You've probably been told to "look for the padlock" in your browser's address bar before entering sensitive information on a website. While this advice isn't wrong, it's dangerously incomplete. The padlock icon indicates that a site has an SSL certificate and that your connection is encrypted, but it says nothing about the trustworthiness of the site itself. Understanding this distinction is essential for staying safe online.

SSL — Secure Sockets Layer — and its modern successor TLS (Transport Layer Security) are cryptographic protocols that encrypt data transmitted between your browser and a web server. When a site uses SSL/TLS, the URL begins with "https://" rather than "http://", and browsers display the familiar padlock icon.

How SSL Certificates Actually Work

When you visit an HTTPS website, a complex but near-instantaneous process called the "SSL handshake" occurs. Your browser requests the server's SSL certificate, which contains the server's public encryption key and identity information. Your browser verifies the certificate against a list of trusted Certificate Authorities (CAs) — organizations authorized to issue certificates.

If the certificate checks out, your browser and the server establish an encrypted session using a unique session key. From that point forward, all data transmitted between you and the server is encrypted, meaning anyone intercepting the traffic would see only scrambled data rather than readable information.

This encryption protects against man-in-the-middle attacks, where a third party intercepts communications between you and a website. It ensures that the data you send — passwords, credit card numbers, personal information — reaches the intended server without being read or modified in transit.

The Three Types of SSL Certificates

Not all SSL certificates are created equal. Understanding the differences between certificate types can help you assess a site's credibility:

  • Domain Validation (DV): The most basic type. The CA only verifies that the applicant controls the domain. DV certificates can be obtained for free in minutes through services like Let's Encrypt. They provide encryption but zero identity verification. Any website — including scam sites — can get one.
  • Organization Validation (OV): The CA verifies the organization's identity, including its name, address, and incorporation details. OV certificates provide moderate identity assurance and typically cost $50-$200 per year. They indicate that a real, verified business operates the website.
  • Extended Validation (EV): The most rigorous type. The CA conducts extensive verification of the organization's legal identity, physical existence, and operational status. EV certificates cost $100-$500+ per year and were historically displayed with the company name in the browser address bar. While browsers have reduced the visual distinction of EV certificates, the verification behind them remains the most thorough available.

The critical takeaway: a basic DV certificate only means the connection is encrypted. It does not mean the website is legitimate, the business is real, or the operator has been verified in any way.

Why HTTPS Doesn't Equal Safe

This is the most common misconception about SSL certificates, and it's one that scammers actively exploit. According to the Anti-Phishing Working Group, over 80% of phishing sites now use HTTPS. Scammers obtain free DV certificates for their fraudulent sites, display the padlock icon, and rely on users' mistaken belief that the padlock means the site is trustworthy.

Think of it this way: SSL encryption is like an armored truck. It ensures that whatever is being transported arrives securely. But the armored truck doesn't verify what's inside — it could be carrying gold bars or counterfeit bills. Similarly, SSL ensures your data reaches the server securely, but it doesn't verify whether the server belongs to a legitimate operation or a scammer.

"The padlock means your connection is private, not that the website is honest. A scam site with SSL is like a locked room with a thief inside — your conversation is private, but you're talking to the wrong person." — ScamsTester Security Advisory

What to Actually Look For

Instead of relying solely on the padlock icon, adopt a more comprehensive approach to evaluating website security. Click on the padlock icon to view certificate details. Check who issued the certificate, what type it is (DV, OV, or EV), and when it expires. An EV or OV certificate from a well-known CA like DigiCert, GlobalSign, or Sectigo provides more assurance than a free DV certificate.
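The certificate details the padlock dialog shows can be read programmatically too. The following is an added example (not ScamsTester's code) that takes a certificate in the dictionary shape Python's ssl.SSLSocket.getpeercert() returns and reports issuer, validation level, days to expiry and whether the name you typed is actually covered; the certificate values are constructed, and the DV/OV/EV classification is a heuristic on subject fields rather than a check of CA policy identifiers.

```python
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns for a
# verified connection: a DV-style certificate (no organization in the subject).
SAMPLE_CERT = {
    "subject": ((("commonName", "shop-example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example CA (constructed)"),),),
    "notBefore": "Mar 02 00:00:00 2026 GMT",
    "notAfter": "May 30 23:59:59 2026 GMT",
    "subjectAltName": (("DNS", "shop-example.com"), ("DNS", "www.shop-example.com")),
}

def flatten(rdn_seq):
    """Turn getpeercert()'s nested RDN tuples into a flat {field: value} dict."""
    return {k: v for rdn in rdn_seq for k, v in rdn}

def validation_level(cert):
    """Heuristic based on subject fields the CA/Browser Forum guidelines require:
    DV certificates name no organization, OV add organizationName, and EV also
    carry businessCategory (plus jurisdiction fields)."""
    subj = flatten(cert.get("subject", ()))
    if "businessCategory" in subj:
        return "EV"
    if "organizationName" in subj:
        return "OV"
    return "DV"

def days_until_expiry(cert, now):
    """Whole days left; 'now' is given in the same GMT string format as notAfter."""
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - ssl.cert_time_to_seconds(now)) // 86400

def hostname_matches(cert, hostname):
    """Does the host you typed appear in the certificate's DNS names? A single
    leftmost wildcard label ('*.example.com') is accepted, as browsers do."""
    host = hostname.lower().split(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        labels = name.lower().split(".")
        if len(labels) == len(host) and labels[1:] == host[1:] and labels[0] in ("*", host[0]):
            return True
    return False

def summarize(cert, hostname, now):
    """The fields the article says to check, in one dict."""
    return {"issuer": flatten(cert["issuer"]).get("organizationName"),
            "level": validation_level(cert),
            "days_left": days_until_expiry(cert, now),
            "name_matches": hostname_matches(cert, hostname)}
```

A live certificate can be fed in with the dictionary returned by getpeercert() after a normal verified connection; the name check is the part a lookalike domain passes only if the scammer obtained a certificate for that exact lookalike name.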

Look beyond the certificate itself. Check the domain name carefully for subtle misspellings or character substitutions — "arnazon.com" instead of "amazon.com," or "paypa1.com" using a numeral instead of the letter "l." Verify that the URL matches the company you intend to visit by typing it manually rather than clicking email links.
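The misspellings and character substitutions above can be caught mechanically. This added example (not part of ScamsTester's trust score) normalizes confusable sequences such as "rn" for "m" and "1" for "l" and then compares the registrable part of a hostname against a small, constructed list of known brands, also flagging single-character typos by edit distance.

```python
# Constructed brand list; a real checker would use a much larger one.
KNOWN_BRANDS = ["amazon.com", "paypal.com", "google.com"]

# Visually confusable sequences mapped to what the eye reads them as.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("1", "l"), ("0", "o"), ("|", "l")]

def skeleton(domain):
    """Collapse look-alike characters so 'arnazon' and 'paypa1' compare
    equal to 'amazon' and 'paypal'."""
    s = domain.lower().strip(".")
    for seq, rep in CONFUSABLES:
        s = s.replace(seq, rep)
    return s

def edit_distance(a, b):
    """Levenshtein distance via the standard dynamic-programming row update."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(hostname):
    """Drop subdomains: 'www.paypa1.com' -> 'paypa1.com' (naive two-label rule,
    no public suffix list)."""
    return ".".join(hostname.lower().split(".")[-2:])

def lookalike_of(hostname, brands=KNOWN_BRANDS, max_distance=1):
    """Return the brand a hostname imitates, or None when it is the genuine
    brand domain or not close to any brand on the list."""
    dom = registrable(hostname)
    if dom in brands:
        return None
    sk = skeleton(dom)
    for brand in brands:
        if sk == skeleton(brand) or edit_distance(dom, brand) <= max_distance:
            return brand
    return None
```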

Use ScamsTester's trust score system, which incorporates SSL certificate analysis as one component of a comprehensive evaluation. Our reports show the certificate type, issuer, validity period, and any associated security concerns alongside dozens of other trust indicators.

The State of SSL in 2026

The SSL landscape continues to evolve. Certificate lifespans have been shortened to improve security — most certificates now expire after 90 days to one year, requiring regular renewal that helps ensure ongoing domain control verification. Certificate Transparency logs have become standard, making it possible to detect fraudulently issued certificates more quickly.

Browser vendors continue to refine how they communicate security status to users. The trend has moved away from prominently displaying "secure" indicators (since HTTPS has become the norm) and toward prominently warning when a connection is not secure. This shift acknowledges that HTTPS is a baseline expectation, not a distinguishing feature.

For users, the practical advice remains consistent: treat HTTPS as a minimum requirement, not a trust indicator. Any reputable site should have it, but having it doesn't make a site reputable. Always layer SSL awareness with broader verification practices including trust score checks, business verification, and community reviews.