Skip to content

If a site shows the padlock / HTTPS, is it safe?

Short answer

No. The padlock means the transport is encrypted and the certificate is valid for that domain — it says nothing about whether the operator is honest or the content is malicious. Free, automated certificates mean phishing and malware sites almost always have a perfectly valid padlock too. HTTPS protects the channel, not the destination.

This is a user-awareness trap that catches even technical people, because "look for the padlock" was security advice for a decade. The interviewer wants to see if you understand what that padlock actually certifies.

What the padlock really means

The padlock indicates two things and only two things: the connection is encrypted with TLS, and the browser successfully validated a certificate that matches the domain you are visiting. That is it. It is a statement about the channel, not the character of the site. An encrypted connection to a criminal is still an encrypted connection.

Why "valid cert" is no longer a trust signal

Domain-validated certificates are free and automated (e.g. via ACME/Let's Encrypt). An attacker registers a lookalike domain, gets a cert in seconds, and stands up a phishing page with a flawless padlock. Studies have shown a large share of phishing sites now use HTTPS — partly because the padlock reassures victims. The distractor claiming certs require a "security review" describes a process that does not exist for DV.

What actually signals trust

The domain name itself (read it carefully for typosquats), the reputation of the operator, and out-of-band verification. Browsers even removed the old "green EV bar" because users could not reliably interpret it.

What interviewers look for

A firm "no," the channel-versus-destination distinction, and the killer example: phishing sites have valid certificates too. Candidates who equate padlock with safety reveal a dated mental model.

Likely follow-ups

  • What exactly does a domain-validated (DV) certificate prove, and what does it not prove?
  • Why did browsers stop showing 'EV green bars' for extra-validated certs?
  • How do you actually judge whether a site is trustworthy?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.