← back to blog
4 min read
  • #https
  • #tls
  • #phishing
  • #security

The padlock proves less than you think

The padlock only proves the connection is encrypted, not that the site is honest. Phishing sites have it too, and your site still needs it anyway.


Plenty of people still check for the padlock in the address bar before typing a card number anywhere. That habit is about fifteen years out of date. Most phishing sites have the padlock now too.

I am studying for Security+ right now, and the certificate material is where I see people get this wrong most often. So here is what the padlock actually proves, what it protects, and why your site still needs it even though it proves less than you think.

What the padlock actually proves

The padlock means the connection between your browser and the server is encrypted with TLS. That is it. It is a statement about the pipe, not about who is on the other end of it.

To get that padlock, a site owner needs a certificate. The common kind is domain validation, and to get one you only have to prove you control the domain. Let's Encrypt hands these out for free, automatically, in seconds. I use them on every site I build. So does every scammer.

If someone registers a lookalike of your bank's domain, with the number one where a lowercase L should be, they can have a padlock on the fake login page in under a minute. The browser will call it secure, because technically it is. The connection to the scammer is fully encrypted. Nobody can eavesdrop on you while you get robbed.

The numbers back this up. The Anti-Phishing Working Group has reported for years that the large majority of phishing pages load over HTTPS. The padlock stopped being a trust signal the moment certificates became free and automatic. That was still a good trade, and I will get to why.

What HTTPS actually protects

Encrypting the pipe is not nothing. Here is what it genuinely buys you:

  • Nobody on the same network can read what you send. If a dog groomer's booking form runs over plain HTTP and a customer fills it out on coffee shop wifi, the name, phone, and address cross the room in plain text. Anyone with free software can capture it.
  • Nobody in the middle can change the page. Without HTTPS, anything sitting between you and the server, like a sketchy hotel router, can inject its own content. Ads, malware, altered prices. With HTTPS, tampering breaks the connection instead of silently working.
  • Passwords and card numbers are unreadable in transit.

Notice what is missing from that list: honesty. HTTPS does not prove the business is real, that the reviews are real, or that the site will treat your data with care. It also does nothing once your data lands on the server. If a site stores passwords in plain text, the encrypted pipe just delivered yours there safely.

Why your site still needs it

If the padlock proves so little, why do I put it on every site I ship? Plain reasons:

  • Browsers punish you without it. Chrome flags plain HTTP pages as "Not secure" right in the address bar. For a small business, that label next to your name costs trust you never earn back.
  • Google uses HTTPS as a ranking signal. A small one, but a nail salon competing on "nails Heber City" needs every small signal it can get.
  • Forms are the whole point of a local business site. Booking, quotes, contact. Sending those unencrypted in 2026 is not a corner you get to cut.
  • It costs nothing. When I built the Susy Nails site, the certificate took zero extra work and zero extra dollars. The hosting issues and renews it automatically.

The honest tradeoff in all this: making certificates free and automatic is exactly what handed scammers their padlocks. I would still take that trade, because before free certificates most small business sites simply ran unencrypted forever. Everyone getting encryption beats almost no one getting it.

How to judge a site, since the padlock cannot

  • Read the domain character by character. The padlock only says you are talking to that exact domain securely. It does not say the domain belongs to who you think.
  • When money is involved, type the address yourself or use your own bookmark. Lookalike domains live in text messages and emails, not in your bookmarks.
  • Check for things a lazy scammer will not fake: a street address you can find on a map, a phone number somebody answers, matching info on their map listing.

And if you run a local business, look at your own site today. If the address bar says "Not secure", every customer sees that too. I do a free 24-hour site audit, three real findings, yours to keep either way, and whether your site handles HTTPS correctly is one of the first things I check.

$ share

community rating

$ ls ./comments

sign in or create an account to rate and comment.

no comments yet, be first.