Naked Security

Advent tip #6: A padlock *inside* a web page? Ignore it!

HTTPS puts the padlock in your browser - but please look in the right place, and don't be fooled by security imagery inside the web page itself.

By now, you probably know the difference between HTTP and HTTPS.

Many web addresses start with http://, which is short for HyperText Transfer Protocol, the “language” that browsers and web servers use when they talk to each other.

These days, however, an increasing number of websites start with https://, which means HTTP with added Security.

HTTPS isn’t perfect – crooks can register to use it, after all, albeit with more difficulty than most legitimate sites – but it helps a lot.

When you make an HTTPS connection, a padlock appears in your browser’s address bar, and you can click on the padlock to find out more about who’s at the other end.

That’s using cryptography to help with authenticity.

Additionally, when you use HTTPS, the data you send back and forth is encrypted, so that other people round about – in the same coffee shop as you, for example – can’t eavesdrop on your network connection and see what you’re saying to your bank.

That’s confidentiality.

Better yet, they can’t intercept and change what you and your bank are discussing.

That’s known in data security language as integrity.

If a site where you would expect security doesn’t use HTTPS, stop at once – you’re probably on a fake site that’s phishing for your password!

But be careful: ALWAYS look for the HTTPS padlock and associated security information in your browser’s address bar.

NEVER rely on anything that’s inside a web page to convince you that the page is secure, because the content of the page is controlled by the web server at the other end.

A picture of a padlock inside a web page is just that: a picture of a padlock.
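To make the distinction concrete, here is an added example (not part of the original article) that separates the transport a page was fetched over from the "trust marks" the page displays about itself. The keyword list, the `bank.example` addresses and the sample markup are constructed assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed keyword list for in-page "trust marks"; a rough heuristic only.
TRUST_WORDS = ("padlock", "secure", "ssl", "verified")

class TrustMarkFinder(HTMLParser):
    """Collects images and visible text that merely *claim* security."""
    def __init__(self):
        super().__init__()
        self.marks = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            a = dict(attrs)
            label = f"{a.get('src') or ''} {a.get('alt') or ''}".lower().strip()
            if any(w in label for w in TRUST_WORDS):
                self.marks.append(("image", label))

    def handle_data(self, data):
        text = data.strip().lower()
        if text and any(w in text for w in TRUST_WORDS):
            self.marks.append(("text", text))

def assess(url, html):
    """Return (fetched_over_https, in_page_trust_marks, note)."""
    finder = TrustMarkFinder()
    finder.feed(html)
    finder.close()
    https = urlsplit(url).scheme.lower() == "https"
    if finder.marks and not https:
        note = "page claims security but was fetched without HTTPS"
    elif finder.marks:
        note = "in-page marks prove nothing; check the certificate in the address bar"
    else:
        note = "no in-page trust marks"
    return https, finder.marks, note

# Constructed sample: identical markup served from two made-up addresses.
PAGE = '<p>Secured by 256-bit SSL</p><img src="/img/padlock.png" alt="Safe login">'
SAMPLES = ["http://bank.example/login", "https://bank.example/login"]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, assess(url, PAGE))
```

The list of marks is the same for both addresses, because the server chooses the page content; only the first element of the result, which comes from the connection, differs.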

Images of Christmas tree and Advent calendar courtesy of Shutterstock.

4 Comments

Just learnt something new! I always check whether the padlock is in place, but never knew about clicking into it.

I’m really enjoying this series of timely reminders and the opportunity to learn something new from time to time.

Thank you Paul and Anna for all your work. I hope you both have an excellent week ahead, sincerely Rosie

Reply

Sure, but trust elements from purely a marketing and conversion rate perspective, a padlock, secured by, SSL badge etc., all improve trust and thus sales.

Reply

That’s the idea of the tip – look for the science, not for the marketing :-)

I’ve nothing against sites that do include padlocks and other security-related words and images. But the crooks can, and do, copy legitimate pages in their entirety, including all the “trust marks.” So don’t be distracted by baubles!

Here’s a good example:

https://nakedsecurity.sophos.com/2013/04/19/anatomy-of-a-phish-how-to-spot-a-man-in-the-middle/

Reply
