We need to talk about the “green padlock”

One of the most commonly given pieces of anti-fraud advice I hear banks, police, and the general public sharing on social media is to always look for a “green padlock” when shopping online. While there is some merit in looking for a so-called “green padlock”, the advice is sometimes quite misleading, and other times just plain wrong, for a number of reasons, leaving the general public both confused and more insecure.

What is the “green padlock”?

Websites that you type in usernames, passwords, credit card numbers, or other sensitive information, should be secured using HTTPS (the correct terminology for “green padlock”) so nobody can snoop or intercept the data you send to the website, or it sends back. HTTPS certificates can cost money and, without getting too technical or over-simplifying things — partly the reason why I think many people have a misconception of this mythical “green padlock” — while websites can use what’s known as a self-signed HTTPS certificate (think of this like a password), it won’t show up in green in your address bar. The green address bar just indicates that the HTTPS certificate used to encrypt the data sent to, and from, your device is encrypted.

Simply put: The green padlock symbol is only a verification by a third party that the connection between your device and website is encrypted.

Green padlock’s can be applied to scam sites too

There seems to be a misconception, certainly when I speak to people, that the “green padlock” is similar in function to Twitter or Facebook’s verified badges, in that someone, somewhere, is deciding whether to issue a certificate or not (and issuance of such a badge indicates legitimacy). Having been through the process of purchasing HTTPS certificates more times than I care to admit, I can assure you all you need is a web address, a credit card, and a cup of coffee.

Let’s say, for example, you owned “faaebook.com” — you could legitimately buy an HTTPS certificate for that domain so that anyone browsing to that site will see this in their address bar:

Obviously I chose the name “facebook” because it’s really close to “facebook.com”. HTTPS certificate issuers don’t care (and shouldn’t) that the name looks a bit like “facebook” so they’ll happily issue the certificate and now I have a nice shiny green bar on my site. It might be obvious to spot the spelling mistake as it’s blown up but if you weren’t watching the address bar in your browser closely, and clicked a link on some other site, you could be lured into thinking you were legitimately browsing Facebook’s actual site.

Fun fact: I’m the proud owner of the domain name “digital-banking.co.uk”. I’m also the proud owner of an HTTPS certificate for that domain, which means rbs.digital-banking.co.uk, barclays.digital-banking.co.uk, any-other-popular-bank-name.digital-banking.co.uk, belongs to me — not your bank. All I need to do is clone a bank website, send out a bunch of phishing emails with that link embedded and Bob’s your uncle!

Added bonus — your connection to my cloned banking website is encrypted using HTTPS, so no pesky fraudsters snooping on you or me will see the information you type into my bogus website.

Anyone can buy one… even with a stolen credit card

HTTPS certificates are relatively cheap to buy, and apply to any domain name you own. A trend we’ve noticed is that fraudsters will use stolen credit cards, or compromised PayPal accounts, to purchase web addresses that look semi-legitimate, an HTTPS certificate to give it that authenticity feel, and a website hosting package. It doesn’t matter if someone reports a site as bogus as it’ll never come back on the fraudster as they’re using someone else’s contact information & billing details.

As I’ve alluded to earlier, purchasing HTTPS certificates is easy, cheap, and relatively painless. Many smaller certificate issuers actually give some certificates out for free. The level of encryption of these certificates is fairly poor, and sometimes the certificates are only valid for a week or two, but if you’re just looking for the padlock symbol quickly and not really caring about the actual security of the people using the site, it’s a fairly easy way to acquire it.

Much like the technology industry, fraud evolves really quickly — far quicker than we can detect, prevent, protect, or even distribute advice to educate. In order to protect and educate as many people as quickly as possible, advice is sometimes over simplified by marketing departments, or people looking to quickly distribute advice, and ends up misleading people. So while the usual “always look for a green padlock” does actually stand, it should come with the added warning of “presence of a green padlock doesn’t authenticate the website is legitimately the one you think it is”.

So, in conclusion, you should always check both the address bar is correct (i.e. facebook.com, twitter.com, rbs.co.uk, etc) and that a green padlock is present.


A few hours after Police Scotland’s original tweet, Iain Cole over on twitter put this tweet up:

Looks legit right? Well, clicking on the link shows this:

Well played sir, well played.

Like what you read? Give Scott McGready a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.