Question:
Online Banking Questions (phishing, padlock)?
moi
2010-06-13 00:38:41 UTC
Why is it good advice not to use online banking when the padlock sign is not there?

Second, what POSITIVE action should be taken by the recipient of a phishing e-mail?

Thanks +10
Three answers:
Unca Alby
2010-06-13 00:42:55 UTC
The padlock means you're connected using encryption, so that a hacker would have some difficulty snooping the content of your traffic back and forth to the website.



If you don't see a padlock when you log in to your bank's computer, change banks.



If you receive a phishing e-mail, forward it to phishing-report@us-cert.gov, then delete it.



It's likely nothing will happen -- most of that stuff comes from overseas in places where the US govt has no jurisdiction -- but who knows, maybe they'll catch all the stupid ones.
anonymous
2010-06-13 03:02:53 UTC
The padlock is one "element" (the Authentication) of a secure server.

There are 2 aspects to "secured" sites: "Encryption" and "Authentication";

and they are distinctly different aspects.



"Encryption" is a method of private communication: nothing else.

When "https" ('s' indicating 'secure') is available for a site, it indicates that traffic goes to whoever is indicated in the address bar & is encrypted (so no one else can 'read' or intercept it).



It is NOT an indication of reliability, trustworthiness, internal security, or anything else about any particular entity; the content of the website; or the presence of malware.

That you must do on your own.



The "Authentication" aspect is from whom the "Root Certificate" was issued for a site's certificate.

This is the "recognized" organization (by REPUTATION ONLY), that has done the background check on the receiving website owners: verifying a few BASIC checks. In effect saying "They are who they say they are."

Note however that there is NO REGULATING AUTHORITY FOR THIS 'AUTHENTICATION'; nor for how 'deep' the investigation goes, and can be easily fooled by anyone seeking a certificate.

(See "Security Now" #245; http://www.grc.com/sn/sn-245.htm)

(Verisign is one commonly encountered "Authority").



Note: Some sites 'sign' their own certificate & use a commonly available encryption method. Although the traffic is encrypted, and the site may in fact be "on the level", this type of certificate can be questionable at the very least.



Your browser will tell you if you are over 'secure' servers (the 'encryption' aspect) by way of "https" in the URL prefix.

You, however, must verify who exactly has issued any "Certificate" for that site (the padlock aspect).

Always right click the browser's "lock", then examine the certificate's pedigree before commencing any data exchanges.



To verify this 'Root Certificate' is legit;

Firefox= browser tools> Options> Advanced> Encryption tab> View certificates> Authorities tab.

IE= Tools> Options> Content> Certificates> Trusted Root....tab.

-Compare their issuing Certificate Authority to these in your browser's official list. Any strange authority could mean some monkey business going on.



This setting helps deter SSL spoofing:

Browser> Tools> Options> Advanced> Security heading> check "Warn about certificate address mismatch"> OK out.



SSL (aka TLS) is not an absolute state of affairs over the Internet.

(For further discussion: Security Now! with Steve Gibson, Episode 223 for November 19, 2009: The Trouble with SSL:

http://www.grc.com/sn/sn-223.htm)



Action on phishing? Mark as spam & delete.
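
The checks described in the answer above (who issued the certificate, whether it is self-signed, whether the address matches), as an added example that is not part of the original post. It assumes a certificate dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns; the bank and CA names, the trusted list and the helper names are constructed for illustration.

```python
# Added example; every certificate value below is constructed.
# Input shape: the dict returned by ssl.SSLSocket.getpeercert().
# This mirrors the manual check only; cryptographic chain validation
# is done by the TLS library, not by comparing names.

def flatten_name(field):
    """Turn an ssl-style tuple of RDNs into a plain dict."""
    return {k: v for rdn in field for (k, v) in rdn}

def host_matches(pattern, host):
    """Exact match, or '*' standing for the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def review_certificate(cert, host, trusted_issuers):
    """Return a list of findings; an empty list means nothing stood out."""
    findings = []
    subject, issuer = flatten_name(cert["subject"]), flatten_name(cert["issuer"])
    if subject == issuer:
        findings.append("self-signed")
    elif issuer.get("organizationName") not in trusted_issuers:
        findings.append("issuer not in trusted list")
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(host_matches(s, host) for s in sans):
        findings.append("address mismatch")
    return findings

TRUSTED = {"Example Root CA"}  # hypothetical stand-in for the browser's list
GOOD = {
    "subject": ((("organizationName", "Example Bank"),),
                (("commonName", "www.bank.example"),)),
    "issuer": ((("organizationName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "www.bank.example"),
                       ("DNS", "*.secure.bank.example")),
}
SELF_SIGNED = dict(GOOD, issuer=GOOD["subject"])
ODD_ISSUER = dict(GOOD, issuer=((("organizationName", "Unknown CA"),),))

if __name__ == "__main__":
    for cert, host in [(GOOD, "www.bank.example"),
                       (GOOD, "www.bank.example.lookalike.test"),
                       (SELF_SIGNED, "www.bank.example"),
                       (ODD_ISSUER, "bank.example")]:
        print(host, review_certificate(cert, host, TRUSTED) or "ok")
```
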
anonymous
2010-06-13 00:41:01 UTC
not secure



report as spam


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.