SECURITY · 8 MIN READ · JUNE 6, 2026

The HTTPS padlock lie — why SSL does not mean a website is safe to pay on.

Between 2014 and 2020 the internet agreed on a piece of folk wisdom: look for the padlock. In 2026 that advice is actively misleading. Anti-Phishing Working Group studies have shown, for several years running, that the majority of phishing sites carry valid SSL certificates. The padlock proves the connection is encrypted — not that the operator is honest. This post breaks down what it actually proves, why free SSL changed the game, the difference between DV, OV and EV certificates, and what to check instead before you enter a card number.

01 · WHAT THE PADLOCK MEANS

What the padlock actually proves — and what it does not

The padlock proves exactly three things, and exactly nothing more:

  • The connection is encrypted: nobody between you and the server can read what you are sending. Your card number will not be intercepted on the network.
  • The server's identity hasn't been hijacked: the site you are connected to actually controls the domain in the URL. A man-in-the-middle attack can't silently swap pages on you.
  • A trusted CA issued the certificate: some certificate authority — one your browser's trust store agrees with — vouched that whoever owns the domain proved they owned it.
  • What it does NOT prove: it does not say the site is honest, the operator is a real business, the page won't steal your money, or that the site isn't actively phishing right now. Mental model: a sealed envelope. Untampered in transit; says nothing about the honesty of the writer.

02 · FREE SSL

How free SSL changed the game

Until 2015, SSL certificates cost money — small but enough to deter the average phishing operator running 20 throwaway domains. Then Let's Encrypt launched.

  • Pre-2015 baseline: phishing sites were predominantly HTTP. The padlock heuristic worked because it correlated with operators who at least spent money on infrastructure.
  • Let's Encrypt arrives (Nov 2015): free, automated DV certificates, valid 90 days, renewable forever. Wonderful for the open web. Also wonderful for phishing.
  • By 2018: the majority of phishing domains carry Let's Encrypt certificates. The padlock heuristic stops being a signal — yet most internet safety advice never updates.
  • Today: every meaningful CA offers free or near-free DV. A scammer can spin up a fully HTTPS phishing site — padlock included — in under fifteen minutes.

03 · DV vs OV vs EV

Three certificate tiers — and why browsers stopped distinguishing them

Not all certificates require the same level of proof. The difference matters, even if your browser no longer surfaces it:

  • DV (Domain Validation): the CA verifies one thing — you control the domain. A scammer who bought flipkart-deals.shop can get a DV cert for it in minutes. Let's Encrypt, ZeroSSL and most free CAs only issue DV.
  • OV (Organization Validation): the CA verifies that a real registered business owns the domain. Paperwork — business registration, phone verification, sometimes a physical address check. Days to issue, ~$50–150/year. Real e-commerce often uses OV.
  • EV (Extended Validation): the strictest tier. The CA performs detailed background checks — legal existence, operational presence, identity of the requester. $200+/year, a week or more to issue. Banks and large financial institutions still use EV.
  • Browsers hide the difference: Chrome stopped showing the green "Trusted" bar for EV in 2019. Firefox followed. A $0 Let's Encrypt cert and a $300 EV cert from DigiCert now show the exact same padlock. You have to click in to certificate details — almost no user does.

04 · REAL CHECKS

What to check beyond the padlock

If the padlock is no longer a useful single-bit safety check, three fast follow-ups catch most phishing:

  • Certificate issuer: Let's Encrypt or ZeroSSL on a site claiming to be a major retailer is a red flag. Real retailers usually pay for OV/EV from Sectigo, DigiCert, GlobalSign or Entrust.
  • Cert issue date vs domain age: a certificate issued three days ago, on a domain registered last week, on a page asking for card details — scam pattern on autopilot. Match the timeline against the brand it claims to be.
  • Subject Alternative Names (SANs): real companies cover a sensible list of related subdomains. Scam certs often cover wildly unrelated domains because one certificate with many SANs was reused across many fake sites.
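
The DV/OV/EV distinction from section 03 and the three follow-up checks above can be automated over the dict that Python's ssl.SSLSocket.getpeercert() returns. The script below is an added example, not code from the post; the two certificates in it are constructed samples (the example-retail.test names, the look-alike SANs, the dates and the 14/30-day thresholds are all assumptions), and the issuer and SAN rules are heuristics, not a verdict.

```python
"""Triage one TLS certificate in the getpeercert() dict shape. Samples are CONSTRUCTED."""
from ssl import cert_time_to_seconds  # parses 'Jun  6 00:00:00 2026 GMT' to a UTC epoch

FREE_DV_CAS = ("Let's Encrypt", "ZeroSSL")  # the free, DV-only issuers the post names

def _attr(rdn_seq, name):
    """Read one attribute from the ((('key', 'value'),), ...) subject/issuer tuples."""
    return next((v for rdn in rdn_seq for k, v in rdn if k == name), None)

def cert_tier(cert):
    """DV: only a commonName. OV: organizationName present. EV: OV plus EV-only fields."""
    subj = cert["subject"]
    if _attr(subj, "organizationName") is None:
        return "DV"
    return "EV" if _attr(subj, "businessCategory") or _attr(subj, "jurisdictionCountryName") else "OV"

def base_domains(cert):
    """Crude registrable-domain grouping (last two labels) of the DNS SANs; heuristic only."""
    sans = (v for t, v in cert.get("subjectAltName", ()) if t == "DNS")
    return {".".join(s.lower().split(".")[-2:]) for s in sans}

def triage(cert, now, domain_registered, claims_major_brand):
    """Return (tier, red_flags). Times are epoch seconds; the day thresholds are assumptions."""
    flags = []
    issuer = _attr(cert["issuer"], "organizationName") or "unknown"
    if claims_major_brand and any(ca in issuer for ca in FREE_DV_CAS):
        flags.append(f"free DV issuer ({issuer}) on a site posing as a major brand")
    cert_age = (now - cert_time_to_seconds(cert["notBefore"])) // 86400
    domain_age = (now - domain_registered) // 86400
    if cert_age < 14 and domain_age < 30:
        flags.append(f"cert is {cert_age}d old on a {domain_age}d-old domain")
    if len(base_domains(cert)) > 1:
        flags.append(f"SANs span unrelated domains: {sorted(base_domains(cert))}")
    return cert_tier(cert), flags

NOW = cert_time_to_seconds("Jun  6 00:00:00 2026 GMT")  # the post's publication date
# Constructed OV cert for a retailer: paid issuer, old domain, SANs all under one name.
RETAILER = {"subject": ((("organizationName", "Example Retail Ltd"),),
                        (("commonName", "www.example-retail.test"),)),
            "issuer": ((("organizationName", "DigiCert Inc"),),), "notBefore": "Jan  5 00:00:00 2025 GMT",
            "subjectAltName": (("DNS", "www.example-retail.test"), ("DNS", "pay.example-retail.test"))}
RETAILER_REGISTERED = cert_time_to_seconds("Mar  1 00:00:00 2015 GMT")
# Constructed DV cert for the post's flipkart-deals.shop scenario: days old, shared across look-alikes.
LOOKALIKE = {"subject": ((("commonName", "flipkart-deals.shop"),),),
             "issuer": ((("organizationName", "Let's Encrypt"),),),
             "notBefore": "Jun  3 00:00:00 2026 GMT",
             "subjectAltName": (("DNS", "flipkart-deals.shop"), ("DNS", "bigsale-offers.top"),
                                ("DNS", "kyc-update.xyz"))}
LOOKALIKE_REGISTERED = cert_time_to_seconds("May 30 00:00:00 2026 GMT")
```

Calling triage(LOOKALIKE, NOW, LOOKALIKE_REGISTERED, True) returns "DV" with all three flags raised; the same call on RETAILER returns "OV" with none. On a live socket, the same dict comes from sock.getpeercert() after a verified handshake, and the domain registration date comes from WHOIS.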

05 · BROWSERS

Why browsers stopped showing the green bar

Until ~2019, EV certificates triggered a green address bar with the company's name (PayPal, Inc. (US)). The visual was meant to say "this is the real PayPal".

  • Research finding: users didn't notice the green bar. They didn't notice when it was missing either. Scammers worked around it with shell companies and similar-sounding names. The signal was strong in theory, almost useless in practice.
  • The removal: Chrome and Firefox both decided the green bar created false confidence without measurable safety improvement. Removed.
  • Downside: EV certificates now have almost no visible signal.
  • Upside: the padlock finally doesn't pretend to mean more than it does. Treat the padlock as table stakes — its absence is a hard no, its presence is no signal at all. The real safety check is everything else: domain age, WHOIS, reverse IP, blacklist, certificate issuer.

06 · FAQ

Frequently asked questions

  • If I see HTTPS, is the website safe? No. HTTPS only means the connection is encrypted and the certificate is valid. It says nothing about whether the operator is trustworthy. Most phishing sites in 2026 use HTTPS.
  • Should I worry about a site without HTTPS? Yes — but for a different reason. HTTP-only sites in 2026 are rare and usually indicate neglect or an abandoned page. Don't enter sensitive data on HTTP, but don't treat HTTPS as proof of the opposite.
  • How can I tell what kind of SSL certificate a site has? Click the padlock and view certificate details. Look for "Organization" in the subject — if populated, you are looking at OV or EV. If only the domain is listed, it's a DV certificate.
  • Is Let's Encrypt bad? Not at all. Let's Encrypt is a public good that secured millions of sites that would otherwise still be on HTTP. The problem is treating its presence as a trust signal. It proves only that the operator could pass a domain-control check and run a renewal script.