SSL Certificates Explained: What HTTPS Proves — and What It Doesn't
SSL and TLS are the encryption protocols behind the padlock icon. When a URL starts with https://, traffic between your browser and the site is encrypted, so nobody on the network — a coffee-shop Wi-Fi operator, your ISP — can read the passwords or card numbers you submit. Strictly, SSL is the deprecated 1990s protocol and TLS (currently TLS 1.3, RFC 8446) is what actually runs today; "SSL certificate" survives as the everyday name.
How the TLS handshake works
When you open an HTTPS site, browser and server perform a handshake: the server presents its certificate — a cryptographically signed statement from a certificate authority (CA) binding the domain name to a public key — the browser verifies the signature chain against its list of trusted CAs and checks the expiry date and domain match, and the two sides agree on session keys. Everything after that is encrypted. SiteReviewChecker performs exactly this handshake live on every scan; a valid connection is worth 10 of 100 points in the trust score.
HTTPS is now the norm — which changes what it means
Per Google's Transparency Report, roughly 95% of pages loaded in Chrome use HTTPS, up from about half in 2015. Free automated certificate authorities — above all Let's Encrypt, which issues certificates to hundreds of millions of sites — removed both the cost and the effort. That is excellent for privacy, but it means a padlock no longer separates good sites from bad ones.
Why scam sites have padlocks too
A certificate authority verifies that you control a domain — not that you're honest. A scammer who registers paypa1-secure.com gets a perfectly valid certificate for it in minutes. The Anti-Phishing Working Group has reported for years that the large majority of observed phishing sites use HTTPS. The padlock proves the connection to the scammer is encrypted — nothing more.
How to actually use HTTPS as a signal
- Missing or broken HTTPS = disqualifying. Never enter credentials or payment data over plain HTTP or past a certificate warning.
- Present HTTPS = neutral. Continue checking: exact domain spelling, domain age, contact information, reputation.
- Certificate details = context. Click the padlock and confirm the certificate is issued to the exact domain you meant to visit and is not expired.
Frequently asked questions
Is a website with HTTPS always safe?
No. HTTPS proves the connection is encrypted, not that the site operator is honest. Free certificates from Let’s Encrypt take minutes to obtain, and the Anti-Phishing Working Group reports that the large majority of phishing sites use HTTPS. Combine the padlock check with domain age, contact information and reputation research.
What is the difference between SSL and TLS?
TLS (Transport Layer Security) is the modern protocol; SSL (Secure Sockets Layer) is its deprecated predecessor, retired since 2015. The name "SSL certificate" survives out of habit — every certificate issued today is used with TLS, currently TLS 1.2 or TLS 1.3 (RFC 8446).
How do I check a website’s certificate?
Click the padlock (or site settings) icon in the browser address bar and view the certificate details: who it was issued to, who issued it, and its expiry date. A valid certificate on the exact domain you intended to visit is the baseline; a warning page or mismatched domain name means stop.
Sources
- Google Transparency Report — HTTPS encryption on the web
- Let's Encrypt — Statistics
- APWG — Phishing Activity Trends Reports
- IETF RFC 8446 — TLS 1.3
SiteReviewChecker performs a live TLS handshake on every scan — certificate validity is one of 24+ signals in the trust score.