Most websites are required to implement HTTPS protocol to protect their visitors’ information. This is mistakenly seen as proof that the website itself is safe to visit and interact with.
Hackers and cybercriminals are counting on this belief to hide behind HTTPS sites and practice their suspicious online activities. With the anticipation that people think they are safe as long as they have the green padlock activated in their browsers.
Does HTTPS (Padlock) mean a website is safe?
An HTTPS padlock does NOT mean the website is secure or safe. It just indicates that the connection to the website is encrypted but doesn’t guarantee in any way that the website itself is not fake or dangerous.
The Difference Between HTTP and HTTPS
The plain HTTP protocol (without ‘s’) is the main mechanism for surfing the internet, it handles the connection between the browser and the visited website. Data to HTTP websites are sent in a plain format so anyone in the middle of the connection can read and modify it.
HTTPS (‘s’ = secure) is an enhanced version of HTTP, it adds an encryption layer to the exchanged information. This means even if attackers managed to hack the network, they won’t be able to read or change the connection information.
When visiting an HTTPS website, the request with all its information is encrypted on the browser side and sent to the website in an unreadable format. When received by the website, the encrypted data are decrypted on the website server which reads them to deliver the required webpage.
How Safe Are HTTPS:// Websites?
An HTTPS:// website is simply a normal website that uses an encrypted HTTPS connection when visitors land on it. This indicates that the connection to the website is encrypted so no one can intercept the exchanged information or modify it.
That said, when submitting personal information or credit card details to an HTTPS website, this information is safe from being stolen by hackers sitting on the network between your browser and the website. Nonetheless, if you don’t trust the website, there is no guarantee this sensitive information is not going to be stolen by the website itself!
To implement an HTTPS connection, websites need to obtain an SSL/TLS certificate that handles the encryption mechanism. Any website, even malicious ones, can obtain this certificate for free and without any inspection of the website’s code or activities.
Of course, these free SSL/TLS certificates are meant to bring free means to protect the online users’ information but are also used by bad people at the same time.
What Does HTTPS Padlock Mean?
HTTPS websites are usually indicated by the https://
prefix and the padlock (lock icon) that appears next to the website URL in the web browsers. If provided, this padlock just means this website has a valid HTTPS certificate and its webpages are being served over HTTPS instead of the plain HTTP protocol. Again, a padlock doesn’t necessarily mean the website itself is not dangerous.
In any case, HTTP websites with no padlock (or a broken one) should be strongly avoided, because they are using an insecure connection. So anyone with network access (even your ISP) is able to steal the information you share with them.