April 8, 2019

What does the padlock in your address bar really mean?

If you have been on the internet much in the last 20-ish years, you may have noticed the padlock symbol next to the URL in your address bar. Here's what it looks like in Chrome:


In Firefox:


In Edge:


You may have noticed this on your mobile device as well:

If you click on the padlock (or go to "Site Information" on your iPhone's Chrome browser), you'll see a message explaining that your connection to the website is "secure":

On the flip-side, you may have noticed what happens when the padlock isn't there, especially in Chrome:

These messages are correct - the padlock symbol means that your connection to the website is "secure" (i.e. encrypted), and no padlock means that the connection is "not secure" (i.e. not encrypted).

However, there can be some confusion about what this really means - and what it does not mean:

What the padlock does mean:

The padlock means that your connection to the website is encrypted in such a way that:

  • The data cannot be read by anyone except you and the website
  • The data cannot be tampered with
  • The website is exactly who they say they are.

Encryption

It may help to start with a basic explanation of what encryption is:

You have a message that you want to send to your friend. You don't want anyone other than your friend to be able to read this message. To do this, you rewrite your message in such a way that every letter is shifted over by 13 places - in other words, every 'A' becomes an 'N', every 'B' becomes an 'O', etc. Your friend knows this, so when they receive your message they shift each letter back over by 13 places and read your original message.

Thankfully our encrypted connections in the real world use a much better method than this - it is called Transport Layer Security, or TLS. When you see the padlock, your connection to that website is using TLS. This guarantees the three things mentioned earlier:

The data cannot be read by anyone else:

Using the example from earlier: because only you and your friend know how the messages are encrypted, no one else can read the actual content of the messages. Another word for this is privacy - anything you send to a website when the padlock is present will be encrypted in such a way that only the website you are sending it to will be able to decrypt. This is true of data that the website sends back to you as well.

The data cannot be tampered with:

TLS also guarantees that no one will be able to modify the data. Imagine if you submitted an order online for a life-sized Thor action figure, but someone intercepted that data and changed the delivery address - someone else would be receiving the Norse god that you paid for!

This is also important for data that comes from the website - without TLS, someone could intercept the data and send you viruses and malware instead of the web page that you were trying to view.

The website is who they say they are:

Don't overthink this one - it just means that the URL you see in the address bar is the actual website that you are communicating with. In other words, when you browse to https://google.com and see the padlock, you can be sure that you are actually communicating with "google.com" and not someone else pretending to be "google.com".

In short, the padlock ensures that no one else is getting involved in the connection between you and the website.

What the padlock does not mean:

The padlock does not mean that the website itself is safe. If you were to browse to something like https://fake-google.com and see a padlock (don't actually do this), this would not mean that fake-google.com is a good website - just that no one is going to get in the middle of your connection to that website.

When we run phishing campaigns at SEM, I make sure that our fake websites have the padlock because it looks safer than a website with no padlock. Here's an example from the last campaign that we ran - notice the padlock:

When people submit their username and password on this webpage, everything about what the padlock does mean is still true:

  • On its way to my fake login page, the data cannot be read by anyone other than my website and the person who submitted the data.
  • On its way to my fake login page, the data cannot be tampered with. The username and password that the person submitted are guaranteed to come exactly as they were typed. The flip-side is true too: when you browse to this website, it has not been tampered with since it left my webserver.
  • This website is exactly who it says it is. The URL says "https://app.trustamerica.com-liberty.com", and it is 100% true that this is the website that people are communicating with.

But the website itself - "app.trustamerica.com-liberty.com" - is malicious and designed to steal your login information. The padlock does not protect against this.
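To make the "who they say they are" check concrete, here is an added example (not code from the original post or from SEM) that reproduces the name-matching rule a browser applies between the certificate and the URL hostname, and then the separate check a person has to do: is the registrable domain the one you expected? The certificate names are constructed for illustration, and the registrable-domain helper is a deliberately crude "last two labels" approximation rather than the Public Suffix List browsers use.

```python
from urllib.parse import urlsplit


def name_matches(cert_name: str, hostname: str) -> bool:
    """Does one DNS name from a certificate match the URL hostname?

    RFC 6125 style: case-insensitive, label by label, and a wildcard is
    allowed only as the entire left-most label (it never spans a dot).
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    first, rest = cert_labels[0], cert_labels[1:]
    if first == "*":
        # "*.com" style wildcards are refused; otherwise compare the tail.
        return len(rest) >= 2 and rest == host_labels[1:]
    return cert_labels == host_labels


def padlock_would_show(san_names: list, url: str) -> bool:
    """The padlock's identity check: some certificate name matches the URL.

    Nothing here asks whether the domain is trustworthy; a valid
    certificate for a look-alike domain passes just like the real thing.
    """
    host = urlsplit(url).hostname or ""
    return any(name_matches(n, host) for n in san_names)


def registrable_domain(hostname: str) -> str:
    """Crude approximation: the last two labels (good enough for .com)."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def is_lookalike(url: str, expected_domain: str) -> bool:
    """The check the padlock does NOT do: the brand name appears in the
    hostname, but the domain actually being visited is a different one."""
    host = urlsplit(url).hostname or ""
    return expected_domain in host and registrable_domain(host) != expected_domain


if __name__ == "__main__":
    phish = "https://app.trustamerica.com-liberty.com/login"
    # Constructed certificate name list, as a free CA would happily issue it.
    print(padlock_would_show(["app.trustamerica.com-liberty.com"], phish))  # True
    print(is_lookalike(phish, "trustamerica.com"))                           # True
```

Run it and both checks print True: the padlock logic is satisfied, and only the second function notices that the domain is "com-liberty.com", not "trustamerica.com".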

Summary

  • The padlock guarantees that your data will not be read by anyone else, will not be tampered with, and that you are communicating with the website that is indicated by the URL.
  • The padlock does not guarantee that the website itself is safe. Always consider the URL, the circumstances, and anything else that may seem "off" before submitting data on a website.

One last note: TLS is a good thing as long as we understand what it does and does not do. Every legitimate website should be making an effort to move to TLS encryption, which will cause the padlock to show up. This can be done for $0.00 (https://letsencrypt.org/).