What the “secure” padlock tells you

Chrome/Chromium(), Firefox(), Edge(), and Safari() all have slightly different versions of the “safe” padlock, but they’re all telling you basically the same thing: this site has received an SSL certificate and is encrypting the data it sends you and the data you send back using HTTPS. That means anyone intercepting your traffic won’t be able to see what you’re doing on the site, which is especially important when you’re doing things like entering credit card numbers or personally identifiable information. In a word, a normal padlock icon lets you know that you’re safely connected to the correct site.

What the “secure” padlock doesn’t tell you

So while your connection to the site is safe from prying eyes, the site could easily be run by someone sketchy who will take all your safely-transmitted data and do whatever they want with it. Even if the website is being honestly run, though, an encrypted connection means nothing if one of the parties receiving the data is compromised. HTTPS only covers data while it’s being transmitted, so if it gets to the other end and gets stored on a server with poor security or some other fatal flaw, it’s vulnerable. Bottom line: the padlock means you’re on a safe connection, not a safe website.

All those other padlock symbols

While pretty much every browser uses some form of a closed gray padlock to denote an encrypted connection, different browsers show you different icons depending on what issues they detect on the site you’re visiting. Here are a few you should know:

Chrome

The “Not Secure” () message replaces the padlock when you’re on an HTTP page or something else is amiss. You can click on the message for more details. If you start typing on an HTTP page, it’ll turn red to emphasize that the data you’re entering might not be transmitted securely.

Firefox

Firefox’s “Not Secure” message comes in the form of two different symbols: a yellow triangular warning symbol displayed over the padlock () and a red bar crossing out the padlock (). These both mean that the site is insecure, but in slightly different ways:

The yellow triangle () can mean two things: either the website is partially encrypted (meaning it uses HTTPS but some of the content is coming from an HTTP connection and could be manipulated), or the certificate authority isn’t trusted (meaning the site is using encryption, but its certificate seems shady). The red bar () means the site is being delivered over an insecure connection (like HTTP), and you shouldn’t send any sensitive information.

If you’d like to dig into exactly what the warning is telling you, Firefox provides a detailed breakdown if you click the padlock.

Edge

While this may change once Edge goes Chromium, Edge’s current system is to display the outline of a padlock () when the connection is secured, a filled green padlock () when the site is using an extended validation certificate, and an “i” () when the connection has some sort of problem, such as with an HTTP connection or mixed HTTP and HTTPS content.

Safari

Safari’s padlock icon () like Edge’s, will turn green () if there’s an extended validation certificate. If the connection is not encrypted, you’ll see a “Not Secure” message instead.

The changing faces of the padlock

For quite a long time, most browsers made the padlock a pleasant green color as an indication that the site you were visiting was standing out from the rest by following good security practices. Now, however, HTTPS has basically become the standard, with over fifty percent of the top million sites using it, and the lock has gone gray to indicate that sites that use it aren’t really that special – they’re just upholding the standard. In the future, Chrome may actually remove the padlock altogether and only notify users when the site is insecure, as a good webpage should be using HTTPS anyway. Even if your page doesn’t process any sensitive information, Google’s search algorithm rewards sites that use encryption, so it’s in every site owner’s best interest to set up an SSL certificate. It might not be a user’s first instinct to check for a padlock, but if they ever see something odd or a warning message in the address bar, they’ll probably think twice before entering any information. Image credits: SSL (Simple)