What does the padlock in my browser actually mean?
Quick answer
The padlock means the connection between your device and the website is encrypted, so nobody on your Wi-Fi, your office network or your internet provider can read what you send or receive — but it does NOT mean the website itself is honest, legitimate, or safe to trust with your data.
What it's NOT
The padlock is NOT a 'safe site' badge. Phishing sites, scam stores and fake banks all show the same padlock — getting an encryption certificate is free, automatic and takes minutes. 'It has the padlock, so it's the real site' is one of the most damaging misunderstandings on the modern web.
More context
The padlock icon in your browser’s address bar means a single, specific thing: the conversation between your device and the website you are talking to is encrypted using TLS (Transport Layer Security — the modern name for what used to be called SSL). Three guarantees come with that:
- Confidentiality. Whoever is in between — your café Wi-Fi, your employer’s network, your internet provider, anyone tapping the wire — sees encrypted noise, not your password or messages.
- Integrity. The page you receive has not been altered in transit — nobody injected ads, malware, or fake content between the real site and you.
- A weak form of identity. The site presented a certificate that proves it controls the domain in the address bar — paypal.com cannot be served by someone who does not control paypal.com.
That last point is where the misunderstanding lives. The certificate proves the server is the legitimate owner of that exact domain. It does not prove the domain itself is who you think it is. If you reach paypa1.com (with a number 1 instead of an L), the padlock will appear, the encryption will work, and you will type your password to attackers.
What the padlock does NOT say:
- It does not say the company is real. Anyone can register a domain and get a free TLS certificate from Let’s Encrypt in minutes.
- It does not say the company is honest. Scam stores, fake banks, romance-scam fronts all have the padlock.
- It does not say the page is safe to use. A site can be fully encrypted and still try to install malware, harvest your card details, or run a fake-investment scam.
- It does not say the contents are accurate. Encryption protects transit, not truthfulness.
Because almost every site is HTTPS in 2026, browsers have largely stopped highlighting it as a positive signal and instead warn you when it is missing. The address bar in Chrome, Firefox and Safari is now optimised for the question “what domain am I actually talking to?” — that is the question that catches phishing.
The reading habit that protects you, every time:
- Look for the padlock — but consider it minimum hygiene, not proof.
- Read the domain from right to left. Find the first single slash. The two segments immediately to its left are the real domain. Everything before that can be anything.
  paypal.com/login → the real domain is paypal.com.
  paypal.com.secure-login-alert.io/reset → the real domain is secure-login-alert.io. Not PayPal.
  account.paypal.com/sign-in → still paypal.com. Fine.
- Ask yourself how you arrived on this page. If it was a link in an email, SMS, or ad, treat the page as guilty until proven innocent — even with the padlock.
The padlock is a foundation, not a verdict. Everything else — phishing, malware, scams, fake support — happens on top of perfectly encrypted, padlocked connections.
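The right-to-left reading rule above, written out as an added JavaScript example (not code from the original page). It goes slightly beyond the page's two-segment rule by also handling endings such as co.uk that are themselves two segments; the function names and the short suffix list are assumptions made for this illustration, and a production check would use the full Public Suffix List.

```javascript
// Added example: the "read the domain right to left" habit as code.
// MULTI_LABEL_SUFFIXES is a small constructed sample, not the full Public Suffix List.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "co.jp", "com.br"]);

// Returns the part of the address that decides who you are talking to,
// or null when the input is not an http(s) address with a domain name.
function realDomain(address) {
  let url;
  try {
    // Addresses written without a scheme (as in the page's examples) get https://.
    const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(address);
    url = new URL(hasScheme ? address : "https://" + address);
  } catch {
    return null; // not parseable as a URL at all
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;

  // url.hostname is everything left of the first single slash,
  // lower-cased by the parser and with any port number removed.
  const host = url.hostname.replace(/\.$/, "");
  if (/^[\d.]+$/.test(host) || host.startsWith("[")) return null; // IP address, no domain
  const labels = host.split(".");
  if (labels.length < 2) return null;

  // The page's rule: the two right-most segments are the real domain.
  // For endings that are themselves two segments (example.co.uk), keep three.
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) && labels.length >= 3 ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// True only when the real domain is exactly the one you expected to be on.
function isExpectedSite(address, expectedDomain) {
  return realDomain(address) === expectedDomain.toLowerCase();
}
```
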
People also ask
What is the difference between HTTP and HTTPS?
HTTP sends pages and form submissions in clear text — anyone between you and the site can read your password, your messages, your search queries. HTTPS adds TLS encryption on top, so the same traffic looks like meaningless noise to anyone watching. In 2026, virtually every legitimate site is HTTPS, and most browsers now warn or block plain HTTP.
Can phishing sites have the padlock?
Yes, and most do. Anyone who owns a domain name can get a free TLS certificate from Let's Encrypt in under five minutes. So 'fake-amazon-login.com' will happily show the padlock; the encryption between you and the scammer's server works perfectly. The padlock confirms encryption, not honesty.
Why did the green bar and company name disappear from browsers?
It was called 'Extended Validation' and showed the verified company name in green next to the URL. Browsers (Chrome, Firefox, Safari) removed it around 2019-2020 because research showed users were not noticing the difference, attackers found ways to register similar-looking legal entities, and the certificate authority business of selling EV was creating perverse incentives. The current model trusts the address bar itself.
What should I actually check before entering a password?
Three things, in this order. (1) Is there a padlock? (no padlock = absolute refusal to log in). (2) Is the domain in the address bar exactly the one you expected? Read it from right to left, focusing on the part right before the first slash. (3) Did you reach this page by typing the address or using a saved bookmark, or by clicking a link in an email/SMS/ad? The third is the signal that catches most phishing — links in messages are the primary delivery.