HTTP vs HTTPS: Why That Padlock Actually Matters
The padlock icon appeared in browsers in the late 1990s to indicate an encrypted connection. For years it was something you checked when entering payment information. Now it's on nearly every site on the web, and paradoxically, users understand it less than ever — because phishing sites have padlocks too.
What HTTPS Actually Does
HTTPS is HTTP layered over TLS — Transport Layer Security. When you connect to an HTTPS site, your browser and the server negotiate a TLS handshake: they agree on a cipher suite, the server presents a certificate proving its identity, and they exchange keys to establish an encrypted channel. From that point, all data between your browser and the server is encrypted and authenticated.
Encrypted means nobody between you and the server — your ISP, the coffee shop Wi-Fi, anyone performing a man-in-the-middle — can read the content of your requests or the server's responses. Authenticated means the certificate system (in theory) guarantees you're talking to the real server and not an impostor. These are two distinct guarantees.
The Padlock Misconception
The padlock means the connection is encrypted. It says nothing about the trustworthiness of the site itself. A phishing site at 'paypa1-secure-login.com' can have a perfectly valid TLS certificate — and therefore a padlock — while being entirely fraudulent. Certificate Authorities issue certificates based on domain control verification, not legitimacy of purpose.
That's the uncomfortable part. Let's Encrypt, which provides free TLS certificates, has made HTTPS ubiquitous and dramatically improved overall web security. It has also made it easy for malicious sites to look identical to legitimate ones from a browser security indicator perspective.
HTTP Still Exists and It's Still a Problem
Google Chrome now marks HTTP sites with a 'Not secure' warning. Despite this, a significant fraction of web traffic still uses unencrypted HTTP — legacy devices, internal networks, some APIs. Unencrypted HTTP traffic is readable by anyone on the network path: your ISP, network administrators, anyone on a shared network.
Certificate Validation Levels
TLS certificates come in three validation levels. DV (Domain Validation) just confirms you control the domain — any automated system can issue these, including Let's Encrypt. OV (Organisation Validation) confirms the organisation exists. EV (Extended Validation) used to show the company name in green in the browser bar — browsers removed that UI element in 2019 because research showed users didn't notice it. All three levels provide equivalent encryption. The difference is only in identity verification.
HSTS: The Enforcement Mechanism
HTTP Strict Transport Security is a response header that tells browsers: 'only ever connect to this domain over HTTPS, for the next X seconds.' Once a browser has seen the HSTS header, it will refuse to make an HTTP connection to that domain — even if you type 'http://' explicitly. This defeats SSL stripping attacks, which rely on downgrading the initial connection before the browser knows the site should be HTTPS.
HSTS preloading goes further. Browsers ship with a hardcoded list of domains that must always use HTTPS — the HSTS preload list. Sites on this list are HTTPS-only before the first visit, eliminating the window where a first-time visitor could be attacked. Submitting to the preload list is a one-way door — getting off it is slow and difficult — so it's only appropriate for sites that are permanently committed to HTTPS.
Check Your IP Security Status
See whether your IP address has any security flags or blacklist entries.
Run Security CheckAbout Kunal Khatri
Kunal is a network security specialist and systems administrator with 8+ years of experience auditing secure connections and building network infrastructure.
Related Articles
TLS 1.3: What Changed and Why You Should Care
TLS 1.3 dropped a decade of accumulated cruft from its predecessor and came out faster, more secure, and harder to attack. Understanding what changed matters for anyone running web infrastructure.
Zero-Day Vulnerabilities: What They Are and Why They're Dangerous
A zero-day is a vulnerability that nobody knows about yet — except the people exploiting it. The timeline from discovery to patch is where real damage happens.
SSL Certificates Explained Without the Jargon
SSL certificates enable HTTPS and underpin trust on the web. The certificate system is more complex — and more fragile — than the padlock icon suggests.
What Is a Botnet and How Your Device Could Be Part of One
Botnets are networks of compromised devices under attacker control. They power spam campaigns, DDoS attacks, and fraud — and your home device might be in one right now.
