
Check the "Lock" Details

A green lock just means the connection is encrypted, not that the site is safe. Verify the Certificate Owner.

The Lock Is Not a Guarantee of Safety

The padlock icon in your browser means one thing: the connection between your browser and the server is encrypted. It does not mean:

  • The site is legitimate
  • The site isn't run by criminals
  • Your data won't be stolen
  • The site is who it claims to be

Let's Encrypt issues free SSL/TLS certificates automatically to anyone who can show control of a domain, with no verification of who they are. A phishing site for "paypal-secure-login.com" can have a valid SSL certificate, a green lock, and "HTTPS", because encryption and identity are separate things.

What the Lock Actually Tells You

When you click the lock icon in Chrome, Firefox, or Safari, you see:

  1. Connection is secure: Traffic is encrypted in transit ✓
  2. Certificate issued to: The organization or domain the certificate was issued to
  3. Certificate authority: Who verified the identity claim

The critical field is "Certificate issued to." For a bank, this should say your bank's legal name, not just the domain.

Types of SSL Certificates

Domain Validated (DV): The cheapest and most common. Proves only that the certificate holder controls the domain. No identity verification. This is what Let's Encrypt issues. A fraudster can have one.

Organization Validated (OV): The certificate authority verified the organization's legal existence. Click the lock → Certificate → Subject to see "O=" (Organization). This provides meaningful identity assurance.

Extended Validation (EV): The most rigorous verification — legal existence, physical address, operational existence all verified. Historically showed the company name in the address bar (browsers have moved away from this visual distinction).

How to Inspect a Certificate

Chrome:

  1. Click the lock → "Connection is secure" → "Certificate is valid"
  2. Check the "Subject" field — who is this certificate actually issued to?
  3. Check "Valid from / to" — is it expired?
  4. Check "Issued by" — is it a recognized certificate authority?

Firefox:

  1. Click the lock → "Connection Secure" → "More information"
  2. Security tab → View Certificate

Red Flags

  • The domain in the certificate doesn't match the site you're visiting
  • The certificate was issued by an unknown or self-signed authority
  • The certificate is expired
  • The organization name in the certificate doesn't match who you think you're talking to

Beyond the Lock: Additional Checks

For high-stakes transactions (banking, wire transfers, entering an SSN):

  1. Type the URL directly rather than clicking links
  2. Verify the domain name character by character (watch for Unicode look-alikes)
  3. Check the certificate organization name
  4. Look up the domain age on whois — brand new domains (<30 days) are suspicious
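
The Red Flags list and the look-alike check above can also be run as a script. This is an added example, not code from the original page: the function names are hypothetical, the certificates are constructed samples in the dict shape that Python's ssl.getpeercert() returns, and "Example CA" and "Example Bank" are made-up names.

```python
import socket
import ssl
import time

def fetch_cert(host, port=443):
    """Live use: validated leaf cert as the dict getpeercert() returns."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _attr(name, key):
    """Read one attribute (e.g. organizationName) from a subject tuple."""
    return next((v for rdn in name for k, v in rdn if k == key), None)

def _matches(pattern, host):
    """Exact match, or a wildcard covering only the leftmost label."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def red_flags(cert, host, now=None):
    """Return which of the red flags above apply to cert for this host."""
    host = host.lower()
    now = time.time() if now is None else now
    flags = []
    sans = [v.lower() for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not any(_matches(n, host) for n in sans):
        flags.append("domain mismatch")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        flags.append("expired")
    if cert.get("issuer") == cert.get("subject"):
        flags.append("self-signed")
    if _attr(cert.get("subject", ()), "organizationName") is None:
        flags.append("no organization in subject (DV)")
    if any(p.startswith("xn--") or not p.isascii() for p in host.split(".")):
        flags.append("punycode or non-ASCII label")
    return flags

# Constructed sample certificates in getpeercert() form, not captured data.
NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")
CA = ((("organizationName", "Example CA"),), (("commonName", "Example R1"),))
DV = {"subject": ((("commonName", "paypal-secure-login.com"),),), "issuer": CA,
      "notAfter": "Aug  1 00:00:00 2025 GMT",
      "subjectAltName": (("DNS", "paypal-secure-login.com"),)}
OV = {"subject": ((("organizationName", "Example Bank"),),
                  (("commonName", "www.bank.example"),)), "issuer": CA,
      "notAfter": "Aug  1 00:00:00 2025 GMT",
      "subjectAltName": (("DNS", "www.bank.example"),)}
```

On a live connection, fetch_cert raises ssl.SSLCertVerificationError for an expired, mismatched or untrusted certificate, which is the same failure the browser shows as a warning page. What is left for red_flags to catch are the cases the lock does not cover: a valid DV certificate with no organization, and a look-alike hostname.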

The lock tells you the channel is private. You still need to verify you're talking to the right person.
