If a site shows the padlock / HTTPS, is it safe?
Short answer
No. The padlock means the transport is encrypted and the certificate is valid for that domain — it says nothing about whether the operator is honest or the content is malicious. Free, automated certificates mean phishing and malware sites almost always have a perfectly valid padlock too. HTTPS protects the channel, not the destination.
This is a user-awareness trap that catches even technical people, because "look for the padlock" was security advice for a decade. The interviewer wants to see if you understand what that padlock actually certifies.
What the padlock really means
The padlock indicates two things and only two things: the connection is encrypted with TLS, and the browser successfully validated a certificate that matches the domain you are visiting. That is it. It is a statement about the channel, not the character of the site. An encrypted connection to a criminal is still an encrypted connection.
Why "valid cert" is no longer a trust signal
Domain-validated certificates are free and automated (e.g. via ACME/Let's Encrypt). An attacker registers a lookalike domain, gets a cert in seconds, and stands up a phishing page with a flawless padlock. Studies have shown a large share of phishing sites now use HTTPS — partly because the padlock reassures victims. The distractor claiming certs require a "security review" describes a process that does not exist for DV.
What actually signals trust
The domain name itself (read it carefully for typosquats), the reputation of the operator, and out-of-band verification. Browsers even removed the old "green EV bar" because users could not reliably interpret it.
What interviewers look for
A firm "no," the channel-versus-destination distinction, and the killer example: phishing sites have valid certificates too. Candidates who equate padlock with safety reveal a dated mental model.
Likely follow-ups
- What exactly does a domain-validated (DV) certificate prove, and what does it not prove?
- Why did browsers stop showing 'EV green bars' for extra-validated certs?
- How do you actually judge whether a site is trustworthy?