🔒 What Does the Green Padlock Mean? Is This Web Site Safe? 🔒
Last Updated -
For example Chrome will display a warning if it detects the page has any input fields they deem sensitive. For example a login form with a password field.
Edge will not display the padlock if the page has mixed content. This is when the page is served using HTTPS but makes a request for a resource using HTTP.
This happens when you either upgrade a site and have not fully audited your content and upgraded your links and references to scripts, images, stylesheets, etc.
Don't forget to only reference new resources via HTTP or you can loose your site's padlock.
What Is the Padlock
The padlock, typically green, indicates the page is secure. It is a simple visual queue to the end user they can submit sensitive information to your server. This is because the site uses HTTPS, which requires a security certificate, enabling encryption.Certificates are issued once the site owner's identity has be validated.
A green padlock indicates:
- You are definitely connected to the website whose address is shown in the address bar; the connection has not been intercepted.
- The connection between the browser and the website is encrypted to prevent eavesdropping.
What it does not indicate is just how secure the data is on the server. Sites may not store data, like passwords safely.They may also used compromised or poorly maintained servers, making it easy for hackers to attack.
Transport Layer Security (TLS), better known as SSL, is an extra layer to the HTTP protocol. The 'S' in HTTPS stands for secure.
Requests served via HTTPS are 'wrapped' by the secure layer provided by a TLS certificate. It really sites between HTTP and the TCP layer in the OSI diagram, but let's keep this simple today.
So HTTPS is all about the communication channel between the client and the server, not the server itself. Most browsers have become intelligent enough to detect and track sites with malware or used for phishing scams. They provide big red warning pages.
All browsers visually indicate if a site uses HTTPS with some sort of padlock icon on the left side of the address bar.
Employees, friends and family members should be trained to look for that symbol on any site. If they don't see the symbol and there is any data being submitted to the site tell them to stop!
In the past you would look at the URL to see if https was used. But the average person does not know what this means. Most likely they did not type the protocol part of the URL as most are either clicked or just submitted without the protocol.The browser then assumes HTTP and the server will redirect to HTTPS before providing the content.
Currently there is no official standard as to how browsers should indicate the security state of a web page to the end user.Each major browser is almost experimenting with what works best.
Chrome and FireFox are 'testing the waters' to see what works best. For example, starting this summer any site not served via HTTPS will have a
There are different types of 'padlocks' available because there are three different TLS certificates classifications available.
- Domain: most basic, validates domain ownership
- Organization: requires additional documentation to prove identity in addition to domain ownership
- Extended: more rigid proof required, typically legal proof
The level of scrutiny increases with each type. This means the confidence in identity is increased.
In other words, when you visitPayPal you know it is the real PayPal because you see the green padlock, often with the corporate name displayed because they use an extended certificate.
Most sites wont have either an extended or organization certificate because they cost more money and require more work to receive. Domain validated certificates are the most common certificates because they are typically free and take less than a minute to install.
Love2Dev.com uses a domain validated certificate and there is nothing wrong with doing so. The encryption and protection offered is the same as the extended validated certificates. The difference is the 'confidence' in the owner's identity since more scrutiny is required for the extended certificate.
There are many conversations about the different types of certificates and is it worth it to spend the extra money and time to get the extended certificate.
Personally I have mixed feelings. It is easy to get a domain validated certificate, which means bad guys can get them, and do damage before they are invalidated. I don't think the average site should worry about EVs, but financial institutions,medical and some more popular e-commerce providers should.
If you brand is big enough to attract potential 'bad guys' trying to phish customers then you should get the extended certificate.
Once you do the browser will display your corporate name with the padlock. This is an added queue that the page is really your page.
Ultimately to me, your customer, I know I can trust my interaction with your site.
HTTPS Benefits
The primary HTTPS benefits are:
- Proof of Identity
- Confidence data transferred between client and server integrity
- Preventing common attacks like man in the middle
Of course these are the security benefits. I sharedHow HTTPS Works in a previous article.
Who Issues Certificates?
TLS certificates are issued by a certificate authority (CA). There are many authorities offering certificates.Let's Encrypt has become the most popular source because they offer free certificates.
I use Amazon's Certificate Manager because I host my progressive web applications in AWS. The Certificate Manager takes about 30 seconds to generate a certificate after I submit the request. They even validate ownership through the Route53 DNS service.
Once issued I then apply the certificate to the CloudFront origin serving the site.
Originally Network Solutions was the only certificate authority, back in the early 90s. By the end of the 90s there were a handful of competitors. I used to use Thawte because they were based in Raleigh at the time.
Since then Network Solutions has bought many of those CAs, but more have emerged. Most are great, but others not so much.
Symantec recently had issues with many of the certificates. This has caused problems for many enterprises that use firewalls and routers using Symantec issued certificates.
But that is more of a technical issue, relegated to the responsibilities of your DevOps team.
Certificate authorities must pass a rigorous validation process before they can become an official CA. They must have their certificates trusted at a root level.
When they issue a certificate their credentials, referencing their CA certificate, are included.
The whole certificate process relies on their identity being trusted. If they issue a 'bad' certificate it affects their reputation and possibly the integrity of all the certificates they issue.
It is similar to having a friend vouch for you to enter some exclusive event.
Final Thoughts
The padlock is important to every web site. It not only means the content you serve is secure it means it came from your server and you are who you say you are.
TLS certificates are free and easily obtainable by any site owner. You should be able to install them easily in today's cloud first world. If you can't figure out how to install a certificate with your host and do not use a CDN you are in luck.
Create an account with either AWS or Azure. Provision a CDN service (CloudFront in AWS) and set the origin to your host's URL to your site, not your actual domain. You can then change your DNS to point to the CDN and use their free TLS certificate services to make your site secure. You will also benefit by distributing your content around the globe with a CDN.
![How To Fix 'This Page Is Trying To Load Scripts From Unauthenticated Sources' Chrome Error [Solutions]](https://love2dev.com/img/error-message-laptop-1920x1297.jpg)
