Do you see that little padlock just before the start of the website address in your browser?

It means you’re secure and you can trust the website, right?

Well, not exactly.


What does the padlock do?

The padlock icon means that the website you are visiting is using the HTTPS protocol, with a certificate issued by a CA (certificate authority). HTTPS is the protocol used to make sure that all information sent to and from the website is encrypted.

That’s great news when doing online banking or any other task that requires safe transmission of your data (passwords, etc.).

The bad guys have joined the party

Circa 2000 and we were all getting used to the internet for many different tasks; banking, shopping and viewing cat videos on YouTube. We were being told at that time that we should only trust websites with the padlock icon as that would make everything we did much more secure.

Now we know that although it definitely helps, unfortunately, the padlock icon has no bearing on whether the website you are visiting is malicious.

According to the Anti-Phishing Working Group, the number of phishing websites that are using the HTTPS protocol has risen dramatically from 35% in the second quarter of 2018 to a whopping 82% by the second quarter of 2021.

How do we know if we’re secure?

Ronald Reagan once used the phrase “trust but verify” and for this, it’s brilliant advice.

The best advice I can give you now would be to not only make sure that the padlock still appears if you are entering details into a website but also verify where the link to that website has come from.

We can often stop these kinds of phishing attacks by simply checking that the URL looks correct ( not as a lot of malicious sites will try to mimic a legitimate one. Or secondly, if you have been sent a link from someone that you know and it feels a bit “phishy” (pun intended), ask them if they meant to send you that link as they may have been phished themselves.
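The URL check described above can also be written down as code. This is an added example, not part of the original post; the function name `assess_link`, the warning labels and the `bank.example` / `.test` hostnames are made up for illustration.

```python
from urllib.parse import urlsplit


def assess_link(url: str, expected_domain: str) -> list[str]:
    """Return warnings for `url`; an empty list means no check fired."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    expected = expected_domain.lower()
    warnings = []

    if parts.scheme != "https":
        warnings.append("no-https")            # no padlock at all
    if parts.username is not None:
        warnings.append("userinfo-in-url")     # text before '@' is not the host
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")       # may display as look-alike letters
    # The genuine site is the expected domain itself or a subdomain of it.
    if host != expected and not host.endswith("." + expected):
        warnings.append("host-mismatch")
        if expected in host:
            # The trusted name is present, but not where the real domain sits.
            warnings.append("expected-name-embedded")
    return warnings


# Constructed sample links (not real sites). Every https:// entry would
# show the padlock in a browser, including the ones that get flagged.
SAMPLES = [
    "https://www.bank.example/login",
    "https://bank.example.secure-login.test/login",
    "https://bank.example@evil.test/login",
    "https://xn--bnk-6na.example/login",
    "http://bank.example/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        result = assess_link(link, "bank.example")
        print(f"{link:50} {', '.join(result) or 'ok'}")
```

An empty result only means the address matches the domain you expected; it says nothing about whether the link was sent to you intentionally.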



Greg Charman

Penetration Testing Consultant