In the early 2010s, cybersecurity trainers told people to “look for the padlock” when browsing. That advice is now actively harmful. The padlock means exactly one thing: the connection between your browser and the server is encrypted, and the server has proved to your browser that it controls the domain name shown in the address bar. It does not mean the server is run by honest people, that your data is handled responsibly, or that the site is not a phishing page. In 2025, most phishing sites use HTTPS, often with perfectly valid certificates.
Why phishing sites have valid certificates
Let’s Encrypt is a free, automated certificate authority that issues TLS certificates to any domain whose operator can prove control of that domain (by answering a challenge over HTTP or in DNS). That “any domain” is the point: domain validation checks control of a name and nothing else. If a scammer registers paypa1-secure-login.top, they can get a valid Let’s Encrypt certificate for it in under a minute. Their phishing site now has a working padlock.
The certificate proves the scammer controls paypa1-secure-login.top. It does not prove anything about PayPal, about the scammer’s intent, or about what happens when you enter your credentials.
The padlock’s original purpose
HTTPS encrypts the network link so an attacker sitting between you and the server can’t read or tamper with the traffic. This is a real, valuable property: when you’re on public wifi, HTTPS prevents the person at the next table from reading your passwords.
It does not prevent the server on the other end from being a scammer’s credential-harvesting page. Once your data reaches the server, encryption stops protecting you — the server has the cleartext.
What actually matters
Ignore the padlock. Focus on these instead:
The domain name
Is the domain actually what it claims to be? Is it paypal.com or paypa1-secure.top? Read the registrable domain, the part immediately before the top-level domain: paypal.com.secure-verify.example belongs to secure-verify.example, not to PayPal, no matter how many PayPal-looking labels come before it. Run suspect URLs through our Phishing Link Checker.
How you got to the site
Did you type the URL yourself (safe) or click a link in an email, text, or DM (risky)? Almost all credential harvesting starts from a link the victim clicked, not from a URL they typed.
Domain age
Was the domain registered last week? Use our Domain Age Lookup. Brand-new domains are a strong phishing signal — legitimate brands have domains that are years or decades old.
The certificate itself
Our SSL Certificate Checker pulls the actual cert and shows its issuer, subject, and validity period. Treat this as corroborating evidence, not a verdict. Let’s Encrypt is fine for legitimate sites too, and short-lived certificates are becoming the norm everywhere: browsers have capped certificate lifetimes at 398 days since 2020 and are pushing them shorter, so a 90-day certificate on a bank’s site is no longer unusual by itself. What you can check is whether the certificate’s subject names the organisation you expect (an OV or EV certificate carries a verified company name; a domain-validated certificate carries none) and whether the domain it was issued for is the real brand domain. A certificate for paypa1-secure-login.top is valid and tells you nothing about PayPal.
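The three checks above (registrable domain, look-alike detection, domain age, with the certificate facts as annotation only) combined into one offline triage script. This is an added example, not our checker tools or their code. The inputs that would normally come from a WHOIS/RDAP lookup and from the TLS handshake are passed in as constructed values so it runs without network access; the brand allow-list and the two-level suffix table are deliberately tiny and stand in for a real public-suffix list.

```python
"""Offline URL triage: registrable domain, look-alike folding, domain age.

Added example. Network-sourced facts (registration date, certificate issuer
and lifetime) are supplied by the caller; nothing here talks to the internet.
"""
from datetime import date
from urllib.parse import urlsplit

# Assumption: a small allow-list of each brand's real registrable domains.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com", "live.com"},
}

# Simplification: a real tool uses the full public-suffix list.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Substitutions phishing domains use to imitate a brand name.
MULTI_CHAR = [("rn", "m"), ("vv", "w")]
SINGLE_CHAR = str.maketrans({
    "1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "8": "b",
    # Cyrillic homoglyphs of Latin a, e, o, p, c
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def host_from_url(url: str) -> str:
    """Lower-cased host with punycode labels decoded so homoglyphs are visible."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    labels = [
        lab.encode("ascii").decode("idna") if lab.startswith("xn--") else lab
        for lab in host.split(".")
    ]
    return ".".join(labels)


def registrable_domain(host: str) -> str:
    """The part a registrant actually owns: last two labels, or three for co.uk-style suffixes."""
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def fold_confusables(text: str) -> str:
    for pair, plain in MULTI_CHAR:
        text = text.replace(pair, plain)
    return text.translate(SINGLE_CHAR)


def domain_signals(host: str) -> tuple[bool, list[str]]:
    """Return (is a known brand domain, reasons to distrust this host)."""
    reg = registrable_domain(host)
    if any(reg in real for real in BRAND_DOMAINS.values()):
        return True, []
    reasons = []
    if not host.isascii():
        reasons.append("host contains non-ASCII characters (possible homoglyph)")
    folded = fold_confusables(host)
    for brand in BRAND_DOMAINS:
        if brand in host:
            # Brand word present, but the registrable domain is someone else's.
            reasons.append(f"'{brand}' appears in host but registrable domain is {reg}")
        elif brand in folded:
            reasons.append(f"host imitates '{brand}' after confusable folding ({folded})")
    return False, reasons


def age_signal(created: date, today: date, young_days: int = 90) -> tuple[int, list[str]]:
    age = (today - created).days
    return age, ([f"domain registered {age} days ago"] if age < young_days else [])


def cert_note(issuer_org: str, lifetime_days: int) -> str:
    """Certificate facts are context, not a verdict: short-lived DV certs are normal."""
    return f"certificate issued by {issuer_org}, valid {lifetime_days} days"


def triage(url: str, created: date, today: date, issuer_org: str, lifetime_days: int) -> dict:
    host = host_from_url(url)
    known, reasons = domain_signals(host)
    _, age_reasons = age_signal(created, today)
    if known:
        verdict = "ok"
    elif reasons:
        verdict = "block"
    elif age_reasons:
        verdict = "caution"
    else:
        verdict = "unknown"
    return {"host": host, "verdict": verdict,
            "reasons": reasons + age_reasons,
            "notes": [cert_note(issuer_org, lifetime_days)]}


if __name__ == "__main__":
    # Constructed inputs: the dates and issuer are not real lookups.
    for url in ("https://paypa1-secure-login.top/signin",
                "https://paypal.com.secure-verify.example/",
                "https://www.paypal.com/signin"):
        print(triage(url, date(2025, 6, 1), date(2025, 6, 8), "Let's Encrypt", 90))
```

Note what the verdict does and does not rest on: the certificate line only ever lands in `notes`, while a brand word in the wrong registrable domain or a confusable match is enough to block. A domain that is merely young gets `caution`, which is what our Domain Age Lookup is for.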
The old advice that still works
- Type URLs yourself rather than clicking links in messages.
- Use a password manager — it matches saved logins to the site’s domain, so it will not offer your PayPal password on a spoofed domain. A missing autofill prompt is the tip-off.
- Enable MFA — if the scammer only gets your password, MFA blocks the login. One caveat: SMS codes and authenticator codes can be relayed by a phishing proxy that sits between you and the real site, so prefer passkeys or a FIDO2 security key, which are bound to the real domain and simply will not work on a look-alike.
- Hover before clicking — see the actual destination URL.
- Trust domain names, not page content — any designer can copy a bank’s login page in an afternoon.
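“Hover before clicking” is a manual version of a check a mail filter can run automatically: compare the host a link displays with the host its href actually points to. The script below is an added example, not part of this page’s tools; the email body is constructed, and the “same site” test compares only the last two labels of each host as a stand-in for a proper public-suffix lookup.

```python
"""Flag links whose visible text shows one host while the href goes to another.

Added example. SAMPLE_EMAIL is constructed; the site() helper is a deliberate
simplification of registrable-domain matching.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_EMAIL = """<p>We noticed unusual activity. Confirm your account now:</p>
<a href="https://paypa1-secure-login.top/signin">https://www.paypal.com/signin</a><br>
<a href="https://www.paypal.com/help">Help Center</a><br>
<a href="https://paypal.com/legal"><b>www.paypal.com/legal</b></a>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element, including nested markup."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def site(host: str) -> str:
    # Simplification: last two labels stand in for the registrable domain.
    return ".".join(host.lower().split(".")[-2:])


def host_of(text: str) -> str:
    """Host named by a URL or bare domain string; '' if the text is not URL-like."""
    candidate = text if "://" in text else "https://" + text
    host = urlsplit(candidate).hostname or ""
    return host if "." in host and " " not in host else ""


def mismatched_links(html: str) -> list[dict]:
    """Links where the displayed text names a site other than the real destination."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown, real = host_of(text), urlsplit(href).hostname or ""
        # Plain words like "Help Center" display no host, so there is nothing to compare.
        if shown and real and site(shown) != site(real):
            findings.append({"text": text, "href": href,
                             "shown_host": shown, "real_host": real})
    return findings


if __name__ == "__main__":
    for f in mismatched_links(SAMPLE_EMAIL):
        print(f"displayed {f['shown_host']} but goes to {f['real_host']}: {f['href']}")
```

The third link in the sample displays www.paypal.com and points at paypal.com; that is the same site and is correctly left alone. Only the first link, which shows PayPal’s host while sending the click to paypa1-secure-login.top, is reported.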
The security industry’s quiet pivot
Major browsers have stopped treating the padlock as a trust signal for exactly this reason. Chrome replaced it with a neutral “tune” icon in version 117 (September 2023); Firefox had already dropped the green colouring and the EV company name from its address bar in 2019. The padlock was leading users to trust sites that had only proved control of a domain name.
The useful signal today is reputation, not encryption: Google Safe Browsing (used by Chrome and Firefox) and Microsoft SmartScreen (Edge) check the URL against lists of known phishing sites and warn before the page loads. Those lists lag behind the attackers, though: a domain registered this morning may not be on any list yet, which is why domain age and the URL itself still deserve a look.
FAQ
So should I trust sites without HTTPS?
No — treat any site without HTTPS as unsafe for typing anything sensitive. HTTPS is necessary but not sufficient. Modern browsers mark plain-HTTP pages “Not secure” and warn explicitly when a password or card field appears on one, which is correct.
What’s an EV (extended validation) certificate?
EV certificates require the certificate authority to verify the legal entity behind the domain — registration paperwork, legal name, phone verification. They used to show up as a green bar with the company name. Browsers stopped highlighting EV after research showed users did not notice or act on the indicator, and because EV only checks that a legal entity exists, not that its registered name cannot be confused with a well-known brand. The value of paying for EV has declined accordingly, though many banks still use them.
Why did Let’s Encrypt make this worse?
Let’s Encrypt democratized HTTPS — it’s now economically free to run an encrypted site. That’s a net good for the internet. The side effect is that the padlock stopped meaning anything about the site’s identity. The solution is better user education, not ending free certificates.