What is the Browser Padlock Icon?
If you see that a website has a lock beside it in the search/address bar, that symbol does not mean you’re locked out of it. It means the website is using security where information between your browser and the server is encrypted. It’s a good thing because people between those two points cannot intercept the communication.
Websites with no security will not have this lock symbol showing.
Bottom line… websites with the padlock are good to go to. It means they’re secure.
If you want to learn more about this, I’ve written quite a bit about this topic below and some of it gets technical. Read on…
Are Locked Websites Safe to Go To?
Yes, it means websites with a padlock in the address (or search bar) are using SSL, which is encryption between the server and your browser. The lock symbol in the website address does not mean, however, that these websites are free from viruses or malware.
The website security padlock symbol in the address bar says that information between your web browser and the server is encrypted so that other people (like hackers sitting in between your browser and the web server) cannot snoop on what information is being sent back and forth. It looks like gibberish to them.
This is useful for when you are putting sensitive information into a website like your credit card number or social security number. Any page that you’re putting that kind of information into should have that lock symbol showing so that you know the page is secure.
So don’t worry – there’s nothing wrong with your browser and you didn’t do anything wrong. Like I said, it’s a good thing. It’s added security.
Google is encouraging website owners to make all pages of their website secure, so you’re going to start seeing this symbol more and more.
Why do Online Banking and Shopping Websites Have a Padlock Symbol?
That padlock means that the communication between your computer and them is locked. It’s encrypted so that nobody else can read what’s going on. It’s a closed/private session.
To explain how it technically works would be long and boring but here’s a basic explanation. The Internet is a public space – everyone is using it at once. You don’t have a plug in your computer that goes directly to your bank – you have a plug/connection with your computer that goes to everything. The connection is shared – that’s the Internet. It’s like a “party line” in the old days (if anyone still remembers that – I’m actually too young but I heard about it).
To get around everyone being able to snoop on your account password or how much money you have in your account (or social security numbers, credit card numbers – any private information), mathematicians and scientists came out with a way to make your connection with your bank look like gibberish to everyone else except you and your bank. It’s pretty genius, actually.
Is a Website Secure if There’s No Padlock Symbol?
If the Padlock is Open in the Address Bar, is it Safe?
A website with an open padlock symbol is safe only if you are not sending sensitive information to a website – like credit card info, your social security number, etc.
If there is no padlock symbol showing, then you may see a page icon or an icon with an “i” in it. This means the page was not sent to you securely. This may be just fine if there isn’t any sensitive information on the page. If it’s a credit card page or a page sent with your contact information, then this isn’t good. You should contact the website’s owner and file a complaint with them.
A page that doesn’t display a lock symbol in the web browser but has a “not secure” note or a line through the padlock means parts of the page could still be secure, but that’s not the best practice in website design.
You might see a message like: “The site uses SSL, but Google Chrome has detected insecure content on the page. Be careful if you’re entering sensitive information on this page. Insecure content can provide a loophole for someone to change the look of the page.”
It means the connection for the page itself is secure but there are one or more elements on the page that did not get transmitted securely.
It’s very easy for this to happen to a website, so don’t sweat it. One small change to a website can trigger this. Security is still working but again, one or more elements (images, JavaScripts, etc.) are not being transmitted securely. If one image on a page isn’t secure, your credit card information is still being securely sent, so it’s fine.
An Extended Verification Certificate is Showing (VERY GOOD)
If a website has an Extended Verification Certificate, you’ll see an even bigger green bar. This kind of certificate costs more and it says that the company’s identity has been verified. Some people might even call this a “secure payment symbol.”
This extra verification means a company has been verified to be a real business. It doesn’t mean that companies without this are not real businesses but just that companies that use extended verification certificates really want to show that they are trustworthy.
Do You See https But No Padlock?
Why no padlock?
If there’s not a padlock showing on a secure website or it’s crossed out or has an “x” on it, then it might look like this:
If a website says https in the address bar but there’s no padlock (and you may see a slash through it), then that could mean the website is using a secure port but there isn’t an SSL certificate installed or it’s not currently up to date (was not renewed).
This could show up as a “privacy error” and your web browser will display a warning before it lets you continue on to the website. It’s doing this so that you know there’s a page that’s trying to be secure but it’s not actually secure or their certificate has expired.
“This Website is Using an Invalid Certificate”
When you see this message, it means that the certificate being used isn’t set up right or something doesn’t match up the way it should. This could simply be a web server that’s not set up the right way or it could mean something else is going on. It’s best to stay away from a website where this message is showing.
Certificate is Expired
If a certificate is expired, then security is still working but the website owner or website host did not renew the security (SSL) certificate. You’ll see a warning message about this but you can accept it and get past it and go to the website if you want. They DO have security set up, it’s just expired. They might be working on getting it renewed.
Find Out More About the Security of a Website
To learn more about how a website’s security works, you can click on that lock symbol.
Click on the “Details” link and keep clicking – you can find out quite a bit:
All the lock symbol does is say if the connection is secure or not. You don’t ever know if the website is safe (the software it uses – and no software is 100% secure) from the lock symbol – again, it’s the connection that the lock is there for.
Still Confused?
Here’s a video explaining about the secure connection in your web browser:
Look for the “https” in Your Browser’s Address Bar
See if it shows “https” instead of just “http” – make sure the “s” is in the address bar in your web browser. You should see it and you may see more information about the security as well – depending on how strong the SSL is.
Basic SSL (2048 bit) is secure enough right now.
Some browsers now have the “http://” and “https://” part of the address hidden. You can turn that on if you want and I would suggest doing that so that you can better see which pages are secure and which ones are not.
If you want to turn the http part back on in your browser bar, then here are articles on how to do it:
- Firefox: How do I get firefox to show the http:// in a web address? (support.mozilla.org)
- Safari: How to Show the Full Website URL in Safari for OS X Yosemite & El Capitan (osxdaily.com)
For Chrome, this page explains it:
How to restore the URL in Google Chrome’s omnibox, i.e. always show it without right-click “Show Url” (superuser.com)
- In the omnibox, browse to chrome://flags/#origin-chip-in-omnibox
- Change the setting to “Disabled”
- If the changes don’t take effect immediately (i.e. the full URL is still not shown), close and reopen Chrome
Why no Padlock? What if There Isn’t a Lock Symbol on a Credit Card Page?
The problem that is most likely encountered when a page with a credit card form on it does not have the lock symbol is that there is an element or two on the page that was not transmitted to the website visitor securely.
This item can be anything from a JavaScript file to a CSS file (style sheet) to an image or video. Websites will often have a widget or code they get from another website to post on their website template. Since that code has references that are http and not https, those elements end up on an https page, causing the web browser to not show the lock symbol since not every element on the page has been transmitted securely.
What if The Lock Symbol is Broken?
Here is what you should do:
- If you notice the absence of a lock symbol on a page and you ended up on here, looking for answers, then please contact the owner of that particular website and make sure they know that their secure pages are missing the lock symbol. Again, those pages should show “https” and not “http” in the address bar (some web browsers are not showing the “http” part anymore, we know, but there are ways of turning that back on).
- If you want a page that is not showing a lock symbol on your website fixed, then please contact the Website Maintenance Department at Webstix, submit a ticket and they can get you a quote on that work.
Why is There a Lock on my website?
The padlock doesn’t mean the website is locked down or anything like that, it just means the page is secure and that’s a good thing.
If it’s on a website you own, then that’s fine. It’s telling people that your website is secure and they should trust it more.
How to Fix a Broken Lock Symbol if You Own the Website
To fix it, a few things can be done (by your website developer):
- Items that are not secure must be removed from pages that are secure – meaning pages that have https in the address bar.
- Write some logic into the template/theme file to not show some particular code on a page if the page is secure.
- Change (force) the URLs to https but if the domain hosting that code does not have an SSL certificate installed, then it cannot be done.
Is the SSL Certificate Expired?
Another thing that can go wrong is that the SSL certificate is expired. If that’s the case, then the website visitor will see a warning stating that the transaction might not be secure.
Website owners should make sure they know when their SSL certificate is set to expire so that it can be renewed before it expires – this way, people will not see this message.
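One way a website owner could keep track of that expiry date, as an added example that is not part of the original article. The 30-day warning window, the host name and the sample certificate are assumptions made for the illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 30  # assumed warning threshold, not a value from the article


def fetch_certificate(host, port=443, timeout=5.0):
    """Connect the way a browser would and return the server certificate
    as the dict produced by ssl.SSLSocket.getpeercert()."""
    context = ssl.create_default_context()  # verifies chain, hostname and dates
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_remaining(cert, now=None):
    """Whole days until the certificate's notAfter date (negative once expired)."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - (now or datetime.now(timezone.utc))).days


def renewal_status(cert, now=None, window=RENEW_WINDOW_DAYS):
    """Classify a certificate as 'expired', 'renew soon' or 'ok'."""
    left = days_remaining(cert, now)
    if left < 0:
        return "expired"
    return "renew soon" if left <= window else "ok"


def check_host(host):
    """Status for a live host. An already-expired or mismatched certificate
    fails the handshake, so that case is reported from the exception."""
    try:
        return renewal_status(fetch_certificate(host))
    except ssl.SSLCertVerificationError as exc:
        return "rejected: " + exc.verify_message


# Constructed certificate fields in getpeercert() format, for offline use.
SAMPLE_CERT = {"subject": ((("commonName", "shop.example"),),),
               "notAfter": "Jun  1 12:00:00 2025 GMT"}

if __name__ == "__main__":
    check_time = datetime(2025, 5, 20, 12, tzinfo=timezone.utc)
    print(days_remaining(SAMPLE_CERT, check_time),
          renewal_status(SAMPLE_CERT, check_time))
```

Running `check_host` on a schedule against your own domain gives the warning before visitors ever see the browser message.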
The First Page Doesn’t “Technically” Need to be Secure
What many people may not understand is that the page you’re putting your credit card information into does not need to be secure itself.
It’s just a form on a page where you put your information. For you to first get that page containing that form, the connection did not need to be secure.
However, the page that the information is being submitted TO does have to be https for the transaction to be transmitted securely to the server.
Let’s take a step back for a moment…
Forms (like credit card forms on a page) have three parts:
- The page the form is sitting on.
- The script (and page) the form submits to.
- The results page – often called a “Thank You” page which indicates success.
We call the submit (clicking the “check out” button or whatever) a “post” in web lingo – the form posts to a script (computer program) sitting on your website. This is a PHP or CGI or DotNet program that does something with the information it’s receiving. When you post the form to that script, that communication does need to be secure. That is what makes a transaction secure – well, part of it.
The next part of the secure transaction happens within the script itself. That script can either store the information (which it really shouldn’t if it’s sensitive information like a credit card or social security number) or else it does something else with it like send it through a payment gateway and subsequently from there, the payment gateway connects with a bank to see if funds are available, for example.
The communication from the script (server) to the payment gateway also needs to be secure. There’s no way to tell in your web browser if that communication is secure since it’s beyond your web browser – another layer deep. You just have to trust that things are set up right and that’s where there’s such a thing as PCI Compliance.
Does the first page need to be secure?
Technically, no. That’s what I’m trying to explain here.
Here’s how that is diagrammed:
This shows that the first page does not need a lock symbol (technically) but the other pages definitely do need to be secure.
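A page checker covering both points above: the http elements that break the lock symbol on an https page, and where each form actually posts to. This is an added example, not code from the original article, and the host names and sample page are constructed. It also reports whether the page holding the form was itself sent over https, since otherwise the form markup (including its action) arrived unencrypted.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Scripts, stylesheets and frames are "active" mixed content (they can change
# the page); images and media are "passive". Tag -> attribute holding the URL.
ACTIVE = {"script": "src", "iframe": "src", "link": "href"}
PASSIVE = {"img": "src", "video": "src", "audio": "src", "source": "src"}


class PageAudit(HTMLParser):
    """Collect subresource URLs and form targets, resolved against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []  # (kind, tag, absolute_url)
        self.forms = []      # absolute URL each form posts to

    def handle_starttag(self, tag, attrs):
        attr = {name: (value or "") for name, value in attrs}
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self.forms.append(urljoin(self.page_url, attr.get("action", "")))
            return
        if tag == "link" and "stylesheet" not in attr.get("rel", "").lower().split():
            return  # canonical/alternate links are not fetched as subresources
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            url = attr.get(table.get(tag, ""), "")
            if url:
                self.resources.append((kind, tag, urljoin(self.page_url, url)))


def audit(page_url, html):
    """Return mixed-content elements and the transport each form posts over."""
    parser = PageAudit(page_url)
    parser.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    # Mixed content only exists on an https page that pulls in http elements.
    mixed = [r for r in parser.resources
             if page_https and urlsplit(r[2]).scheme == "http"]
    forms = [(url, "encrypted" if urlsplit(url).scheme == "https" else "cleartext")
             for url in parser.forms]
    return {"page_encrypted": page_https, "mixed": mixed, "forms": forms}


# Constructed sample page, not taken from any real site.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://shop.example/checkout">
<script src="http://widgets.example/badge.js"></script>
<script src="//cdn.example/lib.js"></script>
</head><body>
<img src="http://images.example/logo.png">
<form method="post" action="http://shop.example/pay.php"></form>
<form method="post" action="https://pay.shop.example/charge"></form>
<form method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for url in ("https://shop.example/checkout", "http://shop.example/checkout"):
        print(url, audit(url, SAMPLE))
```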
Best Practices
With that said, people ARE used to seeing the lock symbol on the page that they are putting their information into. So the first page should have a lock symbol and be secure.
If that is done, then you, as the website owner, are showing your customers that you value their security and sensitive information and are conveying to them that you have adequate security in place. Having a lock in the address bar is the best practice and should be followed.
Conclusion
I hope this clears things up a bit – even though I threw a lot of information at you.
What most websites are doing now is just securing every page. That is what Google likes, so it’s good for SEO. When you do this, you want to set up your .htaccess file to force SSL and make sure every page and every item on every page is secure.
If you are putting your credit card information or other sensitive information (social security number, etc.) into a website, it’s best to just make sure that the page you’re putting that into HAS the lock symbol in it. When you see the lock symbol on that page, you see that the website owner cares about security even though that page technically doesn’t need to be secure.
If the lock symbol is not there, then your information could be sent “in the clear” which means anyone between you and the server can intercept that information and use it how they please. Protect your identity and don’t become a victim of identity theft and check for that lock symbol all the time.
Oh, and if you’re still using Internet Explorer for your web browser… then stop – immediately! Your computer may already be hacked. It’s a really bad browser.
Stop Using Internet Explorer… Like, Now! (tonyherman.com)
Thanks for a very helpful document.
My nonprofit has a Website and find that we collect credit card info on a page that has no padlock or https in address bar. There is a padlock below the line which contains the credit card and CVV. But the padlock is after the confidential info is collected but presumably before it is transmitted to the contractor’s web site. The contractor maintains that the data is secure. Is it?
Good question but I don’t understand what you mean by “There is a padlock below the line which contain the credit card and CVV” – is that just an image of a padlock on the page? If so, that wouldn’t have any effect on anything. And you can’t really split a page in half saying one half is secure and the other half isn’t. Maybe reply and explain that some more or give me the URL.
If the form on the page “submits to” (technical term meaning “go to”) a secure script/page, then the information IS transmitted securely.
Absolutely fantastic article detailing the Pad Locks appearances and its meaning and what happens under the hood. THANKS !!
You are awesome, man. You answered everything clear and concise. So many people on help sites just blabber on and on and you just get bored and get no answers!! You hit a homerun on this one! I for sure will read your site from here on in! Enjoy the weekend! Thank you again for cutting through the nonsense and giving a clear answer!
It is good to know a website is secure by it showing a padlock. I take it that all that I type into that webpage will be encrypted on their end. But is it still not possible that someone could be recording all my keystrokes on my PC? So all that data I type can still be stolen from me.
I have Avira and Malwarebytes but I don’t know if they are not [vulnerable] in some way.
Good question!
Yes, a keystroke logger, malware or anything like that on your computer can still gather information even though a website connection is secure. The padlock (SSL certificate) only encrypts the data between your computer and the server that hosts the website – nothing more. Yes, it’s encrypted both ways, so on the website’s side as well.
Hi,
The padlock may be a good thing, but it is taking 10 to 15 minutes to go to the internet site I want. Such as BT.com through Switch for internet comparison, or when I sign a petition for 38Degrees in the UK. If it’s too slow, how can I turn it off on my Macbook Pro 13 2012 running El Capitan. Recently upgraded security El Capitan and that’s when it encrypted my hard drive I thought, oh good it’s more safe now! But it’s a pain waiting to go to my regular backward progress
Hello
My fiance and I are having a discussion about internet security.
If there is only an I showing and not a green secure symbol is this good or Bad?
My fiance says the I means information.
I am thinking it means an insecure site and you should not place personal information on it and any information received from such site may be foul too.
What is the correct answer CIA?
If there is both symbols showing what does that mean also?
Thank You
For your answers
Hi Wayne,
Parts of your message are missing or something but a symbol that’s totally green means every item on that page came through securely. Is there a risk if an image or two did not come through securely? No but people that run websites should make sure those problems don’t exist.
February 11, 2017 Sunday Urgent Urgent Urgent
Should a lock (padlock) look the same at all website addresses? The lock is regular at protonmail.com email account log in page in the address bar but on the page itself the lock has a down arrow design in white. When I log in the tab to the browser changes to an I in a circle without me causing it to. I am not sure if I should continue to use my email account.
Hi Sandra, it looks like their logo is a padlock with a down arrow. That’s different than the padlock in your browser indicating if the website is secure or not.
Hello, I can see that this is a bit of an older post, but I am hoping to receive an answer. I purchased unknowingly from a website that had the lower case I symbol within a circle. At the time, I was ignorant of the importance of the padlock. I put in a review, in which I mentioned the security issue…they denied it and responded that “my review did not meet their guidelines”. That is fine that they censor reviews, they have that right I suppose, but is there anything I can do or anybody that I can report them to? As I now believe that this is being done intentionally, as they did not apologize, acknowledge the issue, etc. I emailed them again, and they never responded. I checked the website and it still is showing up as unsecure, and I know others probably are ignorant of this as well. I just would hate for these people to get away with this. It seems sketchy as the company is UK based, but spread to California as well. The person who tried to charge over 1,000 on my card was from the UK so I am concerned that this is intentional, as the company is based there….. maybe my concerns are unfounded. Please help!
Hi Nicole,
I’ll try to help.
A lower case symbol with a circle sounds more like a copyright symbol than a padlock, so I’m not sure what you mean there.
Typically, a review is for a product, so telling them about a website security issue in a product review would be something they would reject. If there’s another way to communicate with them like a Contact Us form, do that.
As my article explains, the page might actually be secure if the one you get to after you submit a form is secure. Maybe that’s what is going on.
The best thing is to just not use a website that has security that doesn’t look good.
My website padlock outline shows black but is clear on inside of black outline. In other words it does not show green, yellow or red. Just a black outline. Please answer as I worry a lot.
Which web browser are you using?
What about fake padlocks? Possible?
Do you know how to make a lock screen asking for permission to show your location? I want to put a built in location map on my blogger blog.
I think your website is hacked. Any time I click on a link that interests me it opens the page below and there was no way back. I’m not giving my website address since I’m not sure what is going on. Three days ago I noticed severe slowness of my website and I’m looking for an answer to what is causing it.
I checked with the server and I was told my website has enormous traffic. It completely surprised me because I asked which pages and it was wp-admin (it’s me) and contact page. So all spam I guess.
https://deals.bullionmax.com/silver-bar-giveaway/all-entries/
Thanks for the note, but that’s not a hack, it’s what I call “pop-forwarding” or “pop-tab” marketing and it works pretty well.