Certificate Authorities (CAs), names the domain being visited, and is within its validity period, and both parties agree on encryption keys. All subsequent communication is encrypted.
Without HTTPS, data travels in plaintext. Anyone on the same network, your ISP, or any system routing your traffic can read login credentials, credit card numbers, messages, and any other data exchanged. On HTTP connections, man-in-the-middle attackers can also modify the content you receive, injecting malware or redirecting you to phishing pages.
What the Padlock Does Not Mean
The padlock means your connection is encrypted. It does not mean the website is legitimate, trustworthy, or safe. Attackers obtain SSL certificates for phishing domains easily and cheaply. A study by PhishLabs found that over 80 percent of phishing sites now use HTTPS, displaying the same padlock icon as legitimate sites.
A phishing page at “https://login-paypal-secure.com” shows the padlock, but the domain is not PayPal. The padlock tells you that your connection to the phishing server is encrypted, nothing more. Always verify the actual domain name in the address bar, not just the presence of the padlock.
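To make the distinction concrete, here is an added example (not code from the original article) that reproduces the name and validity checks a browser performs before showing the padlock, then shows that the phishing domain above passes them. Chain validation to a trusted CA is assumed to have already succeeded, the certificates and the "current time" are constructed, and the registrable-domain helper is a naive stand-in for the Public Suffix List.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class CertInfo:
    subject_alt_names: list[str]  # DNS names from the certificate's SAN extension
    not_before: datetime
    not_after: datetime

def host_matches_san(hostname: str, san: str) -> bool:
    """RFC 6125-style DNS-ID match: exact, or a '*' standing for exactly the
    leftmost label (no partial-label wildcards, no matching of the bare domain)."""
    hostname, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if not san.startswith("*."):
        return hostname == san
    h_labels, s_labels = hostname.split("."), san.split(".")
    return len(h_labels) == len(s_labels) >= 3 and h_labels[1:] == s_labels[1:]

def padlock_checks(hostname: str, cert: CertInfo, now: datetime) -> dict:
    """The checks behind the padlock once the chain is trusted: the certificate
    names the host being visited and is within its validity period."""
    name_ok = any(host_matches_san(hostname, san) for san in cert.subject_alt_names)
    time_ok = cert.not_before <= now <= cert.not_after
    return {"name_matches": name_ok, "in_validity": time_ok, "padlock": name_ok and time_ok}

def registrable_domain(hostname: str) -> str:
    """Naive eTLD+1 (assumes a one-label public suffix such as .com; real code
    should consult the Public Suffix List). This is the part the padlock never checks."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])

def is_expected_site(hostname: str, expected: str) -> bool:
    """True only if the URL's registrable domain is the brand's real domain."""
    return registrable_domain(hostname) == expected.lower()

UTC = timezone.utc
NOW = datetime(2025, 1, 15, tzinfo=UTC)  # constructed "current time" for the examples
# Constructed certificates (not real issued certificates): legitimate, phishing DV, expired.
LEGIT_CERT = CertInfo(["paypal.com", "*.paypal.com"], datetime(2024, 12, 1, tzinfo=UTC), datetime(2025, 12, 1, tzinfo=UTC))
PHISH_CERT = CertInfo(["login-paypal-secure.com"], datetime(2025, 1, 10, tzinfo=UTC), datetime(2025, 4, 10, tzinfo=UTC))
EXPIRED_CERT = CertInfo(["paypal.com", "*.paypal.com"], datetime(2023, 12, 1, tzinfo=UTC), datetime(2024, 12, 1, tzinfo=UTC))

if __name__ == "__main__":
    for host, cert in [("www.paypal.com", LEGIT_CERT), ("login-paypal-secure.com", PHISH_CERT), ("www.paypal.com", EXPIRED_CERT)]:
        r = padlock_checks(host, cert, NOW)
        print(f"{host:26} padlock={r['padlock']!s:5} really PayPal={is_expected_site(host, 'paypal.com')}")
```

The phishing host earns the padlock exactly like the real site does; only the comparison of the registrable domain against the brand's real domain, which no browser does for you, separates the two.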
Types of SSL Certificates
Domain Validation (DV) certificates verify only that the requester controls the domain. They can be obtained for free through Let’s Encrypt in minutes. These provide encryption but no assurance about who operates the website. Most phishing sites use DV certificates.
Organization Validation (OV) certificates require the CA to verify that the organization requesting the certificate is legitimate. The CA checks business registration, physical address, and phone number. These provide a moderate level of assurance.
Extended Validation (EV) certificates require the most rigorous verification, including legal identity, physical existence, and operational status of the organization. Browsers used to display the organization name in green next to the address bar for EV certificates, but most browsers have removed this visual distinction.
How Certificates Get Compromised
CA compromises are rare but devastating. The 2011 DigiNotar breach allowed attackers to issue fraudulent certificates for Google, Microsoft, and other major domains, enabling man-in-the-middle attacks against hundreds of thousands of Iranian users. Certificate Transparency logs, now required by major browsers, record every publicly trusted certificate in public, append-only logs that domain owners can monitor, which makes it much harder to issue a fraudulent certificate undetected.
Expired certificates do not provide the same guarantees. The CA's assertion that the key belongs to the domain's owner was only valid until the expiry date, so once it passes the browser can no longer rely on that identity check and displays a warning. Never click through certificate warnings.
Practical Takeaways
Enable HTTPS-First or HTTPS-Only mode in your browser to get a warning before any HTTP connection. Verify the domain name in the address bar, especially when entering credentials. If you suspect a fraudulent certificate, search the Certificate Transparency logs (for example at crt.sh) for certificates issued for the domain. For businesses, implement HSTS (HTTP Strict Transport Security) headers so that browsers that have seen the header (or that carry your domain in the HSTS preload list) refuse to connect to your site over HTTP.
For more on analyzing suspicious URLs, see our phishing URL analysis guide. To understand how attackers create convincing fake websites, read about brand impersonation phishing.