
HTTP vs HTTPS: Why That Padlock Actually Matters

By Kunal Khatri·Mar 1, 2026

The padlock icon appeared in browsers in the late 1990s to indicate an encrypted connection. For years it was something you checked when entering payment information. Now it's on nearly every site on the web, and paradoxically, users understand it less than ever — because phishing sites have padlocks too.

What HTTPS Actually Does

HTTPS is HTTP carried inside TLS (Transport Layer Security). When you connect to an HTTPS site, your browser and the server run a TLS handshake: they agree on a protocol version and cipher suite, the server presents a certificate chain that binds its public key to the hostname you asked for, and the two sides derive fresh session keys (in TLS 1.3 through an ephemeral Diffie-Hellman exchange, so the server's long-term key never encrypts traffic directly). From that point, everything between your browser and the server is encrypted and integrity-protected.

Encrypted means nobody between you and the server (your ISP, the coffee shop Wi-Fi, anyone in a man-in-the-middle position) can read the content of your requests or the server's responses. Authenticated means two things: the certificate, chained to a root your browser trusts, ties the server's key to the hostname in the address bar, so an impostor cannot complete the handshake as that host; and every record carries an integrity tag, so bytes modified in transit are detected and the connection is torn down. These are distinct guarantees, and you can have the first without the second: a client that disables certificate verification still gets an encrypted channel, just possibly to whoever intercepted the connection.
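The separation between the two guarantees is easiest to see in client configuration. The following is an added example, not code from the article: it builds two Python `ssl` contexts, one that enforces both guarantees the way a browser does and one that keeps encryption but deliberately drops server authentication, and reports which guarantee each enforces. The `handshake_report` helper performs a real handshake against a hostname you supply (the `example.com` default is just an illustration) and needs network access.

```python
import socket
import ssl

# Added example, not the article's code. The two contexts below separate the
# two guarantees the text describes: a default context enforces both, while the
# second keeps the encryption but deliberately drops server authentication.


def authenticated_context() -> ssl.SSLContext:
    """What a browser effectively does: verify the chain to a trusted root,
    check the hostname against the certificate, and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def encryption_only_context() -> ssl.SSLContext:
    """Encryption without authentication. The handshake still yields an
    encrypted channel, but anyone who intercepts the TCP connection can present
    their own certificate and terminate that channel themselves. This is what
    'verify=False' style settings do in HTTP libraries; never ship it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def guarantees(ctx: ssl.SSLContext) -> dict:
    """Report which of the two guarantees a context actually enforces."""
    return {
        "encryption": True,  # every TLS context encrypts; that part never varies
        "authentication": bool(ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname),
        "minimum_version": ctx.minimum_version.name,
    }


def handshake_report(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Perform a real handshake (needs network) and return what was negotiated."""
    ctx = authenticated_context()
    with socket.create_connection((host, port), timeout=timeout) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            return {
                "protocol": tls.version(),            # e.g. 'TLSv1.3'
                "cipher": tls.cipher()[0],            # negotiated cipher suite
                "peer_subject": tls.getpeercert().get("subject"),
            }


if __name__ == "__main__":
    for name, ctx in (("default", authenticated_context()),
                      ("no-verify", encryption_only_context())):
        print(name, guarantees(ctx))
    try:
        print(handshake_report("example.com"))
    except OSError as exc:  # no network, DNS failure, or a failed verification
        print("handshake not attempted:", exc)
```

Note the ordering in `encryption_only_context`: `check_hostname` has to be cleared before `verify_mode` is set to `CERT_NONE`, because Python refuses to check a hostname against a certificate it never verified. That is the same logic in reverse: hostname checking is meaningless without chain validation.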

The Padlock Misconception

The padlock means the connection is encrypted and the certificate is valid for the hostname in the address bar. It says nothing about the trustworthiness of the site behind that hostname. A phishing site at 'paypa1-secure-login.com' can have a perfectly valid TLS certificate, and therefore a padlock, while being entirely fraudulent. Certificate Authorities issue certificates on proof of domain control, not on the legitimacy of what the domain is used for.

This cuts both ways. Let's Encrypt, which provides free, automatically issued TLS certificates, has made HTTPS ubiquitous and has dramatically improved overall web security. It has also made it trivial for a malicious site to look identical to a legitimate one as far as the browser's security indicator is concerned; the padlock tells you the channel is private, not that the other end deserves your password.
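To make "domain control verification" concrete, here is what a domain-validated issuance actually proves. This is an added example, not the article's or Let's Encrypt's code: it reproduces the HTTP-01 and DNS-01 challenge arithmetic from RFC 8555 (key authorization built from a token and the RFC 7638 thumbprint of the ACME account key) and the comparison a CA performs. The account key, token and domain below are constructed placeholders.

```python
import base64
import hashlib
import json

# Added example, not the article's or Let's Encrypt's code. It reproduces the
# HTTP-01 and DNS-01 challenge arithmetic of RFC 8555 so you can see exactly
# what a DV CA checks before issuing: possession of the ACME account key plus
# control of the hostname. Nothing else about the applicant is examined.

# RFC 7638: the members that go into a JWK thumbprint, per key type.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

# Constructed account key in JWK form; the coordinates are not a real key.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "alg": "ES256",
               "x": "placeholder-x-coordinate", "y": "placeholder-y-coordinate"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"   # constructed challenge token


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME and JOSE use everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638: only the required members, lexicographically ordered, no whitespace."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    missing = [m for m in members if m not in jwk]
    if missing:
        raise ValueError(f"JWK missing required members {missing}")
    return json.dumps({m: jwk[m] for m in members}, separators=(",", ":"), sort_keys=True)


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(JWK_Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_url(domain: str, token: str) -> str:
    """Where the CA fetches the proof, over plain HTTP on port 80."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: value of the TXT record at _acme-challenge.<domain>."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("utf-8")).digest())


def ca_accepts_http01(served_body: bytes, token: str, jwk: dict) -> bool:
    """The CA's entire validation step: fetch the challenge URL and compare.
    Nothing here asks who owns the domain or what the site is for."""
    return served_body.strip() == key_authorization(token, jwk).encode("ascii")


if __name__ == "__main__":
    domain = "paypa1-secure-login.com"   # the article's hypothetical lookalike
    ka = key_authorization(TOKEN, ACCOUNT_JWK)
    print("serve at  :", http01_url(domain, TOKEN))
    print("body      :", ka)
    print("or TXT    :", f"_acme-challenge.{domain} -> {dns01_txt_value(TOKEN, ACCOUNT_JWK)}")
    print("CA accepts:", ca_accepts_http01(ka.encode() + b"\n", TOKEN, ACCOUNT_JWK))
```

The `alg` member of the account key is deliberately left out of the thumbprint: RFC 7638 hashes only the required members, so two clients that describe the same key with different optional fields still produce the same key authorization.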

HTTP Still Exists and It's Still a Problem

Google Chrome has marked HTTP pages with a 'Not secure' warning since 2018. Despite this, a significant fraction of web traffic still uses unencrypted HTTP: legacy devices, internal networks, some APIs. Unencrypted HTTP traffic is readable, and modifiable, by anyone on the network path, from your ISP to network administrators to anyone on a shared network; credentials, session cookies and the pages themselves all travel in the clear.
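What "readable by anyone on the path" means in practice, as an added example that is not part of the original article: a small passive observer that, given captured bytes, recovers the method, path, host, Basic-auth credentials and cookies from a plaintext HTTP request, and from the equivalent TLS traffic recovers nothing but a record type and a length. Both captures are constructed samples embedded in the code, not real traffic.

```python
import base64
import re

# Added example, not the article's code. It plays the role of a passive observer
# on the network path and contrasts what such an observer recovers from a
# plaintext HTTP request with what it gets from TLS. Both captures are
# constructed samples, not real traffic.

CAPTURED_HTTP = (
    b"GET /account/settings HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n"
    b"Cookie: session=1f3c9e2a; remember=1\r\n"
    b"User-Agent: legacy-device/1.0\r\n"
    b"\r\n"
)

# A TLS application-data record: type 0x17, legacy version 0x0303, length 0x002a,
# then 42 bytes of ciphertext (zeroed here as a stand-in for the opaque payload).
CAPTURED_TLS = bytes.fromhex("170303002a") + b"\x00" * 42

REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP/1\.[01]\r\n")
TLS_RECORD_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                    0x16: "handshake", 0x17: "application_data"}


def classify(stream: bytes) -> str:
    """Tell a plaintext HTTP request from a TLS record by its first bytes."""
    if REQUEST_LINE.match(stream):
        return "http"
    if len(stream) >= 5 and stream[0] in TLS_RECORD_TYPES and stream[1] == 0x03:
        return "tls"
    return "unknown"


def observe(stream: bytes) -> dict:
    """What the observer learns. HTTP: method, path, host, credentials, cookies.
    TLS: only the record type and length; the payload is opaque."""
    kind = classify(stream)
    if kind == "tls":
        return {"kind": kind, "record_type": TLS_RECORD_TYPES[stream[0]],
                "length": int.from_bytes(stream[3:5], "big")}
    if kind != "http":
        return {"kind": kind}
    head, _, _ = stream.partition(b"\r\n\r\n")
    method, path = REQUEST_LINE.match(stream).group(1, 2)
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    found = {"kind": kind, "method": method.decode("ascii"),
             "path": path.decode("ascii"), "host": headers.get("host")}
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # Basic auth is encoding, not encryption: one base64 decode away from the password.
        found["basic_auth"] = base64.b64decode(auth[6:]).decode("utf-8", "replace")
    if "cookie" in headers:
        found["cookies"] = dict(c.strip().split("=", 1)
                                for c in headers["cookie"].split(";") if "=" in c)
    return found


if __name__ == "__main__":
    print(observe(CAPTURED_HTTP))
    print(observe(CAPTURED_TLS))
```

The session cookie is the more valuable find of the two: it lets the observer act as the user without ever seeing the password, which is why "it's only an internal network" is a weak argument for leaving HTTP in place.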

Certificate Validation Levels

TLS certificates come in three validation levels. DV (Domain Validation) confirms only that the applicant controls the domain, typically through an automated HTTP or DNS challenge; Let's Encrypt issues DV certificates exclusively. OV (Organisation Validation) additionally confirms that the named organisation exists. EV (Extended Validation) used to show the company name in green in the browser bar; Chrome and Firefox removed that UI element in 2019 because research showed users didn't notice it. All three levels provide equivalent encryption, since the cipher suite is negotiated by the handshake rather than dictated by the certificate. The difference is only in how much identity verification the CA performed before issuing.
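The checks that actually stand behind the padlock, for the lookalike domain discussed above, as an added example that is not the article's or any browser's code. Once the TLS library has validated the chain to a trusted root (not reimplemented here), what remains is whether the certificate's Subject Alternative Names cover the hostname in the address bar and whether the validity window contains the current time; the code then reports what the subject says about identity. The certificate is a constructed dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns; it is not a real certificate and the issuer name is invented. The DV-versus-OV/EV label it prints is a heuristic on the subject fields, stated as such in the code.

```python
import ssl
import time

# Added example, not the article's or any browser's code. Given a certificate in
# the dict shape returned by ssl.SSLSocket.getpeercert(), it performs the
# hostname and validity checks behind the padlock and reports what the subject
# says about identity. Chain validation to a trusted root is assumed to have
# been done by the TLS library and is not reimplemented here.

# Constructed certificate for the article's hypothetical lookalike; not a real
# certificate, and "Example DV CA" is an invented issuer.
LOOKALIKE_CERT = {
    "subject": ((("commonName", "paypa1-secure-login.com"),),),
    "issuer": ((("organizationName", "Example DV CA"),), (("commonName", "Example DV CA R1"),)),
    "notBefore": "Feb  1 00:00:00 2026 GMT",
    "notAfter": "May  2 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "paypa1-secure-login.com"), ("DNS", "www.paypa1-secure-login.com")),
}
NOW_IN_WINDOW = ssl.cert_time_to_seconds("Mar  1 00:00:00 2026 GMT")


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching: a wildcard must be the entire leftmost label,
    matches exactly one label, and needs at least two labels after it."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[2:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def subject_field(cert: dict, key: str):
    """Pull one attribute out of the nested RDN tuples getpeercert() uses."""
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == key:
                return v
    return None


def padlock_checks(cert: dict, hostname: str, now=None) -> dict:
    now = time.time() if now is None else now
    # Browsers match against subjectAltName only; the commonName is ignored.
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    organization = subject_field(cert, "organizationName")
    return {
        "hostname_ok": any(dns_name_matches(san, hostname) for san in sans),
        "time_ok": ssl.cert_time_to_seconds(cert["notBefore"]) <= now
                   <= ssl.cert_time_to_seconds(cert["notAfter"]),
        "organization": organization,
        # Heuristic only: DV certificates carry no organization, OV and EV do.
        # Telling EV from OV needs the certificatePolicies OID, which getpeercert()
        # does not expose, so the label stops at "OV/EV-style".
        "identity": "domain only (DV-style)" if organization is None
                    else "organization asserted (OV/EV-style)",
    }


def padlock_would_show(cert: dict, hostname: str, now=None) -> bool:
    """The padlock appears when the name and time checks pass, regardless of identity level."""
    result = padlock_checks(cert, hostname, now)
    return result["hostname_ok"] and result["time_ok"]


if __name__ == "__main__":
    host = "paypa1-secure-login.com"
    print(padlock_checks(LOOKALIKE_CERT, host, NOW_IN_WINDOW))
    print("padlock shown:", padlock_would_show(LOOKALIKE_CERT, host, NOW_IN_WINDOW))
```

The point the output makes: every check the browser can perform passes for the lookalike, because the certificate is genuinely valid for the lookalike's name. The only thing that distinguishes it from a certificate for the real brand is the string in the address bar, which is exactly the part a phishing victim is not reading.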
