The lock icon that appears next to a website address is one of the most visible indicators of web security, and one of the most misunderstood. Most people know it means something good, but fewer know exactly what it guarantees — and what it does not.
This guide explains what HTTPS is, how it works, what the lock icon actually confirms, and what to look for when you want to know if a website is genuinely safe to use.
What this covers:
What HTTPS stands for and how it differs from HTTP
How the encrypted connection is established
What the lock icon confirms — and its important limitation
Why HTTPS matters on public networks
How websites obtain SSL/TLS certificates
HTTPS and search engine rankings
What HTTPS Is
HTTPS stands for Hypertext Transfer Protocol Secure. HTTP is the protocol that your browser uses to request and receive web pages. HTTPS is the same protocol with an encryption layer added.
The difference matters in practical terms. Data sent over plain HTTP travels as readable text. Anyone positioned between your device and the website — on a shared network, at a router, or at any point along the route — can read it. A password, a form submission, a credit card number: all visible.
Data sent over HTTPS is encrypted before it leaves your device. Even if someone intercepts the data in transit, they see scrambled content that cannot be read without the decryption key. Only your browser and the website hold that key.
A useful analogy: HTTP is like sending a postcard — the message is readable by anyone who handles it. HTTPS is like sending a sealed envelope — only the intended recipient can open it.
How HTTPS Works
When your browser connects to an HTTPS website, a short negotiation happens before any data is exchanged:
Your browser requests the website's digital certificate, issued by a trusted Certificate Authority (CA).
The browser verifies the certificate — confirming the website is genuinely who it claims to be and that the certificate was issued by a recognized authority.
Browser and website use the certificate to agree on an encryption key.
All subsequent communication is encrypted with that key.
This process, called a TLS handshake, takes milliseconds. After it completes, the connection is secure. Any data you send — login credentials, payment information, form submissions — is encrypted in transit.
What the Lock Icon Means (and Does Not Mean)
The lock icon confirms two things: the connection between your browser and the website is encrypted, and the website's certificate was issued by a recognized Certificate Authority and passed your browser's checks.
What it does not confirm is that the website itself is trustworthy or legitimate.
This is the most important misunderstanding about HTTPS. A fraudulent website — a fake bank login page, a scam shopping site — can and routinely does use HTTPS. The lock icon tells you the connection to that site is private. It says nothing about the intentions of whoever runs the site.
The check to perform before entering sensitive information is not just "is there a lock?" but also "is this the actual website I intended to visit?" Confirm the domain name in the address bar matches the legitimate site. Scam sites often use domains that look similar to real ones — a transposed letter, a different top-level domain, an extra word.
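The domain check described above can be written down as code. This is an added example, not part of the original guide: it compares a hostname against a site you actually use and names which of the three lookalike patterns it shows. The domains, KNOWN_SITES and the function names are constructed for illustration, and the top-level domain is assumed to be the last label only.

```python
# Constructed allow-list: the sites you really intend to visit (assumption).
KNOWN_SITES = {"mybank.example"}


def registrable(host: str) -> tuple[str, str]:
    """Split 'www.mybank.example' into ('mybank', 'example').

    Simplification: the top-level domain is taken to be the last label,
    so multi-label suffixes such as 'co.uk' are not handled.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def is_transposition(a: str, b: str) -> bool:
    """True if b equals a with exactly one adjacent pair of letters swapped."""
    if len(a) != len(b):
        return False
    diff = [i for i in range(len(a)) if a[i] != b[i]]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def classify(host: str, known=KNOWN_SITES) -> str:
    """Say how `host` relates to the sites in `known`."""
    name, tld = registrable(host)
    targets = [registrable(site) for site in sorted(known)]
    # An exact match on any known site wins before lookalike checks run.
    if (name, tld) in targets:
        return "match"
    for k_name, _k_tld in targets:
        if name == k_name:
            return "different top-level domain"
        if is_transposition(k_name, name):
            return "transposed letter"
        if k_name in name:
            return "extra word"
    # Not the site you meant to visit, and not one of the three patterns.
    return "no match"


if __name__ == "__main__":
    # Constructed sample hostnames using reserved test domains.
    for h in ("www.mybank.example", "mybank.test", "mybnak.example",
              "mybank-secure.example", "weather.example"):
        print(f"{h:24} {classify(h)}")
```

Anything other than "match" means the address bar is not showing the site you intended, whether or not the lock icon is present.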
Why HTTPS Matters on Public Networks
On a shared or public network — a café, an airport, a hotel — other devices on the same network can, with the right tools, observe traffic. Without HTTPS, that means readable data: usernames, passwords, the content of forms you submit.
HTTPS makes this interception useless. The encrypted data is visible but unreadable. Your login to a banking site over public Wi-Fi is as secure as it would be on a private network, as long as the site uses HTTPS.
HTTP connections on public networks carry genuine risk. Modern browsers display a "Not Secure" warning for HTTP sites, and submitting sensitive information on an HTTP site on any network — public or private — is inadvisable.
How Websites Obtain HTTPS
For a website to use HTTPS, it needs an SSL/TLS certificate issued by a Certificate Authority. The certificate proves that whoever runs the website controls the domain name it claims.
Let's Encrypt provides free, automatically renewable certificates for any domain owner. Cloudflare also offers free HTTPS as part of its CDN service. Paid certificates from commercial CAs are still used for some purposes (notably extended validation certificates, which display more identity information in the browser), but the free options are sufficient for most sites.
Browser makers maintain a list of trusted Certificate Authorities. When a browser encounters a certificate issued by a CA on that list, it trusts it automatically. When it encounters a certificate from an unknown authority, or a certificate that does not match the domain, it displays a security warning.
HTTPS and Search Rankings
Search engines treat HTTPS as a ranking signal. Google has confirmed that it gives a small but real ranking advantage to HTTPS sites over HTTP equivalents.
For website owners, this means HTTPS is a search engine optimization consideration in addition to a security one. A site serving its content over HTTP is leaving both user security and search visibility on the table. The barrier to switching is low — free certificates are available and most hosting platforms provide HTTPS with a single setting change.
Key Takeaways
HTTPS encrypts data between your browser and the website, preventing anyone intercepting the traffic from reading it.
The lock icon confirms the connection is encrypted and the site's certificate is valid. It does not confirm the website is trustworthy or legitimate.
Always check the domain name matches the real site before entering sensitive information, regardless of whether the lock is present.
HTTP connections on shared or public networks expose your data to anyone monitoring the network. HTTPS protects against this.
Free SSL/TLS certificates from Let's Encrypt and Cloudflare have made HTTPS accessible for any website owner.
Search engines treat HTTPS as a positive ranking signal.
Conclusion
HTTPS protects the channel between your browser and a website. What it does not do is guarantee the website itself is safe. Both things are true simultaneously, and keeping that distinction clear makes for better security habits online.
The lock icon is a good sign. It means your data is not being read in transit. But confirming the domain name is the second check that makes the first one meaningful.