S3-3 Tech Guides & Tools
Privacy & Security · Jan 2026

Understanding SSL, TLS, and HTTPS: What the Padlock Actually Means

Most people have been told that a padlock in the browser's address bar means a site is "safe" or "secure." That's partially true and significantly incomplete. The padlock tells you something specific about how your connection to the site is encrypted — but says almost nothing about whether the site itself is trustworthy. Understanding the actual distinction helps you make better decisions about which sites to trust with sensitive information.

What SSL and TLS Actually Are

SSL (Secure Sockets Layer) was the original protocol for encrypting web traffic, developed in the 1990s. Both surviving versions have known protocol-level weaknesses and are formally prohibited (SSL 2.0 by RFC 6176, SSL 3.0 by RFC 7568); no modern browser will negotiate either. The term "SSL" is still used colloquially, but what's actually in use today is TLS (Transport Layer Security), currently at version 1.3 (RFC 8446, released 2018).

TLS is a cryptographic protocol that establishes a protected channel between your browser and the web server. It provides three things:

  1. Authentication: It verifies that you're actually connecting to a server that holds the private key for a certificate issued for the domain you typed, not to an attacker who intercepted your traffic.
  2. Encryption: It encrypts all data transmitted between your browser and the server, so anyone who intercepts the traffic sees only ciphertext.
  3. Integrity: Every record carries an authentication tag, so if an intercepted message is altered in transit the change is detected and the connection fails rather than silently delivering tampered data.

HTTPS (HTTP Secure) is simply HTTP transported over a TLS connection. When a URL starts with "https://" and the browser shows a padlock, it means TLS is in use for that connection. (Since 2023 Chrome has shown a neutral site-settings icon in place of the padlock and instead labels plain HTTP pages "Not secure"; the meaning is unchanged, so this guide keeps saying "padlock".)

How TLS Authentication Works (Certificates)

When your browser connects to a site over HTTPS, the server presents a TLS certificate. This certificate contains:

  • The domain name(s) the certificate is valid for (the Subject Alternative Name entries)
  • The certificate's validity period (90 days for automated issuers such as Let's Encrypt; publicly trusted certificates are currently capped at 398 days, about 13 months, and that cap is scheduled to shrink in steps from 2026 onward)
  • The server's public key. During the handshake the server proves it holds the matching private key; in TLS 1.3 (and TLS 1.2 with ECDHE cipher suites) the session keys come from a separate ephemeral key exchange, so this key authenticates the connection rather than encrypting it directly
  • A digital signature from a Certificate Authority (CA), usually an intermediate CA whose own certificate the server sends along and which chains up to a root in your trust store

Your browser checks the certificate against the list of trusted root Certificate Authorities (CAs) built into your OS or browser. If the signature chain leads to one of those roots, the current time falls inside the validity period, and one of the certificate's names matches the host in the address bar (modern browsers look only at the Subject Alternative Name entries and ignore the older Common Name field), the browser completes the handshake and shows the padlock.

If any of these checks fail — the certificate is expired, the domain doesn't match, or it's signed by an untrusted CA — the browser shows a warning page instead of loading the site. This is the "Your connection is not private" warning in Chrome, or the equivalent in other browsers.
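What those checks amount to in code, as an added example that is not part of this guide: the name-matching and validity rules a browser applies, written against the certificate dictionary that Python's standard-library `ssl.SSLSocket.getpeercert()` returns. The CA-signature check is the one piece not reimplemented here, because OpenSSL performs it inside the handshake before `getpeercert()` ever returns; `fetch_peer_cert()` shows the live call with that verification switched on, while `SAMPLE_CERT` is constructed for the offline run and is not any real site's certificate.

```python
import socket
import ssl
from datetime import datetime, timezone


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live helper: verified handshake, then return the peer certificate as a dict.
    create_default_context() loads the OS CA store, checks the signature chain and
    the hostname, and raises ssl.SSLCertVerificationError on any failure, which is
    the programmatic equivalent of the browser's warning page."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison of one subjectAltName DNS entry against a hostname:
    case-insensitive; a wildcard is accepted only as the entire leftmost label and
    stands for exactly one label, so '*.example.com' matches 'www.example.com' but
    not 'example.com' or 'a.b.example.com'. Wildcards directly under a TLD are refused."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_certificate(cert, hostname, now=None):
    """Return the reasons a browser would refuse `cert` for `hostname` (an empty list
    means the validity-window and name checks pass). `now` may be a datetime or an
    ISO date string; signature-chain validation is assumed done by the TLS library."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    problems = []
    if now < not_before:
        problems.append("not yet valid")
    if now > not_after:
        problems.append("expired")
    # Modern browsers match only subjectAltName DNS entries; the subject CN is ignored.
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        problems.append("no subjectAltName DNS entries")
    elif not any(dns_name_matches(name, hostname) for name in names):
        problems.append("name mismatch: certificate is for " + ", ".join(names))
    return problems


# Constructed sample in getpeercert() shape; not a real site's certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example Trust Services"),), (("commonName", "Example CA R1"),)),
    "notBefore": "Jan  1 00:00:00 2026 GMT",
    "notAfter": "Apr  1 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    for host in ("example.com", "www.example.com", "a.b.example.com", "paypal-secure.com"):
        print(host, check_certificate(SAMPLE_CERT, host, now="2026-02-01") or "OK")
    print("after expiry:", check_certificate(SAMPLE_CERT, "example.com", now="2026-05-01"))
```

The wildcard rule is the part people get wrong most often: a certificate for `*.example.com` does not cover the bare apex, which is why sites usually list both names, and a wildcard never spans more than one label.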

What the Padlock Does NOT Tell You

This is where most people's understanding breaks down. The padlock confirms that:

  • Your connection to the server is encrypted and tamper-evident
  • Whoever runs that server could prove control of the domain you typed when the certificate was issued

It does NOT confirm that:

  • The site is legitimate, honest, or reputable
  • The site won't steal your data
  • The site isn't a phishing page
  • The company behind the site is real

Getting a TLS certificate requires only that you prove you control a domain name. That proof can be automated and takes about 30 seconds with a tool like Certbot and Let's Encrypt (which issues free certificates). A phishing site can have a valid padlock — it just proves you're securely connected to the phishing site, not that the site is safe.

The practical implication: Check for the padlock first (no padlock = don't enter credentials). Then read the domain name in the address bar carefully. What identifies the owner is the registrable domain, the label just before the public suffix such as .com or .net; everything to its left is under that owner's control, so "paypal.com.account-verify.net" belongs to account-verify.net, not to PayPal. Phishing sites use domains like "paypal-secure.com" or "amazon.account-verify.net": the padlock is present but the domain is wrong. The domain check is more important than the padlock.
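A concrete form of "read the domain, not just the padlock", as an added example that is not part of this guide: the correct way to decide whether a host belongs to a brand's domain is to compare whole labels from the right, never to look for the brand name as a substring. The URLs below are constructed lookalikes, not real phishing sites, and `paypal.com` is used only as the brand domain the guide itself mentions.

```python
from urllib.parse import urlsplit


def belongs_to(url, registrable_domain):
    """True only when the URL's host is `registrable_domain` itself or a subdomain of it.
    The comparison is on whole labels from the right, so 'paypal-secure.com',
    'paypal.com.account-verify.net' and 'paypal.com@evil.example' are all rejected
    even though each contains the string 'paypal'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    expected = registrable_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def looks_like(url, brand):
    """The check people do by eye: 'the address has the brand name in it somewhere'.
    Included for contrast; it is exactly the test lookalike domains are built to pass."""
    return brand.lower() in url.lower()


def assess_login_url(url, brand_domain):
    """The two checks the guide recommends, in order: is the connection HTTPS at all,
    and is the host really under the brand's registrable domain."""
    parts = urlsplit(url)
    return {
        "https": parts.scheme == "https",
        "right_domain": belongs_to(url, brand_domain),
        "host": parts.hostname or "",
    }


# Constructed lookalike URLs; every HTTPS one could carry a perfectly valid padlock.
CANDIDATES = [
    "https://www.paypal.com/signin",
    "http://www.paypal.com/signin",
    "https://paypal-secure.com/login",
    "https://www.paypal.com.account-verify.net/login",
    "https://paypal.com@evil.example/login",   # 'paypal.com' is the userinfo part, host is evil.example
    "https://p\u0430ypal.com/signin",          # Cyrillic 'а'; browsers display mixed-script names as xn--... punycode
]

if __name__ == "__main__":
    for url in CANDIDATES:
        verdict = assess_login_url(url, "paypal.com")
        print(f"{url:50} {verdict}  eyeball says brand: {looks_like(url, 'paypal')}")
```

Note the userinfo trick: `urlsplit` correctly reports `evil.example` as the host of `https://paypal.com@evil.example/`, and so does the browser's address bar, but a quick glance at the link text does not. The homograph case is the reason browsers fall back to showing punycode for mixed-script hostnames.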

Types of TLS Certificates

Not all certificates are equal. Three validation levels exist:

  • Domain Validated (DV): The CA verified only that the certificate applicant controls the domain. No information about the organization is verified. Issued automatically in minutes. This is what Let's Encrypt issues, and what most websites use. The padlock in the browser looks identical to EV certificates.
  • Organization Validated (OV): The CA verified the domain and also confirmed the organization applying is a legitimately registered company. More effort to obtain, but the padlock looks the same to users.
  • Extended Validation (EV): The strictest level — the CA verifies the organization thoroughly including legal existence, physical address, and operational existence. Historically, EV certificates triggered a green address bar with the company name displayed. Most browsers removed this visual distinction in 2019, concluding it didn't meaningfully help users make security decisions.

In current browsers, all three certificate types show the same padlock. The distinction is still meaningful for website operators as a compliance and trust signal, but visual inspection no longer reveals which type a site is using. You can click the padlock (or site-settings) icon and open the certificate viewer: a DV certificate's Subject contains only the domain name, an OV certificate adds the organization's name and location, and an EV certificate additionally records the jurisdiction and registration number of the legal entity.

Why HTTPS Matters Even for Sites Without Logins

A common misconception: "I'm not entering a password, so it doesn't matter if the site uses HTTP." HTTPS protects more than credentials:

  • Content integrity: On an HTTP connection, an attacker between you and the server (a network middleperson, common on public Wi-Fi) can modify the page you receive, injecting ads, malware, or changed content, and nothing in the browser can tell. HTTPS prevents this: an altered record fails TLS's integrity check and the connection is dropped.
  • Privacy from ISPs and networks: HTTP traffic reveals exactly which page you're viewing. HTTPS conceals the path and query string: your ISP can see you connected to example.com but not which specific article you read. The hostname itself still leaks through your DNS lookup and the TLS Server Name Indication (SNI) field unless encrypted DNS and Encrypted Client Hello are in use.
  • Referrer privacy: When you follow a link from an HTTPS page to an HTTP one, the default referrer policy (strict-origin-when-cross-origin, the default in all major browsers since 2020 to 2021) sends no Referer header at all, and for cross-site HTTPS-to-HTTPS links it sends only the origin (https://example.com/), so the destination cannot learn which page on the referring site you came from. (The header really is spelled "Referer"; the misspelling is baked into the HTTP standard.)
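The rules behind that third bullet, as an added example not taken from this guide: the referrer-policy algorithm from the Fetch standard, reduced to the cases that matter for the HTTPS-to-HTTP question, with the current browser default and the older `no-referrer-when-downgrade` default side by side. The "downgrade" test here is a plain scheme comparison; real browsers also treat `localhost` and similar "potentially trustworthy" origins as non-downgrades, which this simplification ignores. `ARTICLE` is a constructed URL.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _host_port(parts):
    """Host plus port, with the scheme's default port omitted the way browsers do."""
    host = parts.hostname or ""
    if parts.port is not None and parts.port != DEFAULT_PORTS.get(parts.scheme):
        host += f":{parts.port}"
    return host


def origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{_host_port(parts)}"


def strip_for_referrer(url):
    """Fetch's 'strip url for use as a referrer': drop credentials and fragment,
    keep scheme, host, path and query."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, _host_port(parts), parts.path or "/", parts.query, ""))


def referer_header(source, destination, policy="strict-origin-when-cross-origin"):
    """Value of the Referer header a browser sends when navigating from `source` to
    `destination` under `policy`, or None when the header is omitted. The default
    argument is the policy current browsers apply when the page sets none."""
    src, dst = urlsplit(source), urlsplit(destination)
    downgrade = src.scheme == "https" and dst.scheme != "https"  # TLS to plaintext (scheme-only simplification)
    same_origin = origin(source) == origin(destination)
    full = strip_for_referrer(source)
    origin_only = origin(source) + "/"  # browsers serialise a bare origin with a trailing slash
    rules = {
        "no-referrer": lambda: None,
        "unsafe-url": lambda: full,
        "no-referrer-when-downgrade": lambda: None if downgrade else full,
        "origin": lambda: origin_only,
        "strict-origin": lambda: None if downgrade else origin_only,
        "same-origin": lambda: full if same_origin else None,
        "origin-when-cross-origin": lambda: full if same_origin else origin_only,
        "strict-origin-when-cross-origin": lambda: full if same_origin else (None if downgrade else origin_only),
    }
    if policy not in rules:
        raise ValueError(f"unknown referrer policy: {policy}")
    return rules[policy]()


# Constructed example: a reader follows links out of one specific HTTPS article.
ARTICLE = "https://example.com/articles/2026/secret-report?id=7"

if __name__ == "__main__":
    for dest in ("http://other.example/", "https://other.example/", "https://example.com/next"):
        for pol in ("strict-origin-when-cross-origin", "no-referrer-when-downgrade"):
            print(f"{pol:32} -> {dest:26} Referer: {referer_header(ARTICLE, dest, pol)}")
```

The contrast worth noticing: under the old default a cross-site HTTPS-to-HTTPS link still carried the full article URL, so "HTTPS protects the path" only held against plaintext destinations; the current default sends just the origin to any other site. A page can tighten this further with a `Referrer-Policy` header or meta tag.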

TLS Version and Cipher Suites

TLS has had multiple versions. TLS 1.0 and 1.1 were disabled by default in all major browsers during 2020 and formally deprecated by RFC 8996 in 2021. Sites should be using TLS 1.2 (widely supported) or TLS 1.3 (preferred: faster handshake, forward-secret key exchange only, and the weak cipher suites removed outright). You can check which TLS versions a site offers with tools like SSL Labs' Server Test (ssllabs.com/ssltest), which grades a site's TLS configuration and flags outdated versions or weak cipher suites.

For most users, this is background information: your browser handles TLS negotiation automatically and won't connect using deprecated versions. For website operators, running an SSL Labs test on your site and addressing whatever drags the grade below an A (old protocol versions, weak or non-forward-secret cipher suites, an incomplete certificate chain) is worth doing periodically, and again after any server or load-balancer change.
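A minimal version of what a scanner does for the protocol-support part of its report, as an added example (not this guide's code and not SSL Labs' own tooling): Python's ssl module forced to a single TLS version per handshake, plus the findings such a scan would raise. It assumes the local OpenSSL build can still be coaxed into TLS 1.0/1.1 at security level 0; where it cannot, those probes report "not supported" because the client refused, not the server. `assess()` is what the offline check exercises; `probe_host()` needs network access and a hostname to point at.

```python
import socket
import ssl

# Versions a scanner tries one at a time, oldest first.
PROBE_VERSIONS = (
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
)


def supports_version(host, version, port=443, timeout=5.0):
    """Attempt a handshake that allows only `version`. Returns (negotiated, detail):
    detail is 'version cipher' on success or the error text on failure. A failure means
    the two sides could not agree; on a modern OpenSSL build it may also mean the
    probing client itself would not speak 1.0/1.1 (assumption: SECLEVEL=0 re-enables them)."""
    try:
        ctx = ssl.create_default_context()
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # The default security level forbids TLS 1.0/1.1; lower it for the probe only.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{tls.version()} {tls.cipher()[0]}"
    except (ssl.SSLError, OSError, ValueError) as exc:
        return False, str(exc)


def probe_host(host, port=443):
    """Live scan: {'TLSv1': bool, 'TLSv1_1': bool, 'TLSv1_2': bool, 'TLSv1_3': bool}."""
    return {v.name: supports_version(host, v, port)[0] for v in PROBE_VERSIONS}


def assess(support):
    """Turn a probe result (the dict shape probe_host returns) into the protocol
    findings a scanner report would raise; an empty list means nothing to fix."""
    findings = []
    for name, label in (("TLSv1", "TLS 1.0"), ("TLSv1_1", "TLS 1.1")):
        if support.get(name):
            findings.append(f"{label} enabled: deprecated by RFC 8996, disable it")
    if not (support.get("TLSv1_2") or support.get("TLSv1_3")):
        findings.append("neither TLS 1.2 nor 1.3 offered: current browsers will refuse to connect")
    elif not support.get("TLSv1_3"):
        findings.append("TLS 1.3 not offered: enable it for the faster, stronger handshake")
    return findings


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    result = probe_host(host)
    print(host, result)
    for finding in assess(result) or ["no protocol-version findings"]:
        print(" -", finding)
```

Pinning `minimum_version` and `maximum_version` to the same value is the whole trick: the client offers exactly one version, so a completed handshake proves the server still accepts it. Cipher-suite auditing works the same way with `set_ciphers()` restricted to one suite at a time.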

The Short Version

Check for HTTPS/padlock as a baseline — never enter a password or payment information on a site without it. But don't stop there: read the actual domain name in the address bar carefully. The domain is the real identity of who you're connected to. The padlock confirms the connection is encrypted to that domain — not that the domain is trustworthy.