Sometimes that little padlock in your browser’s address bar changes color, gets an extra symbol layered on top of it, or turns into text. Its basic function is pretty obvious: a normal padlock means the site is safe, while a warning symbol or message means it’s not safe, right? Actually, it’s a bit more complex than that, since the padlock only shows you whether your connection to the site is encrypted with HTTPS and doesn’t provide much insight at all into whether the site itself is legitimate and/or completely secure.
What the “secure” padlock tells you
Chrome/Chromium, Firefox, Edge, and Safari all have slightly different versions of the “safe” padlock, but they’re all telling you basically the same thing: this site presents a valid SSL/TLS certificate and is encrypting the data it sends you and the data you send back using HTTPS. That means anyone intercepting your traffic won’t be able to read what you’re doing on the site, which is especially important when you’re doing things like entering credit card numbers or personally identifiable information.
In short, a normal padlock icon tells you that you have an encrypted connection to the site whose name is in the address bar.
What the “secure” padlock doesn’t tell you
For those of you not up to speed on SSL certificates, they’re digital proofs, issued by a certificate authority, that the person or company presenting the certificate controls the site you’re visiting. These entities can opt to pay for a more expensive certificate (an “Extended Validation” or “EV” certificate) that checks to make sure they really are who they say they are (e.g., Amazon.com is owned by the Amazon.com corporation), but pretty much anyone can get their hands on a normal SSL certificate for free without proving anything beyond their control of the site.
So while your connection to the site is safe from prying eyes, the site could easily be run by someone sketchy who will take all your safely-transmitted data and do whatever they want with it. Even if the website is being honestly run, though, an encrypted connection means nothing if one of the parties receiving the data is compromised. HTTPS only covers data while it’s being transmitted, so if it gets to the other end and gets stored on a server with poor security or some other fatal flaw, it’s vulnerable.
Bottom line: the padlock means you’re on a safe connection, not a safe website.
All those other padlock symbols
While pretty much every browser uses some form of a closed gray padlock to denote an encrypted connection, different browsers show you different icons depending on what issues they detect on the site you’re visiting. Here are a few you should know:
Chrome’s “Not Secure” message replaces the padlock when you’re on an HTTP page or something else is amiss. You can click on the message for more details. If you start typing into a form on an HTTP page, it’ll turn red to emphasize that the data you’re entering might not be transmitted securely.
Firefox’s “Not Secure” message comes in the form of two different symbols: a yellow triangular warning symbol displayed over the padlock and a red bar crossing out the padlock. These both mean that the site is insecure, but in slightly different ways:
- The yellow triangle can mean two things: either the website is partially encrypted (meaning the page is served over HTTPS but some of its content is loaded over a plain HTTP connection and could be manipulated in transit), or the certificate was issued by an authority the browser doesn’t trust (meaning the connection is encrypted, but the certificate can’t be verified).
- The red bar means the site is being delivered over an insecure connection (like HTTP), and you shouldn’t send any sensitive information.
If you’d like to dig into exactly what the warning is telling you, Firefox provides a detailed breakdown if you click the padlock.
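The “partially encrypted” case above (an HTTPS page pulling some content over plain HTTP) is something a site owner can check for before a browser warns about it. The scanner below is an added example, not code from the original article: it parses an HTML page, resolves every subresource URL against the page URL, and reports the ones fetched over http://, separating the kind browsers block outright (scripts, frames, stylesheets) from the kind they merely warn about (images, media). The sample HTML and the example.com hostnames are constructed placeholders.

```python
# Added example (not from the original article): a mixed-content scanner that
# flags subresources an HTTPS page loads over plain HTTP. Sample HTML and the
# example.com hostnames are constructed placeholders.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that references a subresource.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "audio": "src",
                  "video": "src", "source": "src", "link": "href", "object": "data"}
# Content that can run code or restyle the page ("active" mixed content) is
# blocked by browsers; images and media ("passive") only trigger a warning.
ACTIVE_TAGS = {"script", "iframe", "link", "object"}  # rel= not inspected (simplification)

class MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute_url, "active" | "passive")

    def handle_starttag(self, tag, attrs):
        value = dict(attrs).get(RESOURCE_ATTRS.get(tag, ""))
        if not value:
            return
        # Relative and protocol-relative ("//host/x") URLs inherit the page's
        # HTTPS scheme once resolved, so only an explicit http:// counts.
        absolute = urljoin(self.page_url, value)
        if urlsplit(absolute).scheme == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((tag, absolute, kind))

def scan(page_url, html):
    """Return mixed-content findings for an HTML document served at page_url."""
    if urlsplit(page_url).scheme != "https":
        return []  # a plain-HTTP page is wholly unencrypted, so nothing is "mixed"
    parser = MixedContentParser(page_url)
    parser.feed(html)
    return parser.findings

def verdict(findings):
    """Summarise the way a browser does: block active content, warn on passive."""
    if any(kind == "active" for _, _, kind in findings):
        return "mixed-active"
    return "mixed-passive" if findings else "secure"

# Constructed sample: protocol-relative stylesheet (fine), http:// script and image (mixed).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="//cdn.example.com/site.css">
<script src="http://cdn.example.com/app.js"></script>
</head><body><img src="/logo.png">
<img src="http://images.example.com/banner.jpg"></body></html>"""
```

Running `scan("https://www.example.com/", SAMPLE_HTML)` reports the script as active and the banner image as passive mixed content, and `verdict` returns "mixed-active"; the protocol-relative stylesheet and the relative logo resolve to HTTPS and are not flagged.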
While this may change once Edge goes Chromium, Edge’s current system is to display the outline of a padlock when the connection is secured, a filled green padlock when the site is using an extended validation certificate, and an “i” when the connection has some sort of problem, such as an HTTP connection or mixed HTTP and HTTPS content.
Safari’s padlock icon, like Edge’s, will turn green if there’s an extended validation certificate. If the connection is not encrypted, you’ll see a “Not Secure” message instead.
The changing faces of the padlock
For quite a long time, most browsers made the padlock a pleasant green color as an indication that the site you were visiting was standing out from the rest by following good security practices. Now, however, HTTPS has basically become the standard, with over fifty percent of the top million sites using it, and the lock has gone gray to indicate that sites that use it aren’t really that special – they’re just upholding the standard.
In the future, Chrome may actually remove the padlock altogether and only notify users when the site is insecure, as a good webpage should be using HTTPS anyway. Even if your page doesn’t process any sensitive information, Google’s search algorithm rewards sites that use encryption, so it’s in every site owner’s best interest to set up an SSL certificate. It might not be a user’s first instinct to check for a padlock, but if they ever see something odd or a warning message in the address bar, they’ll probably think twice before entering any information.