Back to Blog
Security

HTTP vs HTTPS: Why That Padlock Actually Matters

By Kunal KhatriMar 1, 2026
HTTP vs HTTPS: Why That Padlock Actually Matters

The padlock icon appeared in browsers in the late 1990s to indicate an encrypted connection. For years it was something you checked when entering payment information. Now it's on nearly every site on the web, and paradoxically, users understand it less than ever — because phishing sites have padlocks too.

What HTTPS Actually Does

HTTPS is HTTP layered over TLS — Transport Layer Security. When you connect to an HTTPS site, your browser and the server negotiate a TLS handshake: they agree on a cipher suite, the server presents a certificate proving its identity, and they exchange keys to establish an encrypted channel. From that point, all data between your browser and the server is encrypted and authenticated.

Encrypted means nobody between you and the server — your ISP, the coffee shop Wi-Fi, anyone performing a man-in-the-middle — can read the content of your requests or the server's responses. Authenticated means the certificate system (in theory) guarantees you're talking to the real server and not an impostor. These are two distinct guarantees.

The Padlock Misconception

The padlock means the connection is encrypted. It says nothing about the trustworthiness of the site itself. A phishing site at 'paypa1-secure-login.com' can have a perfectly valid TLS certificate — and therefore a padlock — while being entirely fraudulent. Certificate Authorities issue certificates based on domain control verification, not legitimacy of purpose.

That's the uncomfortable part. Let's Encrypt, which provides free TLS certificates, has made HTTPS ubiquitous and dramatically improved overall web security. It has also made it easy for malicious sites to look identical to legitimate ones from a browser security indicator perspective.

HTTP Still Exists and It's Still a Problem

Google Chrome now marks HTTP sites with a 'Not secure' warning. Despite this, a significant fraction of web traffic still uses unencrypted HTTP — legacy devices, internal networks, some APIs. Unencrypted HTTP traffic is readable by anyone on the network path: your ISP, network administrators, anyone on a shared network.

Certificate Validation Levels

TLS certificates come in three validation levels. DV (Domain Validation) just confirms you control the domain — any automated system can issue these, including Let's Encrypt. OV (Organisation Validation) confirms the organisation exists. EV (Extended Validation) used to show the company name in green in the browser bar — browsers removed that UI element in 2019 because research showed users didn't notice it. All three levels provide equivalent encryption. The difference is only in identity verification.

HSTS: The Enforcement Mechanism

HTTP Strict Transport Security is a response header that tells browsers: 'only ever connect to this domain over HTTPS, for the next X seconds.' Once a browser has seen the HSTS header, it will refuse to make an HTTP connection to that domain — even if you type 'http://' explicitly. This defeats SSL stripping attacks, which rely on downgrading the initial connection before the browser knows the site should be HTTPS.

HSTS preloading goes further. Browsers ship with a hardcoded list of domains that must always use HTTPS — the HSTS preload list. Sites on this list are HTTPS-only before the first visit, eliminating the window where a first-time visitor could be attacked. Submitting to the preload list is a one-way door — getting off it is slow and difficult — so it's only appropriate for sites that are permanently committed to HTTPS.

Check Your IP Security Status

See whether your IP address has any security flags or blacklist entries.

Run Security Check
KK

About Kunal Khatri

Kunal is a network security specialist and systems administrator with 8+ years of experience auditing secure connections and building network infrastructure.

Share this article: