HTTPS is free, instant, and every phishing site has it. Here's why the padlock icon means almost nothing about website safety, and what actually does.
For years, internet safety advice included the same line: “Look for the padlock icon in the address bar. If it’s there, the site is safe.”
That advice was always incomplete. In 2026, it’s actively misleading.
Every phishing site, every fake store, every scam page now has HTTPS. The padlock icon is no longer a signal of trust — it’s a baseline expectation. Here’s why, what changed, and what you should look at instead.
The padlock icon indicates that the connection between your browser and the website’s server is encrypted using TLS (Transport Layer Security). This means:
That’s it. It’s a transport-level guarantee, not a trust-level guarantee.
What the padlock does NOT tell you:
A phishing site that perfectly impersonates your bank can have a valid SSL certificate. The padlock confirms that your password is securely transmitted to the scammer. That’s not a comforting thought.
In the early days of the web, SSL certificates cost hundreds of dollars and required identity verification. Obtaining one was a meaningful investment that filtered out casual scammers.
That changed completely with the launch of Let’s Encrypt in 2015.
Let’s Encrypt provides free, automated SSL certificates to anyone. No identity verification. No business registration. No cost. The process takes about 30 seconds and can be fully automated.
This was a massive win for internet security — encrypting the vast majority of web traffic. But it also eliminated any trust value the padlock once carried. When a security feature becomes free and universal, it stops being a differentiator.
Today, browsers like Chrome and Firefox flag non-HTTPS sites as “Not Secure.” This has created a perverse situation where having HTTPS is expected and its absence is alarming — but its presence tells you nothing.
Browser makers have been gradually de-emphasizing the padlock. Chrome removed the padlock icon in 2023, replacing it with a “tune” icon, because users consistently misinterpreted it as a trust signal.
But the damage was done. Years of “look for the padlock” messaging created a mental model that’s hard to undo. Many users still assume HTTPS equals safe.
Even worse, Extended Validation (EV) certificates — the ones that used to show the company name in the address bar — have been largely phased out by browsers because they were rarely noticed by users and didn’t meaningfully reduce phishing. So the one mechanism that did provide some identity verification is now gone from most browsers.
Scammers understand that users look for the padlock. Here’s how they exploit it:
A scammer registers paypal-secure-verify.com, gets a free Let’s Encrypt certificate, and builds a clone of the PayPal login page. The victim sees the padlock and thinks they’re safe. The certificate is valid. The connection is encrypted. The credentials go straight to the scammer.
Scammers hack a legitimate, HTTPS-enabled website and inject a phishing page or skimming script. The padlock is present because the site genuinely has a valid certificate. The site is compromised, but the connection indicator shows nothing unusual.
Platforms like GitHub Pages, Netlify, Vercel, and Cloudflare Pages provide HTTPS by default. Scammers create phishing pages on these platforms and get free, valid certificates automatically. The subdomain even includes a trusted brand name (e.g., paypal-verify.netlify.app).
If the padlock is useless for trust assessment, what should you look at? Here are the signals that actually matter.
HTTPS is necessary but not sufficient. It’s the seatbelt of the web — you should absolutely use it, but you’re a fool to think it makes driving safe on its own.
The correct mental model is:
Without HTTPS: Immediate red flag. Do not enter any data. With HTTPS: One box checked. Proceed with the rest of your trust assessment.
The padlock answers one question: “Is my data encrypted in transit?” It does not answer the far more important question: “Should I trust the entity on the other end of this connection?”
For that, you need to look at domain history, business verification, content authenticity, external reputation, and technical infrastructure. No single signal is conclusive — but together, they paint a picture that the padlock never could.
The padlock icon is a minimum viable security standard, not a trust indicator. Every legitimate site has it. Every scam site has it. Treating its presence as evidence of safety is one of the most dangerous misconceptions in internet security.
The next time someone tells you to “look for the padlock,” tell them to look further. Because in 2026, the padlock tells you almost nothing about whether the site on your screen deserves your trust.
Disclaimer: This article is for educational purposes and does not constitute professional security advice.
Check any website in 10 seconds
Paste a URL. Get a full trust audit — domain reputation, fraud signals, monetization analysis.
Run a free scan