The padlock in your browser is one of the most misunderstood symbols online. Many people see it and assume the site is safe to buy from and honest to deal with. It does not mean that.
HTTPS tells you one specific thing: your connection to the site is encrypted. That is worth having, but it says nothing about who runs the site or whether they intend to treat you fairly. This guide explains what the padlock really tells you and what to check instead.
Paste an address for a free safety check: encryption, malware and phishing, domain age and more.
HTTPS means the data travelling between your device and the website is encrypted, so someone on the same network cannot easily read your password or card number in transit. That is all it guarantees.
It does not confirm that the business is real, that the products exist, or that anyone will honour your order. The padlock is about the pipe your data travels through, not about the person at the other end of it.
Encryption protects the connection, not your money. A scam shop can run on HTTPS just like a real one.
A standard certificate does not verify a company name or address. It only proves control of the domain.
An encrypted page can still host malware or a phishing form. HTTPS does not scan the content.
Lookalike domains can hold a valid certificate too, so the padlock does not confirm you are on the real brand.
Certificates used to cost money and take effort. Today they are free and automatic through services such as Let's Encrypt, and a new site can have a valid certificate within minutes of going live. Scammers use these services just like everyone else.
That is why the padlock is now the norm rather than a mark of trust. There is also a common trap: because browsers show a "Not secure" warning on sites without HTTPS, people read the absence of that warning as a positive endorsement. It is not. A padlock only means the warning does not apply, not that the site earned your trust.
No. HTTPS is necessary, and its absence is a genuine red flag. If a site asks for a password or payment over a plain HTTP connection, do not enter anything, because your details could be read in transit. Ongoing SSL monitoring also helps site owners catch expired or broken certificates early.
The point is balance. Missing HTTPS is a reason to walk away, but present HTTPS proves very little on its own. Treat the padlock as the bare minimum, then judge the site on domain age, reviews, contact details and whether it is flagged for malware or phishing.
No. The padlock only means your connection to the site is encrypted. It says nothing about whether the business is real or honest, so you still need to check other signals before you buy.
Yes. Certificates are free and automatic through services like Let's Encrypt, so scammers get them as easily as legitimate businesses. A padlock on a scam site is common.
A missing padlock is a real red flag, especially on any page that asks for a password or payment. Without encryption your details can be read in transit, so avoid entering sensitive information.
That label appears when a site does not use HTTPS, so the connection is not encrypted. When the label is absent it simply means the connection is encrypted, not that the site itself is trustworthy.
Look at several signals together: domain age, independent reviews, real contact details, and whether the site is flagged for malware or phishing. A free safety check can gather the technical parts for you in seconds.
Free, anonymous, and no signup. Know before you buy.